Manual Chapter : API Protection: APM Use Cases

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

API Protection: APM Use Cases

API protection: Validating JWT tokens for all API calls

In this example, the JWT access token is extracted and validated for all API calls. When the JWT token is validated successfully, the API request is classified based on path and method and assigned a specific API server.
To develop this example, you need to
  • Create an API protection profile that defines the paths, servers, and responses preferably using an OpenAPI spec file.
  • In the protection profile, for
    Authorization
    , use
    OAuth 2.0
    .
  • On the Access Control tab, click
    Edit
    to see the visual representation of the per-request policy that was created.
  • In the visual policy editor, edit the policy as needed for the API being protected.
Here is an example per-request policy configuration that validates JWT tokens for all API requests.

How it works

  1. Access Policy Manager receives an API request with an authorization header containing a JWT access token.
  2. The access token is extracted from the authorization header.
  3. For all API requests, the OAuth Scope agent validates the access token.
  4. If OAuth validation fails, an appropriate response object is selected based on the validation error. This response object can be overwritten by configuring an explicit Response Selection agent in the fallback branch, which encapsulates the HTTP status, header, and body information.
  5. When the Access token is successfully validated, the Request Classification agent classifies the API request based on the request path and method.
  6. Additional branch rules are applied to a path (
    GET /pet/findByStatus ()
    ) for identifying valid status. An example branch expression that you can use is:
    expr {[lsearch {available pending sold} [mcget {request.query.status}]] != -1}
    An appropriate response is returned for the API request if the branch expression fails.
  7. For a specific path (
    GET /department ()
    ), the API Server Selection agent chooses the appropriate API server to which to send the request.

API protection: Validating JWT tokens for specific API calls

In this example, the JWT access token is extracted and validated for selected API calls. All incoming API requests are classified based on path and method. The JWT access token is extracted and validated for requests with specific path IDs.
To develop this example, you need to
  • Create an API protection profile that defines the paths, servers, and responses preferably using an OpenAPI spec file.
  • In the protection profile, for
    Authorization
    , use no authorization.
  • On the Access Control tab of the protection profile, for
    SSO Configuration
    , select an OAuth Bearer SSO configuration.
  • On the Access Control tab, click
    Edit
    to see the visual representation of the per-request policy that was created.
  • In the visual policy editor, edit the policy as needed for the API being protected.
Here is an example per-request policy configuration that validates JWT tokens for a specific set of API requests.

How it works

  1. Access Policy Manager receives an API request with an authorization header containing a JWT access token.
  2. The Request Classification agent classifies the API request based on its request path and method.
  3. For a specific path (
    POST /pet ()
    ), the JWT access token is extracted from the authorization header.
  4. The OAuth Scope agent validates the access token.
  5. If OAuth validation fails, an appropriate response is returned for that API request. You need to configure the Response Selection agent to select the correct response object, which encapsulates HTTP status, header, and body information.
  6. On successful validation of the JWT access token, the API request is sent to the default API server associated with the API protection profile.
  7. For a specific path (
    GET /department ()
    ), the API Server Selection agent chooses the appropriate API server to which to send the request.
  8. Additional branch rules are applied to another path (
    GET /pet/findByStatus ()
    ) for identifying valid status. An example branch expression that you can use is:
    expr { [ lsearch { available pending sold } [ mcget {request.query.status} ] ] != -1 }
    An appropriate response is returned for the API request if the branch expression fails.

API Protection: JWT SSO with Token Conversion

In this example, you assign an OAuth Bearer SSO configuration to the API protection profile. The system generates a custom JWT token, and sends it as an OAuth bearer token in the outgoing API request.
The per-request policy attached to the API protection profile extracts the JWT access token from the authorization header in the API request. The OAuth scope agent validates and sets subroutine variables. You can assign the OAuth bearer SSO configuration to specific API request paths in the per-request policy. The OAuth bearer SSO configuration generates a JWT access token using the claims configuration, and sends it to the API server as an OAuth Bearer token.
To develop this example, you need to
  • Create an API protection profile that defines the paths, servers, and responses preferably using an OpenAPI spec file.
  • In the protection profile, for
    Authorization
    , use
    OAuth 2.0
    .
  • On the Access Control tab of the protection profile, for
    SSO Configuration
    , select an OAuth Bearer SSO configuration that was previously created.
  • On the Access Control tab, click
    Edit
    to see the visual representation of the per-request policy that was created.
  • In the visual policy editor, edit the policy as needed for the API being protected.
You need to have created an OAuth Bearer SSO configuration (
Access
Single Sign-On
OAuth Bearer
). You associate it with the protection profile on the Access Control tab.
Here is an example OAuth Bearer SSO configuration for generating a new JWT access token:
You associate the OAuth Bearer SSO configuration on the Access Control tab of the API protection profile.
In the visual policy editor, select the OAuth bearer SSO configuration using the SSO configuration agent in the per-request policy.
Here is the example per-request policy configuration that converts a JWT token to an OAuth Bearer token before sending it to the API server.

How it works

  1. Access Policy Manager receives an API request with an authorization header containing a JWT access token.
  2. The access token is extracted from the authorization header.
  3. For all API requests, the OAuth Scope agent in the subroutine validates the access token.
  4. If OAuth validation fails, the system returns an appropriate response for that API request. You need to configure the Response Selection agent to select the correct response object, which encapsulates HTTP status, header, and body information.
  5. On successful validation of the JWT access token, the system applies an SSO configuration to all requests.
  6. The Request Classification agent classifies the API request based on its request path and method.
  7. For a specific path (
    GET /department ()
    ), the API Server Selection agent chooses the appropriate API server to which to send the request. The system applies an OAuth bearer SSO configuration to generate a custom JWT access token for the selected API server.
  8. Additional branch rules are applied to another path (
    GET /pet/findByStatus ()
    ) for identifying valid status. An example branch expression that you can use is:
    expr { [ lsearch { available pending sold } [ mcget {request.query.status} ] ] != -1 }
    If the branch expression fails, the system returns an appropriate response for the API request.