The following diagram shows the traffic flow when ASE is in sideband mode.

Diagram of traffic flow when the ASE is in sideband mode

A JWT consists of a header, a payload, and a signature. Each part is base64url-encoded, and the three parts are concatenated with periods (.). The following is a sample JWT structure.

Sample JWT structure

ASE decodes the payload to extract user information from a JWT. It can decode JWTs received in request headers or in query strings. In sideband mode, ASE supports only the Bearer scheme in the Authorization header.

Note:

ASE does not validate JWTs. It only decodes them and extracts the user information. Because the signature is never checked, the extracted username and client ID are only as trustworthy as the validation the API gateway performed before forwarding the request to ASE.

ASE supports a list of usernames in a JWT. When the username claim in the payload is an array with multiple elements, ASE extracts the first element of the array. The elements can be strings or numbers, and the array must be a valid JSON array.

Sample JWT

Note:

ASE supports arrays only for the username claim in the payload. It does not support arrays in the clientid or location claims.

When deployed in sideband mode, ASE receives the API request information from the gateway policy and extracts the metadata. The request information carries a user_info object with the user information, along with other metadata such as the source IP, method, URL, and headers. The following is an example snippet of the information ASE receives from the API gateway:

{
  "source_ip": "127.0.0.1",
  "source_port": 12345,
  "method": "GET",
  "url": "/api3?query=eyJ0eXAiOiJKV1QiLCJhbGciHuDXOyfQqAnoXC4bA&abc=xyz",
  "http_version": "1.1",
  "user_info": [ { "username": "abc", "client_id": "cabfsghhbsag" } ],
  "headers": [ { "host": "shop.com" },
               { "content-type": "application/xml" },
               { "content-length": "100" },
               { "x-forwarded-for": "dev.pxy.com" },
               { "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36" }
             ]
}

ASE extracts the user information from the user_info object, from the JWT, or from both. The following scenarios describe the different ways in which ASE extracts user information:

  • If the gateway policy sends a user_info object with both username and clientid, ASE does not decode the JWT. It extracts the user information from the user_info object.
  • If the gateway policy sends a user_info object without username and clientid, ASE decodes the JWT to extract both values.
  • If the gateway policy sends a user_info object without a username but with a clientid, ASE decodes the JWT and extracts the username from the JWT and the client identifier from the user_info object.
  • If the gateway policy sends a user_info object with a username but without a clientid, ASE decodes the JWT to extract the clientid and takes the username from the user_info object.
  • If the gateway policy does not send a user_info object, or sends an invalid one, ASE decodes the JWT to extract the username and clientid, if they are available.
Note:

If JWT decoding fails, the API request is not blocked. ASE logs the information received from the gateway policy in the access logs.
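The precedence rules above, the Bearer-header and query-string token locations, the first-element rule for an array-valued username claim, and the non-blocking behaviour on decode failure, as an added example in Python. This is illustration code written for this page, not ASE's implementation. The claim names (sub for the username, client_id for the client ID), the query-string parameter name query (taken from the sample URL above), the acceptance of either client_id or clientid inside user_info, and the sample requests and token are all assumptions constructed for the example. The token is deliberately unsigned, which is exactly why decoding without validation is not a trust decision.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Assumed configuration (ASE's real config keys are not shown on this page):
# which JWT claims carry the username and client id, and which query-string
# parameter may carry a JWT when it is not sent as an Authorization Bearer token.
USERNAME_CLAIM = "sub"
CLIENTID_CLAIM = "client_id"
JWT_QUERY_PARAM = "query"  # matches the "?query=eyJ..." sample URL on this page


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload):
    """Constructed test token: valid header and payload, bogus signature.
    It decodes fine, yet would fail any real signature check."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.bogus-signature"


def decode_jwt_payload(token):
    """Decode only the payload; no signature verification, as the page's note states."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8, or bad JSON
        return None
    return payload if isinstance(payload, dict) else None


def scalar(value):
    """Usernames and client ids must be strings or numbers (reject JSON true/false/null/objects)."""
    if isinstance(value, bool):
        return None
    return value if isinstance(value, (str, int, float)) else None


def username_from_payload(payload):
    value = payload.get(USERNAME_CLAIM)
    if isinstance(value, list):
        # Array-valued username claim: take the first element, which must itself be scalar.
        return scalar(value[0]) if value else None
    return scalar(value)


def clientid_from_payload(payload):
    # Arrays are not supported for the clientid claim, so a list yields nothing.
    return scalar(payload.get(CLIENTID_CLAIM))


def find_jwt(request):
    """Sideband: Bearer token in the Authorization header, else the configured query parameter."""
    for header in request.get("headers", []):
        for name, value in header.items():
            if name.lower() == "authorization":
                scheme, _, token = value.strip().partition(" ")
                if scheme.lower() == "bearer" and token.strip():
                    return token.strip()
    values = parse_qs(urlparse(request.get("url", "")).query).get(JWT_QUERY_PARAM)
    return values[0] if values else None


def resolve_user(request):
    """Apply the precedence rules: user_info first, JWT only for what user_info lacks."""
    username = clientid = None
    info = request.get("user_info")
    if isinstance(info, list) and info and isinstance(info[0], dict):
        username = scalar(info[0].get("username"))
        clientid = scalar(info[0].get("client_id", info[0].get("clientid")))
    result = {"username": username, "clientid": clientid, "jwt_decoded": False, "jwt_error": False}
    if username is not None and clientid is not None:
        return result  # complete user_info: the JWT is never decoded
    token = find_jwt(request)
    payload = decode_jwt_payload(token) if token else None
    if payload is None:
        result["jwt_error"] = True  # not a block decision: caller logs what it has
        return result
    result["jwt_decoded"] = True
    if username is None:
        result["username"] = username_from_payload(payload)
    if clientid is None:
        result["clientid"] = clientid_from_payload(payload)
    return result


# Constructed sample requests (not captured traffic).
TOKEN = make_unsigned_jwt({"sub": ["alice", "svc-alice"], "client_id": "cabfsghhbsag"})
REQ_FULL = {"url": "/api3", "user_info": [{"username": "abc", "client_id": "cabfsghhbsag"}],
            "headers": [{"authorization": "Bearer " + TOKEN}]}
REQ_NO_USER = {"url": "/api3", "user_info": [{"client_id": "gw-client"}],
               "headers": [{"authorization": "Bearer " + TOKEN}]}
REQ_QUERY_ONLY = {"url": "/api3?query=" + TOKEN + "&abc=xyz", "headers": [{"host": "shop.com"}]}
REQ_BAD_TOKEN = {"url": "/api3?query=eyJ0eXAiOiJKV1QiLCJhbGciHuDXOyfQqAnoXC4bA&abc=xyz", "headers": []}

if __name__ == "__main__":
    for name, req in [("full", REQ_FULL), ("no_user", REQ_NO_USER),
                      ("query_only", REQ_QUERY_ONLY), ("bad_token", REQ_BAD_TOKEN)]:
        print(name, resolve_user(req))
```

Running the script shows the four scenarios side by side: a complete user_info object short-circuits decoding, a partial one is filled in from the token, a request with no user_info falls back to the query-string token, and a truncated token (the one in the page's sample URL) produces no user information but no error either.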