API Connect


How can I restrict a user with one time access when JWT token with 30secs TTL is used for invocation

  • 1.  How can I restrict a user with one time access when JWT token with 30secs TTL is used for invocation

    Posted Mon February 13, 2023 06:11 AM

    Hi All,

    I am generating a JWT token and verifying it using Policy Nodes in the Assembly (JWT-Generate & JWT-Validate).

    Can we stop a call when we hit an API with the same JWT token more than one time within the expiry time?

    Consider a scenario where I kept the TTL of the JWT token at 30 secs. My end user is invoking the API 10 times in 30 secs with the same token. I need to restrict this: an end user should invoke the API once with one generated token, and if he invokes the same API with the same token another time within 30 secs an error message should be generated like "Token already used for one time. Generate token again and please comeback!!".

    If yes, please guide me on this. We tried to achieve this by invoking the API with the same token within the TTL as many times as we could; until the token expired we did not succeed.

    So please, anyone who knows about this issue, suggest to me the best way to achieve this.

    Doubt:

    The runtime will generate the token, this is for sure, but at the time of verifying the generated token, from where is it comparing both the generated and the verifying token? So my question is: where will the runtime store the generated token? If I want to access the token from the stored location, where will I get that?



    ------------------------------
    Vyasavardhan Ramagiri
    ------------------------------


  • 2.  RE: How can I restrict a user with one time access when JWT token with 30secs TTL is used for invocation

    Posted Mon February 13, 2023 03:29 PM

    Hi Vyasavardhan,

    I have escalated this question to our team - one person provided an answer but I am still waiting to see if we have a more detailed explanation. In the meantime, this is what one of the members said: "it's definitely possible using SLM in DataPower so it should be possible in APIC. Where I've done this before in DP you match on the jti claim."

    I am waiting to see if there is something more detailed from our end but let me know if this helps at all.



    ------------------------------
    Gabriel Marte Blanco
    Austin TX
    ------------------------------



  • 3.  RE: How can I restrict a user with one time access when JWT token with 30secs TTL is used for invocation

    Posted Tue February 21, 2023 12:13 AM

    Hi @Steve Linn
    Could you please take this into consideration? Thanks.




    ------------------------------
    Vyasavardhan Ramagiri
    ------------------------------



  • 4.  RE: How can I restrict a user with one time access when JWT token with 30secs TTL is used for invocation

    Posted Fri March 03, 2023 09:39 AM

    DP has a one-time-use access_token - unfortunately, using the JWT grant type, the JWT can be submitted many times until it expires (so even if the access_token is one-time use, this is useless, as attackers can get lots of one-time-use access_tokens based on that unexpired JWT) -- strike this

    DP also has replay attack protection (per instance) - this is not exposed to APIGW. In theory, you can use call-rule to call this replay filter that is supported on DP (and use either the jti or the nonce of the JWT for identifying the token) -- of course, if you have 3 instances of apigw, there is a possibility of replaying 3 times.



    ------------------------------
    Shiu Poon
    Senior Technical Staff Member - Security/Integration
    IBM
    San Jose CA
    ------------------------------
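The jti-based one-time-use check this thread describes, as an added example in plain Node.js (not API Connect or DataPower code, and the function names are hypothetical): it assumes JWT-Validate has already verified the signature and keeps a per-process Map of seen jti values, which is exactly why the per-instance caveat in the last reply applies.

```javascript
// Added example, not API Connect / DataPower code. Assumes JWT-Validate has
// already verified the signature, so only the claims are inspected here.
// The store is per process: with 3 gateway instances a replay can succeed
// up to 3 times unless this Map is replaced by a store shared between them.
const seen = new Map(); // jti -> exp (seconds since the epoch)

const USED_MSG = 'Token already used for one time. Generate token again and please comeback!!';

// Decode the payload segment of a compact JWT (no signature check, see above).
function payloadOf(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Forget jti values whose token would fail the exp check anyway.
function evict(now) {
  for (const [jti, exp] of seen) if (exp <= now) seen.delete(jti);
}

// Allows a given jti exactly once during its lifetime; reports why otherwise.
function checkOneTimeUse(claims, now) {
  if (typeof claims.jti !== 'string' || claims.jti === '') return { ok: false, reason: 'missing jti' };
  if (typeof claims.exp !== 'number') return { ok: false, reason: 'missing exp' };
  if (claims.exp <= now) return { ok: false, reason: 'token expired' };
  evict(now);
  if (seen.has(claims.jti)) return { ok: false, reason: USED_MSG };
  seen.set(claims.jti, claims.exp);
  return { ok: true };
}

// Constructed sample token with a 30 s TTL, as in the question (signature is a dummy).
function sampleJwt(jti, iat) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ jti, iat, exp: iat + 30 })}.dummy`;
}

// Ten calls with the same token inside the TTL: only the first is accepted.
function demo() {
  const t0 = Math.floor(Date.now() / 1000);
  const claims = payloadOf(sampleJwt('req-0001', t0));
  const results = [];
  for (let i = 0; i < 10; i++) results.push(checkOneTimeUse(claims, t0 + i).ok);
  return results; // [true, false, false, ...]
}
```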