The Secret Weapon: DataWeave JWT Library
We are utilizing the specific DataWeave JWT library. It does the heavy lifting for us, providing built-in functions to handle RSA and HMAC signatures. Instead of manually calculating headers and Base64 encoding strings, we let the library handle the math.
Prerequisites
Before we start coding, make sure you have your environment ready:
- MuleSoft Anypoint Studio is installed and running.
- You have a Private RSA key saved in a text file (we will need to read this).
- A basic understanding of how DataWeave transforms data.
Step 1: The Main Script
This is where the magic happens. We need to read your private key, clean it up, and generate the signed token.
What is happening here?
- Imports: We bring in
jwt::RSAfor the signing logic anddw::core::Binariesto handle the file data correctly. - Cleaning the Key: This is the most critical step that trips up developers. The
privatekeyvariable reads your text file but immediately usesreplacefunctions. We strip out newlines (\n), carriage returns (\r), and tabs to ensure the key is a single, clean string. If you skip this, the RSA signing will likely fail. - Generating the Token: We call the
JWTfunction. It creates the signature using your header, payload, the cleaned private key, and the specific algorithm"Sha256withRSA". - Expiration: We manually calculate an expiration field for the response, setting it to 3550 seconds from now.
The Code:
%dw 2.0
import * from jwt::RSA
import * from dw::core::Binaries
output application/json
input payload application/json
var privatekey = readUrl("classpath://myprivateKey-certificate-file.txt","text") replace "\n" with "" replace "\r" with "" replace "\t" with "" replace "\b" with ""
---
{
token: JWT(
vars.jwtheader,
vars.jwtpayload, privatekey, "Sha256withRSA"
),
expiration: now() + |PT3550S|
}
Step 2: The Header Script
The header acts as the ID card for your token, telling the receiver how to read it.
Breakdown:
We define a variable header containing the Algorithm (RS256) and the Type (JWT). This is standard for RSA-signed tokens.
The Code:
%dw 2.0
output application/json
var header = {
"alg": "RS256",
"typ": "JWT"
}
---
header
Step 3: The Payload Script
The payload contains the actual data (claims) you want to transmit.
Understanding the Claims:
iss(Issuer): Usually your client ID.iat(Issued At): The timestamp of creation.exp(Expiration): We set this to 1 hour from now using|PT1H|.aud(Audience): The intended recipient of the token (e.g., Microsoft Online).jti: A unique identifier for this specific token request.
The Code:
%dw 2.0
output application/json
---
{
"iss": p('client-id'),
"iat": now() as Number,
"exp": (now() + |PT1H|) as Number,
"aud": "https://login.microsoftonline.com/$TenantId/oauth2/token",
"jti": uuid(),
"sub": p('client-id')
}
Why Use This Approach?
Using the DataWeave JWT library abstracts the complexity of cryptographic mathematics. You ensure your integrations are secure, maintainable, and clean without managing external Java libraries or complex Groovy scripts.
Conclusion
Generating secure tokens shouldn't be a headache. By properly cleaning your private key and utilizing MuleSoft's native DataWeave modules, you can implement robust security standards quickly. Happy coding!