update README and add docs to the JWT-json policy

jwt_signed/apiproxy/README.md

@@ -41,14 +41,15 @@ environment. The cache should be named 'cache1'.
 
 ## Invoking
 
-
 There are two kinds of requests you can make: generate and verify. There are two types of tokens: RS256 and HS256.
 
-Generate a token with alg=HS256:
+### Generate a token with alg=HS256
 
 ```
-    curl -i -X POST -d 'key=ThisSecretPassphraseMustBeAtLeast32CharactersLong' \
-         http://myorg-myenv.apigee.net/jwt_signed/create-hs256
+ORG=myorg
+ENV=test
+curl -i -X POST -d 'key=ThisSecretPassphraseMustBeAtLeast32CharactersLong' \
+     https://$ORG-$ENV.apigee.net/jwt_signed/create-hs256
 ```
 
 The formparam key is the shared secret that is used to produce the HMAC.
@@ -73,10 +74,10 @@ If you use a key of the appropriate length, the response is something like this:
 }
 ```
 
-To verify a token with HS256:
+### Verify a token with HS256
 
 ```
-curl -i -X POST http://myorg-test.apigee.net/jwt_signed/validate-hs256 \
+curl -i -X POST https://$ORG-$ENV.apigee.net/jwt_signed/validate-hs256 \
    -d "jwt=JWT_HERE&key=ThisSecretPassphraseMustBeAtLeast32CharactersLong"
 ```
 
@@ -93,21 +94,27 @@ Response:
 ```
 
 
-To Generate a token with alg=RS256:
+### Generate a token with alg=RS256
 
 ```
 curl -i -X POST -d '' http://myorg-myenv.apigee.net/jwt_signed/create-rs256
 ```
 
 
-Verify a token with RS256:
+### Verify a token with RS256
 
 ```
-$ curl -i -X POST http://myorg-test.apigee.net/jwt_signed/validate-rs256 \
+curl -i -X POST https://$ORG-$ENV.apigee.net/jwt_signed/validate-rs256 \
    -d "jwt=JWT_HERE"
 ```
 
-Verify the example token from the OpenID Connect spec:
+### Generate a token with alg=RS256 using a JSON string as a source for claims
+
+```
+curl -i -X POST -d '' http://myorg-myenv.apigee.net/jwt_signed/create-rs256-json
+```
+
+### Verify the example token from the OpenID Connect spec
 
 ```
 curl -i -X POST http://myorg-test.apigee.net/jwt_signed/validate-openid \
@@ -122,10 +129,10 @@ configuration for policy JavaCallout-JWT-Parse-OpenIDConnect for details.
 
 
 
-Verify a token generated by Azure Active Directory:
+### Verify a token generated by Azure Active Directory
 
 ```
-  curl -i -X POST http://myorg-test.apigee.net/jwt_signed/validate-ms \
+  curl -i -X POST https://$ORG-$ENV.apigee.net/jwt_signed/validate-ms \
     -d "jwt=eyJ....."
 
 ```
@@ -137,10 +144,10 @@ AD.  Here's a page that can help you test this:
 http://dinochiesa.github.io/openid-connect/aad-login.html
 
 
-Verify a token generated by Google:
+### Verify a token generated by Google
 
 ```
-  curl -i -X POST http://myorg-test.apigee.net/jwt_signed/validate-goog \
+  curl -i -X POST https://$ORG-$ENV.apigee.net/jwt_signed/validate-goog \
     -d "jwt=eyJ....."
 
 ```
@@ -152,13 +159,13 @@ Google. Read about that [here](https://developers.google.com/identity/protocols/
 
 Once you register an app with Google, here's a page that can help you test OIDC signin:
 
-http://dinochiesa.github.io/openid-connect/goog-login.html
+https://dinochiesa.github.io/openid-connect/goog-login.html
 
 
-Verify a token generated by Salesforce.com:
+### Verify a token generated by Salesforce.com
 
 ```
-  curl -i -X POST http://myorg-test.apigee.net/jwt_signed/validate-sf \
+  curl -i -X POST https://$ORG-$ENV..apigee.net/jwt_signed/validate-sf \
     -d "jwt=eyJ....."
 
 ```
@@ -171,13 +178,13 @@ Salesforce. Look [here](https://help.salesforce.com/articleView?id=remoteaccess_
 
 Once you register an app with Salesforce, here's a page that can help you test OIDC signin:
 
-http://dinochiesa.github.io/openid-connect/sf-login.html
+https://dinochiesa.github.io/openid-connect/sf-login.html
 
 
 
 
 
-## Commentary:
+## Commentary
 
 The Java code includes two classes, one for JWT creation, and one for parsing.
 Configuring the Java callouts is done in the policy XML, using properties.
@@ -204,7 +211,7 @@ For example, this is how to configure the JWT creation with algorithm=HS256, whi
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtCreatorCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -243,7 +250,7 @@ To configure JWT creation with private key signing using an RSA key:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtCreatorCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -273,7 +280,7 @@ configuration, using the private-key Property, like this:
     7ZOF1UXVaoldDs+izZo5biVF/NNIBtg2FkZd4hh/cFlF1PV+M5+5mA==
     -----END RSA PRIVATE KEY-----
     </Property>
-    <Property name="private-key-password">deecee123</Property>
+    <Property name="private-key-password">{private.pem_passphrase}</Property>
 
     <!-- standard claims -->
     <Property name="subject">{apiproxy.name}</Property>
@@ -288,10 +295,12 @@ configuration, using the private-key Property, like this:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtCreatorCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
+It's a good idea to load the  variable holding the passphrase - in this case `private.pem_passphrase` - from the encrypted KVM with a KVM lookup.
+
 You can generate a suitable DES3-encrypted public/private key pair with the command-line openssl tool, like this:
 ```
  openssl genrsa -des3 -out private-encrypted.pem 2048
@@ -319,7 +328,7 @@ To configure JWT parsing with HS256:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -370,7 +379,7 @@ the policy to get that behavior. Like so:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -400,7 +409,7 @@ To configure JWT parsing with RS256:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -451,7 +460,7 @@ public-key property, like so:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -499,11 +508,10 @@ certificate.
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
-
 or, like so:
 
 
@@ -523,7 +531,7 @@ or, like so:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 
@@ -550,7 +558,7 @@ those values:
   </Properties>
 
   <ClassName>com.apigee.callout.jwt.JwtParserCallout</ClassName>
-  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.15.jar</ResourceURL>
+  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.16.jar</ResourceURL>
 </JavaCallout>
 ```
 

jwt_signed/apiproxy/policies/JWT-Create-RS256-JsonClaim.xml

@@ -13,7 +13,8 @@
     <Property name="audience">Optional-String-or-URI</Property>
     <Property name="expiresIn">3600</Property> <!-- in seconds -->
 
-    <!-- custom claims -->
+    <!-- custom claims derived from JSON strings -->
+    <!-- the property name must begin with claim_json_ -->
     <Property name="claim_json_account">{"allocations":[4,"seven",false],"verified":true,"id":1234}</Property>
     <Property name="claim_json_attributes">{user_attrs}</Property>