Issue challenge for admin user in JWT claim based on attack score

Note

To use claims inside a JSON Web Token (JWT), you must first set up a token validation configuration in API Shield.

This example configures additional protection for requests with a JSON Web Token (JWT) with a user claim of admin, based on the request’s attack score.

Create a custom rule that issues a Managed Challenge if the user claim in a JWT is admin and the attack score is below 40.

• Expression: (lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "user") eq "admin" and cf.waf.score < 40)
• Action: Managed Challenge

In this example, <TOKEN_CONFIGURATION_ID> is your token configuration ID found in JWT Validation and user is the JWT claim.