Issue with Bearer in Decode JWT Policy

Hi @dchiesa1 ,

The API proxy is receiving a JWT which is not dispensed by Apigee. The request header is "Auth-1: Bearer {JWT}".

I want to decode the JWT and extract claims. Only when "Bearer" is in the request header, Apigee throws: 

Invalid JWS header: Invalid JSON: Unexpected token �z��&�r#�%%3#Sb"�'G�"�$�uB"�&��B"�'S&�7T�t�d�%7��#&�3g�4�$�$�4�FF�Vu���' at position 84.

If there is no "Bearer" in the Auth-1 header, I am able to successfully decode the JWT and extract the claims.

Note: I am using "Source" element in my "Decode JWT" policy.

Do I have to use JS to strip "Bearer" from the Auth-1 header

or

is there any out-of-the-box solution provided by Apigee Edge?

Solved
1 ACCEPTED SOLUTION

Note: I am using "Source" element in my "Decode JWT" policy.

Do I have to use JS to strip "Bearer" from the Auth-1 header

or

is there any out-of-the-box solution provided by Apigee Edge?

Yes - the workaround is to "strip the Bearer prefix", or, use the Authorization header - and Apigee will strip the Bearer for you, automatically.

There is no way to tell the policy "please strip the bearer prefix", when you use the Source element.

An easy way to do this "stripping" is to use the ExtractVariables policy, configured like this:


<ExtractVariables name='EV-JWS'>
  <Source>request</Source>
  <VariablePrefix>extracted</VariablePrefix>
  <Header name='Auth-1'>
    <Pattern>Bearer {jwt}</Pattern>
  </Header>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</ExtractVariables>


This will tell Apigee to look in the request header called Auth-1, for a pattern that looks like Bearer XXX, and if found, it will populate a variable called extracted.jwt with the contents of the XXX. And then you should use extracted.jwt as the value inside the <Source> element for the DecodeJWT policy.

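An added illustration of the failure the question reports, written in Python rather than Apigee policy XML; it is not code from the original post or from Apigee. The token, header and claims are constructed inline so it runs offline. With the "Bearer " prefix still attached, the first dot-separated segment is no longer valid base64url-encoded JSON, which is exactly the "Invalid JSON" error shown above; once the prefix is stripped (the job the ExtractVariables pattern does in the proxy), the same segments decode cleanly. The prefix match here is case-insensitive, an assumption made because HTTP authentication scheme names are case-insensitive under RFC 7235.

```python
from __future__ import annotations

import base64
import json
import re

# Constructed sample JWT (header.payload.signature), built inline so the
# example runs offline. The signature segment is a placeholder and is never
# verified here.
def _b64url(raw: bytes) -> str:
    """Base64url-encode without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT"}
SAMPLE_CLAIMS = {"sub": "user-123", "iss": "https://idp.example.test", "scope": "read"}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps(SAMPLE_HEADER).encode("utf-8")),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode("utf-8")),
    _b64url(b"placeholder-signature"),
])

# Scheme name matched case-insensitively (assumption: RFC 7235 semantics).
_BEARER_RE = re.compile(r"^\s*Bearer\s+(?P<token>\S+)\s*$", re.IGNORECASE)


def strip_bearer(header_value: str) -> str:
    """Return the raw token from 'Bearer <token>'; pass a bare token through."""
    m = _BEARER_RE.match(header_value)
    if m:
        return m.group("token")
    return header_value.strip()


def _decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment (restoring padding) and parse it as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    raw = base64.urlsafe_b64decode(padded)
    return json.loads(raw.decode("utf-8"))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Parse header and claims only; like DecodeJWT, this checks no signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return _decode_segment(parts[0]), _decode_segment(parts[1])


def decode_from_header(header_value: str) -> tuple[dict, dict]:
    """The working path: strip the scheme prefix first, then decode."""
    return decode_jwt_unverified(strip_bearer(header_value))


def decode_fails_with_prefix(header_value: str) -> bool:
    """True when decoding the header value as-is (prefix kept) fails.

    binascii.Error, UnicodeDecodeError and JSONDecodeError are all
    ValueError subclasses, so one except clause covers every failure mode.
    """
    try:
        decode_jwt_unverified(header_value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    raw = "Bearer " + SAMPLE_JWT
    print("decode with prefix fails:", decode_fails_with_prefix(raw))
    print("decode after strip:", decode_from_header(raw)[1])
```

Both this decoder and Apigee's DecodeJWT policy only read what the token says about itself; the extracted claims should drive an authorization decision only after the signature has been validated, for example with a VerifyJWT policy placed before the claims are used.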

2 REPLIES

Thanks, Dino!