Hi,
In an Apigee proxy URL we are trying to authenticate the user by Azure AD; below is our configuration:
Step 1: First we are fetching the public key with a Service Callout policy using the URL https://XXXXXXXX/v2.0/keys and storing the response in the jwksRequest variable.
Step 2: Created a second policy of type JavaScript, parsing the JSON object retrieved from jwksRequest.content, retrieving the public key from the JSON array object into the variable jwks, then assigning it inside context to the variable myjwks to use it in the next VerifyJWT policy.
Step 3: Created a VerifyJWT policy using the public key retrieved from the previous step in the ref variable myjwks.
So when we use the configuration as mentioned below in the above policy:
<PublicKey>
<Value ref="myjwks"/>
</PublicKey>
We get the error "cannot instantiate public key" as in the below screenshot.
And when using the JWKS directly like this below:
We get the error: Invalid Key configuration : policy(Verify-JWT-1) element(PublicKey)
Note: We are passing the JWT token from Postman as the Authorization bearer token.
Please let us know if the above configuration is correct or if any more details are needed.
Thank you!
Hi @Sanket_kokne ,
Please, avoid creating a new topic for the same issue. You already created one yesterday here, just reply to that one - that's the benefit of a forum like this. Keep the conversation on the same topic going forward please.
I see that you tried pointing the PublicKey to the JWKS as I suggested in your original post here. Per the error you're getting, "Invalid Key configuration", it looks like your JWKS URI is either incorrect or the format is not valid. Can you please check whether your JWKS URI is giving you a response in a format like the one below? Apigee must receive a valid JWKS similar to the one below in order for it to work. Also, it's worth mentioning that the JWKS URI must be publicly accessible so Apigee can reach it. The JWK RFC sample for your reference is here.
{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "use": "enc",
      "kid": "1"
    },
    {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
      "e": "AQAB",
      "alg": "RS256",
      "kid": "2011-04-29"
    }
  ]
}
Hi @pablosan, thank you for the quick response. Below is our JWKS URI response format.
The same URI response is working perfectly fine with our backend application.
{
"keys": [
{
"kid": "XXXXXXXXSdpK8MSrs39FDreBVnxmFne8qLo",
"use": "sig",
"kty": "RSA",
"e": "AQAB",
"n": "XXXXXXXMPslG1Tz6HkwYV6kS42zRGBkchePGcwT9He2iZ_DXvLyfW4amJ-lI7H3xUYGid-5PH4Mr5A9ekBi1ElYIwu-zsfSwwynoSyjXZFYYLP33TXMWltnOB9w6Ey8xKcqbzsAkD9pSWCihQ-tjfHkz7sRJ1e7gWnXgFsgTdw3dkRKm5ZznmdGK1Boyn8iPIob8nRJ_sclIrFrItwYWyIzF6gCoiQ7msOoacNi3IoHkSG58pkD5JnCVp1fw6nmQF3_Mx4bI1YFum8iLFSfAiVo3M4d7Xs1Xoa0ALpP3IsR6V5Hepk34hTWh4J7Uj-Q"
}
]
}
This is our policy as you suggested:
The JWKS URI is also publicly accessible, but we are still getting the error mentioned below:
Invalid Key configuration : policy(Verify-JWT-1) element(PublicKey)
Please let us know if any change is required.
Thank you!
My opinion: kindly understand the sequence of the flow involved within JSON Web Key Set (JWKS) to verify a JWS/JWT as stated in the link below and follow through. It is harder for me at least to understand the URLs and the values set up within the proxy. If there is a way to talk/screen share it will help troubleshoot, but I bet some misconfiguration is causing the issues. The other alternative is to test via a sample Java application to verify the behavior and then mimic the setup back in Apigee.
Ref:
This is the basic sequence that Edge (or any platform that works with JWKS) needs to perform to work with a JWS/JWT that has a JWKS:
Are you sure your JWKS URI is correct? Does it end with /v2.0/keys? Why do you include p=B2C_1A_SIGNUP_SIGNIN as a query parameter to your JWKS URI? I believe it should not be there. According to this documentation from Microsoft, the JWKS URI for Azure AD B2C should be something like this:
https://TENANT_NAME.b2clogin.com/TENANT_NAME.onmicrosoft.com/POLICY_NAME/discovery/v2.0/keys
...where TENANT_NAME is replaced by an appropriate value for you.
The older version of this might have been:
https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys
...where TENANT_ID is a GUID.
If you have a custom Azure AD signin policy, then, you should use this:
https://TENANT_NAME.b2clogin.com/TENANT_NAME.onmicrosoft.com/POLICY_NAME/discovery/v2.0/keys
The older version of this is
https://login.microsoftonline.com/TENANT_NAME.onmicrosoft.com/discovery/v2.0/keys?p=POLICY_NAME
It may be that the URI is incorrect, which is why you see the runtime error you see. "Invalid Key Configuration" says that the policy cannot retrieve valid keys. There's a different error ("No matching public key") if the policy can retrieve keys from the URI, but does not find a match.
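As an added example (not code from this thread, from Apigee, or from Azure AD), here is the sequence the last reply describes, in Go using only the standard library: parse a JWKS in the shape pablosan showed, pick the key whose kid matches the token header, and verify an RS256 signature, keeping "invalid key configuration", "no matching public key" and "bad signature" as three distinct outcomes so a reader can see which failure each situation in the thread corresponds to. The key pair, the kid values and the claims are constructed for the example; the VerifyJWT policy performs these steps internally, and this code only illustrates the checks it has to make.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

type jwk struct {
	Kty string `json:"kty"` // RFC 7517 members this example needs for an RSA signing key
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var (
	b64 = base64.RawURLEncoding // base64url without padding, used by JWS segments and JWK members
	// Distinct failure modes, so a caller can tell "bad key set" from "key not found" from "bad signature".
	ErrInvalidJWKS   = errors.New("invalid key configuration: document is not a usable JWKS")
	ErrNoMatchingKey = errors.New("no matching public key for the token's kid")
	ErrBadSignature  = errors.New("signature verification failed")
	ErrMalformed     = errors.New("malformed or unsupported token")
)

// generateKey stands in for the issuer's key pair (constructed for this example, not a real tenant key).
func generateKey() *rsa.PrivateKey {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails when the entropy source is unusable
	return priv
}

// jwksFromRSA builds the key-set document an issuer would publish at its JWKS URI.
func jwksFromRSA(pub *rsa.PublicKey, kid string) []byte {
	e := big.NewInt(int64(pub.E)).Bytes()
	out, _ := json.Marshal(map[string][]jwk{"keys": {{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(e)}}})
	return out
}

// signRS256 produces a compact JWS whose header names the signing key by kid.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // only fails for an unusable key
	return signingInput + "." + b64.EncodeToString(sig)
}

// selectKey picks the RSA key whose kid matches and converts its (n, e) members into a public key.
func selectKey(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		if k.Kty == "RSA" && k.Kid == kid {
			nBytes, errN := b64.DecodeString(k.N)
			eBytes, errE := b64.DecodeString(k.E)
			n, e := new(big.Int).SetBytes(nBytes), new(big.Int).SetBytes(eBytes)
			if errN != nil || errE != nil || n.Sign() == 0 || !e.IsInt64() || e.Int64() < 3 {
				return nil, ErrInvalidJWKS
			}
			return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
		}
	}
	return nil, ErrNoMatchingKey
}

// verifyRS256 runs the JWKS sequence: parse the key set, read kid from the header, select that key, verify, return claims.
func verifyRS256(jwksDoc []byte, token string) (map[string]any, error) {
	var set struct{ Keys []jwk } // encoding/json matches member names case-insensitively
	if err := json.Unmarshal(jwksDoc, &set); err != nil || len(set.Keys) == 0 {
		return nil, ErrInvalidJWKS
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	headerJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var header struct{ Alg, Kid string }
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(headerJSON, &header) != nil || header.Alg != "RS256" {
		return nil, ErrMalformed // only the configured algorithm is accepted, never "none" or an HMAC alg
	}
	pub, err := selectKey(set.Keys, header.Kid)
	if err != nil {
		return nil, err
	}
	if d := sha256.Sum256([]byte(parts[0] + "." + parts[1])); rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, ErrBadSignature
	}
	var claims map[string]any
	if json.Unmarshal(payload, &claims) != nil {
		return nil, ErrMalformed
	}
	return claims, nil
}
```

The point of the three separate errors is the one made in the reply above: a key set that cannot be parsed at all is an "invalid key configuration" and fails before any token is looked at, whereas a well-formed key set that simply lacks the token's kid fails later with "no matching public key". Checking the algorithm against the one you configured, rather than trusting the token's own alg header, is what keeps an attacker-controlled header from downgrading the verification.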