Apigee Proxy URL Azure Ad Authentication

Hi,

In an Apigee proxy we are trying to authenticate the user with Azure AD. Here below is our configuration:

Step 1: First we fetch the public key with a ServiceCallout policy using the URL https://XXXXXXXX/v2.0/keys and store the response in the jwksRequest variable.


Step 2: We created a second policy of type JavaScript that parses the JSON object retrieved from jwksRequest.content, retrieves the public key from the JSON array into the variable jwks, and then assigns it to the context variable myjwks for use in the next VerifyJWT policy.


Step 3: We created a VerifyJWT policy that uses the public key retrieved in the previous step via the ref variable myjwks.


So when we use the configuration below in the above policy:

<PublicKey>
    <Value ref="myjwks"/>
</PublicKey>

we get the error "cannot instantiate public key".

And when using the JWKS directly in the policy,

we get the error: Invalid Key configuration : policy(Verify-JWT-1) element(PublicKey)

Note: We are passing the JWT token from Postman in the Authorization header as a Bearer token.

Please let us know if the above configuration is correct or if any more details are needed.

Thank you!


Hi @Sanket_kokne ,

Please avoid creating a new topic for the same issue. You already created one yesterday here; just reply to that one. That's the benefit of a forum like this. Keep the conversation on the same topic going forward, please.

I see that you tried pointing the PublicKey to the JWKS as I suggested in your original post here. Per the error you're getting, "Invalid Key configuration", it looks like your JWKS URI is either incorrect or the format is not valid. Can you please check if your JWKS URI is giving you a response in the format like below? Apigee must receive a valid JWKS similar to the below in order for it to work. Also, it's worth mentioning that the JWKS URI must be publicly accessible so Apigee can reach it. The JWK RFC sample for your reference is here.

{
  "keys": [
    {
      "kty": "EC",
      "crv": "P-256",
      "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "use": "enc",
      "kid": "1"
    },
    {
      "kty": "RSA",
      "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
      "e": "AQAB",
      "alg": "RS256",
      "kid": "2011-04-29"
    }
  ]
}


Hi @pablosan, thank you for the quick response. Here below is our JWKS URI response format.

The same URI response works perfectly fine with our backend application.

{
  "keys": [
    {
      "kid": "XXXXXXXXSdpK8MSrs39FDreBVnxmFne8qLo",
      "use": "sig",
      "kty": "RSA",
      "e": "AQAB",
      "n": "XXXXXXXMPslG1Tz6HkwYV6kS42zRGBkchePGcwT9He2iZ_DXvLyfW4amJ-lI7H3xUYGid-5PH4Mr5A9ekBi1ElYIwu-zsfSwwynoSyjXZFYYLP33TXMWltnOB9w6Ey8xKcqbzsAkD9pSWCihQ-tjfHkz7sRJ1e7gWnXgFsgTdw3dkRKm5ZznmdGK1Boyn8iPIob8nRJ_sclIrFrItwYWyIzF6gCoiQ7msOoacNi3IoHkSG58pkD5JnCVp1fw6nmQF3_Mx4bI1YFum8iLFSfAiVo3M4d7Xs1Xoa0ALpP3IsR6V5Hepk34hTWh4J7Uj-Q"
    }
  ]
}

This is our policy as you suggested:


The JWKS URI is also publicly accessible, but we are still getting the error mentioned below:

Invalid Key configuration : policy(Verify-JWT-1) element(PublicKey)


Please let us know if any change is required.

Thank you!


My opinion: kindly understand the sequence of the flow involved within a JSON Web Key Set (JWKS) to verify a JWS/JWT, as stated in the link below, and follow it through. It is hard for me at least to understand the URLs and the values set up within the proxy. If there is a way to talk or screen share, that will help troubleshoot, but I bet some misconfiguration is causing the issues. Another alternative is to test via a sample Java application to verify the behavior and then mimic that setup in Apigee.

Ref:

This is the basic sequence that Edge (or any platform that works with JWKS) needs to perform to work with a JWS/JWT that has a JWKS:

  1. Examine the JWS/JWT header to find the Key ID (kid).
  2. Examine the JWS/JWT header to find the signing algorithm (alg), such as RS256.
  3. Retrieve the list of keys and IDs from the JWKS of the well-known endpoint for a given issuer.
  4. Extract the public key from the list of keys with the key ID noted in the JWS/JWT header and with the matching algorithm, if the JWKS key specifies the algorithm.
  5. Use that public key to verify the signature on the JWS/JWT.


Are you sure your JWKS URI is correct? Does it end with /v2.0/keys? Why do you include p=B2C_1A_SIGNUP_SIGNIN as a query parameter to your JWKS URI? I believe it should not be there. According to this documentation from Microsoft, the JWKS URI for Azure AD B2C should be something like this:

https://TENANT_NAME.b2clogin.com/TENANT_NAME.onmicrosoft.com/POLICY_NAME/discovery/v2.0/keys

...where TENANT_NAME is replaced by an appropriate value for you.

The older version of this might have been:

https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys

...where TENANT_ID is a GUID.

If you have a custom Azure AD signin policy, then, you should use this:

https://TENANT_NAME.b2clogin.com/TENANT_NAME.onmicrosoft.com/POLICY_NAME/discovery/v2.0/keys

The older version of this is

https://login.microsoftonline.com/TENANT_NAME.onmicrosoft.com/discovery/v2.0/keys?p=POLICY_NAME

It may be that the URI is incorrect, which is why you see that runtime error. "Invalid Key Configuration" says that the policy cannot retrieve valid keys. There's a different error ("No matching public key") if the policy can retrieve keys from the URI but does not find a match.