Hello Guys,
I have a use case where I am making a call to an external partner (outside of my organization) to fetch some data.
I have a JWKS endpoint from the external partner, which I want to use to encrypt the payload before making the call.
Is there any documentation or sample available to achieve this?
I understand that you want to use a JWKS to retrieve a public key (maybe RSA?) to use as the encryption key, for encryption of a payload that you are sending externally. Is that right?
You didn't describe the kind of encryption you want to use, but ... if you want to use encrypted JWT, then the built-in GenerateJWT policy will do that for you. It will look like this:
<GenerateJWT name='JWT-Encrypt-Payload'>
  <Algorithms>
    <Key>RSA-OAEP-256</Key>
    <Content>A128GCM</Content>
  </Algorithms>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <JWKS>https://jwks-uri-here.com/jwks.json</JWKS>
    <Id ref='public_keyid'/>
  </PublicKey>
  <AdditionalClaims ref='claim_payload'/>
  <OutputVariable>output_variable</OutputVariable>
</GenerateJWT>
Some notes:
There is no built-in policy that constructs a general JWE. In other words, if your payload is not JSON, then ... there is no built-in policy that will help you. There is a Java callout that will generate a JWE, using an RSA key, sourced from a JWKS. Find that callout here.
If you don't want to use encrypted JWT or JWE, there is at least one other alternative, using RSA keys for encryption. You can use this Java callout, combined with an AES callout.
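To make concrete what the GenerateJWT configuration above does, here is an added example (not code from the original post, and not Apigee's own implementation) in Go using only the standard library: it parses a JWKS document, selects the RSA public key by kid (the job of <Id ref='public_keyid'/> in the policy), and produces a compact JWE with alg RSA-OAEP-256 and enc A128GCM, the same pair the policy is configured with. The partner's decryption side is included so the round trip can be verified. The key pair, the JWKS document, the key id partner-key-1 and the sample payload are all constructed for the example; a real JWKS is fetched over HTTPS from the partner's URL.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// publicKeyFromJWKS selects the RSA key whose kid matches, which is what <Id ref='public_keyid'/> does in the policy.
func publicKeyFromJWKS(doc []byte, kid string) (*rsa.PublicKey, error) {
	var set struct {
		Keys []struct{ Kty, Kid, N, E string } `json:"keys"` // field names match JWK members case-insensitively
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Kid != kid {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("key %q has malformed n or e", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// encryptJWE builds a compact JWE (RFC 7516) with alg RSA-OAEP-256 and enc A128GCM, the caller's side of the exchange.
func encryptJWE(pub *rsa.PublicKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A128GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	buf := make([]byte, 16+12) // fresh 128-bit content-encryption key, then the 96-bit GCM IV; both new per message
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:16], buf[16:]
	// RSA-OAEP-256 is OAEP with SHA-256 for both the hash and MGF1, which is what EncryptOAEP does with sha256.New().
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek) // cannot fail for a 16-byte key
	gcm, _ := cipher.NewGCM(block)
	// The base64url protected header is the AAD, so any tampering with alg/enc/kid invalidates the tag.
	sealed := gcm.Seal(nil, iv, payload, []byte(protected))
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// decryptJWE is the partner's side: pin the algorithms, unwrap the CEK with the private key, open the ciphertext.
func decryptJWE(priv *rsa.PrivateKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("expected 5 JWE segments, got %d", len(parts))
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = d
	}
	var hdr map[string]string
	// The receiver decides which algorithms it accepts; the header never gets to choose them.
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr["alg"] != "RSA-OAEP-256" || hdr["enc"] != "A128GCM" {
		return nil, fmt.Errorf("rejected JWE header %s", raw[0])
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil || len(cek) != 16 { // a CEK of the wrong length is as invalid as a failed unwrap
		return nil, fmt.Errorf("CEK unwrap failed")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}

// roundTrip: a constructed partner key pair and JWKS document stand in for the real endpoint,
// the caller encrypts against the JWKS alone, and the partner decrypts with the private key.
func roundTrip(payload []byte) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	jwksDoc := fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":"partner-key-1","use":"enc","n":"%s","e":"%s"}]}`,
		b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	pub, err := publicKeyFromJWKS([]byte(jwksDoc), "partner-key-1")
	if err != nil {
		return nil, err
	}
	token, err := encryptJWE(pub, "partner-key-1", payload)
	if err != nil {
		return nil, err
	}
	return decryptJWE(priv, token)
}

func main() {
	out, err := roundTrip([]byte(`{"orderId":"A-1001","amount":42.5}`)) // constructed sample payload
	fmt.Println(string(out), err)
}
```

Two points worth keeping in mind when mapping this back to the policy: the kid passed to publicKeyFromJWKS corresponds to the variable behind <Id ref='public_keyid'/>, so the sender must know which key the partner wants used rather than taking the first key in the set; and on the receiving side the accepted alg/enc pair is fixed in code, which is the property that makes an encrypted JWT safe against a header that names a weaker algorithm.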
Hi @dchiesa1, I will be working on implementing this today. I will keep you posted.