Encrypting a payload in APIGEE Edge

Hello Guys,

I have a use case where I am making a call to an external party (outside of my organization) to fetch some data.

I have a JWKS endpoint from the external partner, which I want to use to encrypt the payload before making the call.

Is there any documentation or sample available to achieve this? 

ACCEPTED SOLUTION

I understand that you want to use a JWKS to retrieve a public key (maybe RSA?) to use as the encryption key, for encryption of a payload that you are sending externally. Is that right?

You didn't describe the kind of encryption you want to use, but ... if you want to use encrypted JWT, then the built-in GenerateJWT policy will do that for you. It will look like this: 


<GenerateJWT name='JWT-Encrypt-Payload'>
  <Algorithms>
    <Key>RSA-OAEP-256</Key>
    <Content>A128GCM</Content>
  </Algorithms>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <JWKS>https://jwks-uri-here.com/jwks.json</JWKS>
    <Id ref='public_keyid'/>
  </PublicKey>
  <AdditionalClaims ref='claim_payload'/>
  <OutputVariable>output_variable</OutputVariable>
</GenerateJWT>


Some notes:

  • Specify your actual JWKS endpoint in the JWKS element.
  • You need to set the context variable public_keyid to the value of the kid of the key entry in the JWKS that you want to use. Or, you can hard-code the key ID value as the text value of the Id element.
  • The claim_payload should be a JSON string. It will be encrypted.
  • The result will be an encrypted JWT and will be placed into output_variable.
  • The documentation for this capability has not yet been published. It's on my TO DO list right now.

There is no built-in policy that constructs a general JWE. In other words, if your payload is not JSON, then ... there is no built-in policy that will help you. There is a Java callout that will generate a JWE, using an RSA key, sourced from a JWKS. Find that callout here

If you don't want to use encrypted JWT or JWE, there is at least one other alternative, using RSA keys for encryption. You can use this Java callout, combined with an AES callout.
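Added example (not code from the original post or from Apigee): two standard-library checks a practitioner can run around the GenerateJWT flow above, one to confirm that the JWKS entry named by public_keyid is actually an RSA encryption key that can serve RSA-OAEP-256, and one to confirm that the token landing in output_variable is a compact JWE whose protected header carries the configured algorithms. The JWKS and token values are constructed placeholders, and the presence of a kid in the header is an assumption, not something verified against Apigee.

```python
# Added example, not from the original post or from Apigee. All key and token
# values below are constructed placeholders, not real cryptographic material.
import base64
import json

# Constructed JWKS shaped like what a partner's JWKS endpoint would serve.
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "kid": "sig-1", "use": "sig", "crv": "P-256", "x": "x", "y": "y"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP-256",
     "n": "placeholder-modulus", "e": "AQAB"},
]}

def select_encryption_key(jwks, kid):
    """Return the JWKS entry named by the policy's <Id> (public_keyid), after
    checking it can serve <Key>RSA-OAEP-256</Key>."""
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"expected one key with kid={kid!r}, found {len(matches)}")
    key = matches[0]
    if key.get("kty") != "RSA":
        raise ValueError(f"kid {kid!r} is kty={key.get('kty')!r}; RSA-OAEP-256 needs RSA")
    if key.get("use", "enc") != "enc":  # never wrap a content key with a signing key
        raise ValueError(f"kid {kid!r} is marked use={key['use']!r}")
    if key.get("alg", "RSA-OAEP-256") != "RSA-OAEP-256":  # partner pinned another alg
        raise ValueError(f"kid {kid!r} is pinned to alg={key['alg']!r}")
    return key

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_jwe_header(token, expected_kid):
    """Parse the compact JWE placed in output_variable and confirm its protected
    header carries the configured algorithms. A kid in the header is assumed
    (not verified against Apigee); if present it must match expected_kid."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"a compact JWE has 5 segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    if (header.get("alg"), header.get("enc")) != ("RSA-OAEP-256", "A128GCM"):
        raise ValueError(f"unexpected algorithms in protected header: {header}")
    if "kid" in header and header["kid"] != expected_kid:
        raise ValueError(f"header kid {header['kid']!r} != {expected_kid!r}")
    return header

def sample_jwe(alg="RSA-OAEP-256", enc="A128GCM", kid="enc-1"):
    # Constructed 5-segment token for exercising check_jwe_header; the other
    # four segments are dummies, so this is not a decryptable JWE.
    raw = json.dumps({"alg": alg, "enc": enc, "kid": kid}).encode()
    header = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return ".".join([header, "ZW5ja2V5", "aXY", "Y2lwaGVydGV4dA", "dGFn"])
```

In a real proxy you would feed check_jwe_header the value captured from output_variable in a trace session, with the same kid you set in public_keyid.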


3 REPLIES


Hi @dchiesa1, I will be working on implementing this today. I will keep you posted.