Hi @dchiesa1 and others,
I am trying to generate a JWT using the Apigee GenerateJWT policy with the ES256 algorithm and am getting the following error. Could you please help!
jwt.Generate-JWT-1.error
cannot instantiate private key
Below is my JWT Generate Token Policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="JWT-Generate-Token">
    <Algorithm>ES256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PrivateKey>
        <!-- PEM-encoded PKCS#8 EC key, read from a flow variable -->
        <Value ref="private.privatekey"/>
    </PrivateKey>
    <Subject/>
    <Issuer>7aaaaaa-8bbbbb-6ccccccc</Issuer>
    <Audience>test-v1</Audience>
    <ExpiresIn>20m</ExpiresIn>
    <Id/>
    <!-- kid is a JOSE header, so it belongs in AdditionalHeaders, not
         AdditionalClaims (which adds payload claims); the policy sets the
         alg header from <Algorithm> and the typ header itself -->
    <AdditionalHeaders>
        <Claim name="kid">A12345</Claim>
    </AdditionalHeaders>
    <OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>
Here the private.privatekey variable, which is assigned by an AssignMessage policy, holds the value below:
'-----BEGIN PRIVATE KEY-----\nbbbbbbb\ncccccccccccccccccxxxxxxxxxx/\nxxxxxxxxxxxxx\nxxxxxx\n-----END PRIVATE KEY-----'
If I create a Python script with the code below, it generates the token as expected. Could you please suggest how to accomplish the same with Apigee?
import time
import jwt  # PyJWT

# Redacted placeholder key; in a Python string literal each \n is a real newline
secret = '-----BEGIN PRIVATE KEY-----\nbbbbbbbbbbbbbbbbbbbbbb\ncccccccccccccccccxxxxxxxxxx/\nxxxxxxxxxxxxx\nxxxxxx\n-----END PRIVATE KEY-----'
expir = int(time.time()) + 20 * 60  # 20 minutes, matching <ExpiresIn>20m</ExpiresIn>
token = jwt.encode({'iss': '7akkbd-8uidski-6jauehy',
                    'exp': expir,
                    'aud': 'test-v1'},
                   secret, algorithm='ES256',
                   headers={'alg': 'ES256', 'kid': 'A12345', 'typ': 'JWT'})
Yes. In Python, the \n is a way to encode a newline. In Apigee, you cannot use that same convention. Just include the newline.
The variable in Apigee should contain something like
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtUYiBBOdGFf3SoTp
X5F7jgAqC+UNPlsKAC54W6rDduChRANCAARCBsc92+4iYd0wGnqzK/zyvT431K+4
po4UqZd9BqrILnFEnogmLC0zDWT4oqwq5+PRJL2uiNvlDOyL1FG2sfy3
-----END PRIVATE KEY-----
I.e., the \n should be replaced with actual newlines.
How can you load a value that contains newlines into Apigee? There are lots of options.
If you are using KVM, then you need to encode the value properly, when loading it administratively.
In the AssignMessage case, you can do this:
<AssignMessage name='AM-Private-Key'>
    <AssignVariable>
        <!-- this is an EC key for curve P-256 -->
        <Name>private.privatekey</Name>
        <Value>
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtUYiBBOdGFf3SoTp
X5F7jgAqC+UNPlsKAC54W6rDduChRANCAARCBsc92+4iYd0wGnqzK/zyvT431K+4
po4UqZd9BqrILnFEnogmLC0zDWT4oqwq5+PRJL2uiNvlDOyL1FG2sfy3
-----END PRIVATE KEY-----
        </Value>
    </AssignVariable>
</AssignMessage>
This is obviously not "private", because the key is hardcoded here in the policy. But it shows you the form of the key to use, and you could use this in testing or development.
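As an added example (not code from the thread or from Apigee), a stdlib-only Python check for the situation described above: it takes a key value that was pasted with literal backslash-n sequences and surrounding quotes, turns it into a real PEM, and confirms the block is an unencrypted PKCS#8 EC P-256 key, which is the only form an ES256 signer can instantiate. The key bytes are the ones from the answer; the function names and the DER walk are my own and are not how Apigee parses the key internally.

```python
import base64
import re

# Constructed sample (key bytes as in the answer above): a PEM that arrived with
# the two characters backslash-n for each newline, plus quotes, as pasted from Python.
PEM_WITH_ESCAPED_NEWLINES = (
    "'-----BEGIN PRIVATE KEY-----\\n"
    "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtUYiBBOdGFf3SoTp\\n"
    "X5F7jgAqC+UNPlsKAC54W6rDduChRANCAARCBsc92+4iYd0wGnqzK/zyvT431K+4\\n"
    "po4UqZd9BqrILnFEnogmLC0zDWT4oqwq5+PRJL2uiNvlDOyL1FG2sfy3\\n"
    "-----END PRIVATE KEY-----'"
)
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")            # 1.2.840.10045.2.1
CURVES = {bytes.fromhex("2a8648ce3d030107"): "P-256"}          # 1.2.840.10045.3.1.7

def normalize_pem(value: str) -> str:
    """Replace literal backslash-n with newlines, drop stray quotes, and
    re-wrap the base64 body at 64 columns, so the result is a real PEM."""
    text = value.strip().strip("'\"").replace("\\n", "\n")
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if not m:
        raise ValueError("BEGIN/END markers missing or mismatched")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pkcs8_curve(pem: str) -> str:
    """Return the curve name of an unencrypted PKCS#8 EC key (what ES256 needs),
    raising ValueError when the block is not such a key."""
    pem = normalize_pem(pem)
    if not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("not a PKCS#8 'PRIVATE KEY' block: " + pem.splitlines()[0])
    der = base64.b64decode("".join(pem.splitlines()[1:-1]), validate=True)
    tag, info, _ = _tlv(der, 0)             # PrivateKeyInfo ::= SEQUENCE
    _, version, pos = _tlv(info, 0)         # version INTEGER, must be 0
    _, alg, _ = _tlv(info, pos)             # privateKeyAlgorithm SEQUENCE
    _, alg_oid, pos = _tlv(alg, 0)          # OID id-ecPublicKey
    _, curve_oid, _ = _tlv(alg, pos)        # OID of the named curve
    if tag != 0x30 or version != b"\x00" or alg_oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not a version-0 PKCS#8 EC private key")
    return CURVES.get(curve_oid, "unknown curve " + curve_oid.hex())
```

Run `normalize_pem` on the value before it is stored in a KVM or AssignMessage policy, and `pkcs8_curve` as a pre-deployment sanity check; an "EC PRIVATE KEY" (SEC1) or encrypted block is rejected with a clear reason instead of a generic "cannot instantiate" error.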