Error while using Generate JWT policy in Apigee by using ES256 algorithm

Hi @dchiesa1 and others,

I am trying to generate a JWT token using the Apigee Generate JWT policy with the ES256 algorithm and am getting the following error. Could you please help!!

jwt.Generate-JWT-1.error

cannot instantiate private key

Below is my JWT Generate Token policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="JWT-Generate-Token">
  <Algorithm>ES256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.privatekey"/>
  </PrivateKey>
  <Subject/>
  <Issuer>7aaaaaa-8bbbbb-6ccccccc</Issuer>
  <Audience>test-v1</Audience>
  <ExpiresIn>20m</ExpiresIn>
  <Id/>
  <AdditionalClaims>
    <Claim name="alg">ES256</Claim>
    <Claim name="kid">A12345</Claim>
    <Claim name="typ">JWT</Claim>
  </AdditionalClaims>
  <OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>

Here the assigned message variable private.privatekey holds the value below:

'-----BEGIN PRIVATE KEY-----\nbbbbbbb\ncccccccccccccccccxxxxxxxxxx/\nxxxxxxxxxxxxx\nxxxxxx\n-----END PRIVATE KEY-----'

If I create a Python script with the code below, it generates the token as expected. Could you please suggest how to accomplish the same with Apigee?

import time
import jwt  # PyJWT

# Placeholder key material as in the post above; a real PKCS#8 EC (P-256) key goes here.
secret = '-----BEGIN PRIVATE KEY-----\nbbbbbbbbbbbbbbbbbbbbbb\ncccccccccccccccccxxxxxxxxxx/\nxxxxxxxxxxxxx\nxxxxxx\n-----END PRIVATE KEY-----'
# Expiry was not shown in the post; 20 minutes matches the policy's ExpiresIn.
expir = int(time.time()) + 20 * 60
token = jwt.encode({'iss': '7akkbd-8uidski-6jauehy',
                    'exp': expir,
                    'aud': 'test-v1'},
                   secret, algorithm='ES256',
                   headers={'alg': 'ES256', 'kid': 'A12345', 'typ': 'JWT'})

1 REPLY

Yes

In Python, the \n is a way to encode a newline. In Apigee, you cannot use that same convention. Just include the newline.

The variable in Apigee should contain something like


-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtUYiBBOdGFf3SoTp
X5F7jgAqC+UNPlsKAC54W6rDduChRANCAARCBsc92+4iYd0wGnqzK/zyvT431K+4
po4UqZd9BqrILnFEnogmLC0zDWT4oqwq5+PRJL2uiNvlDOyL1FG2sfy3
-----END PRIVATE KEY-----

I.e., the \n should be replaced with actual newlines.

How can you load a value that contains newlines into Apigee? There are lots of options.

  • use Google Cloud SecretManager
  • use a KeyValueMapOperations policy to retrieve from the Apigee KVM
  • use a propertyset
  • use AssignMessage

If you are using the KVM, then you need to encode the value properly when loading it administratively.

In the AssignMessage case, you can do this:

<AssignMessage name='AM-Private-Key'>
  <AssignVariable>
    <!-- this is an EC key for curve P-256 -->
    <Name>private.privatekey</Name>
    <Value>
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtUYiBBOdGFf3SoTp
X5F7jgAqC+UNPlsKAC54W6rDduChRANCAARCBsc92+4iYd0wGnqzK/zyvT431K+4
po4UqZd9BqrILnFEnogmLC0zDWT4oqwq5+PRJL2uiNvlDOyL1FG2sfy3
-----END PRIVATE KEY-----
    </Value>
  </AssignVariable>
</AssignMessage>

This is obviously not "private", because the key is hardcoded here in the policy. But it shows you the form of the key to use, and you could use this in testing or development.
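As an added check (not part of the original thread, and not Apigee or PyJWT code), the following standard-library-only Python script makes the reply's point concrete: a value holding the two characters backslash and "n" is not a loadable PEM block, the same text with real newlines is, and a small DER walk confirms that the test key posted in the reply is a PKCS#8 EC key for curve P-256. The curve table also lists P-384 and P-521, which goes slightly beyond the thread; `normalize_pem`, `is_loadable`, `describe_ec_key` and the other names are my own, and the escaped key constant is constructed here from the reply's key.

```python
import base64
import re

# Test key posted in the reply above (EC, curve P-256), constructed here in the
# escaped form the original poster's Apigee variable held: backslash followed
# by "n" instead of a real newline, wrapped in single quotes.
ESCAPED_KEY = (
    "'-----BEGIN PRIVATE KEY-----\\n"
    "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtUYiBBOdGFf3SoTp\\n"
    "X5F7jgAqC+UNPlsKAC54W6rDduChRANCAARCBsc92+4iYd0wGnqzK/zyvT431K+4\\n"
    "po4UqZd9BqrILnFEnogmLC0zDWT4oqwq5+PRJL2uiNvlDOyL1FG2sfy3\\n"
    "-----END PRIVATE KEY-----'"
)

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"          # id-ecPublicKey
CURVES = {
    "1.2.840.10045.3.1.7": "P-256",              # prime256v1, what ES256 needs
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}
PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", re.S)


def has_escaped_newlines(value):
    """True if the text contains a literal backslash-n instead of newlines."""
    return "\\n" in value


def normalize_pem(value):
    """Strip surrounding quotes and turn literal backslash-n into newlines."""
    return value.strip().strip("'\"").replace("\\n", "\n")


def pem_body(pem):
    """Return the DER bytes of the PKCS#8 block, or raise ValueError."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PKCS#8 'PRIVATE KEY' block found")
    # validate=True rejects any character outside the base64 alphabet,
    # which is exactly what a stray backslash is.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def is_loadable(value):
    """True if the value is a PEM block whose body decodes as base64."""
    try:
        pem_body(value)
        return True
    except ValueError:
        return False


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def describe_ec_key(pem):
    """Walk PKCS#8 PrivateKeyInfo -> ECPrivateKey and report version/curve."""
    der = pem_body(pem)
    tag, info, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, version, pos = _tlv(info, 0)         # INTEGER version
    _, alg, pos = _tlv(info, pos)           # AlgorithmIdentifier SEQUENCE
    _, alg_oid, apos = _tlv(alg, 0)         # OID id-ecPublicKey
    _, curve_oid, _ = _tlv(alg, apos)       # OID of the named curve
    if _oid(alg_oid) != EC_PUBLIC_KEY_OID:
        raise ValueError("not an EC private key")
    _, wrapped, _ = _tlv(info, pos)         # OCTET STRING holding ECPrivateKey
    _, ecpriv, _ = _tlv(wrapped, 0)         # ECPrivateKey SEQUENCE
    _, _, spos = _tlv(ecpriv, 0)            # INTEGER version (1)
    _, scalar, _ = _tlv(ecpriv, spos)       # OCTET STRING private scalar
    return {"version": version[0],
            "curve": CURVES.get(_oid(curve_oid), "unknown"),
            "scalar_bytes": len(scalar)}


if __name__ == "__main__":
    print("raw value loadable:", is_loadable(ESCAPED_KEY))
    print("normalized loadable:", is_loadable(normalize_pem(ESCAPED_KEY)))
    print(describe_ec_key(normalize_pem(ESCAPED_KEY)))
```

Running the same check on the value you intend to load through the KVM, Secret Manager or AssignMessage, before wiring it into GenerateJWT, separates an escaping problem (`is_loadable` is false on the raw value but true after `normalize_pem`) from a key that is genuinely the wrong type or curve for ES256.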