Facing issue with generate JWT while generating JWT token

I am getting an error like the one below while generating a JWT token:

{
    "fault": {
        "faultstring": "Failed to Resolve Variable : policy(JWT-Generate-RS256) variable(private.privatekey)",
        "detail": {
            "errorcode": "steps.jwt.FailedToResolveVariableException"
        }
    }
}

I have stored the private key in encrypted KVM and have configured the following policy to read the KVM

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations name="KVW-GetPrivateSecureConfig" mapIdentifier="secrets">
    <Scope>environment</Scope>
    <ExpiryTimeInSecs>15</ExpiryTimeInSecs>
    <Get assignTo="private.privatekey">
        <Key>
            <Parameter>private.privatekey</Parameter>
        </Key>
    </Get>
</KeyValueMapOperations>

JWT Policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="JWT-Generate-RS256">
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.privatekey"/>
        <Id>unique-identifier-for-privatekey-here</Id>
    </PrivateKey>
    <Subject>subject-subject</Subject>
    <Issuer>urn://apigee-edge-JWT-policy</Issuer>
    <Audience>urn://c60511c0-12a2-473c-80fd-42528eb65a6a</Audience>
    <ExpiresIn>60m</ExpiresIn>   
    <OutputVariable>output-jwt</OutputVariable>
</GenerateJWT>

Kindly help me!!


Failed to Resolve Variable : policy(JWT-Generate-RS256) variable(private.privatekey)

This is the main problem: the JWT policy can't find any variable named private.privatekey. If you look in the trace, you won't be able to see it either, I think.

I guess your problem here is in the KVM policy:

        <Key>
            <Parameter>private.privatekey</Parameter>
        </Key>

Here you need to give the actual name of the key in the KVM. Does your key name in the KVM also have the .private prefix? If not, remove it and provide the exact name of the key value name. I think you meant only "privatekey" in the <Key> array.

Hello Denis_Kalitvi,

Thanks for your response.

I updated the KVM policy as you suggested, but I am still getting the same error as above:

<KeyValueMapOperations  name="Key-Value-Map-Operations-1" mapIdentifier="JWT">
  <DisplayName>Key Value Map Operations-1</DisplayName>
  <ExclusiveCache>false</ExclusiveCache>
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
  <Get assignTo="private.my_private_key" index="1">
    <Key>
      <Parameter ref="privatekey"/>
    </Key>
  </Get>
  <Get assignTo="private.key-password" index="2">
    <Key>
      <Parameter ref="privatePWD"/>
    </Key>
  </Get>
  <Scope>environment</Scope>
</KeyValueMapOperations>

This is strange: you have more than one index under your KVM and different params?

Can you confirm you have this KVM:

Name: JWT

and inside it you have two entry keys:

- privatekey

- privatePWD (and in this one you have more than one entry? Why are you using index 1?)

Can you maybe screenshot the KVM keys for these two? (Not the values, be careful.)

I think you are just not retrieving the values from the KVM; something is not right here with the references to the key part.

Try the below.

1. Remove index in both Get elements.

2. Sometimes privatekey or password could be reserved words (didn't test), so possibly use a better name and retry.

Are you sure you need those index="1" and index="2" attributes on the Get elements? 

I think maybe try removing them. Usually you don't want or need those things. Those apply if, and only if, you've stored more than one value against the key (like privatekey or privatePWD) in the KVM. You can do this by specifying a comma-separated list, e.g. value1, value1, value3.

In that case, using Get with index="1" would return value1, and with index="3" you would get value3. But normally people don't do this with their KVMs. So perhaps you need to remove that entirely.

I find in these scenarios that it is useful to drop the "private." prefix temporarily so that I can observe if assignments are getting made appropriately in trace. If you go that route first be sure to populate KVM with temporary dummy values - say "my-test-pwd-123" or similar. You can then flip the prefix back on once you are certain you are extracting values from KVM. 

Please note: this is helpful, and works well, as long as you are not using Apigee X or hybrid. In Apigee X & hybrid, all the KVM are encrypted, so if you drop the private. prefix, you will get nothing loaded into your variables.

In those cases you can use an AssignMessage / AssignVariable for the same purpose. Just attach the policy immediately following the KVM policy. Something like this: 

<AssignMessage name="AM-Diagnostics"> 
  <AssignVariable>
    <Name>observed1</Name>
    <Ref>private.variable-presumably-set-by-kvm-get</Ref>
  </AssignVariable>
  <AssignVariable>
    <Name>observed2</Name>
    <Ref>private.another-private-variable</Ref>
  </AssignVariable>
  
</AssignMessage>
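An offline check for the failure discussed in this thread, as an added example that is not part of any post above and is not Apigee tooling: it parses the policy XML and reports any private.* variable a GenerateJWT policy references that no KVM Get assigns, plus the index attributes and ref-style key names the replies question. The sample policies are constructed from the ones posted here; the thread does not say whether the JWT policy was changed along with the KVM policy, so pairing them is an assumption, and lint_policies is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the policies posted in this thread.
KVM_POLICY = """<KeyValueMapOperations name="Key-Value-Map-Operations-1" mapIdentifier="JWT">
  <Get assignTo="private.my_private_key" index="1">
    <Key><Parameter ref="privatekey"/></Key>
  </Get>
  <Scope>environment</Scope>
</KeyValueMapOperations>"""

JWT_POLICY = """<GenerateJWT name="JWT-Generate-RS256">
  <Algorithm>RS256</Algorithm>
  <PrivateKey><Value ref="private.privatekey"/></PrivateKey>
  <OutputVariable>output-jwt</OutputVariable>
</GenerateJWT>"""


def lint_policies(kvm_xml_docs, jwt_xml):
    """Return a list of findings for one GenerateJWT policy and its KVM Get policies."""
    findings = []
    assigned = set()  # every flow variable some KVM <Get> writes to
    for doc in kvm_xml_docs:
        kvm = ET.fromstring(doc)
        name = kvm.get("name")
        for get in kvm.iter("Get"):
            target = get.get("assignTo")
            assigned.add(target)
            # index only matters when several values are stored under one key
            if get.get("index") is not None:
                findings.append(f"{name}: Get for {target} sets index={get.get('index')}")
            # <Parameter ref="x"/> takes the key NAME from flow variable x at
            # runtime; <Parameter>x</Parameter> is the literal key name
            for param in get.iter("Parameter"):
                if param.get("ref"):
                    findings.append(f"{name}: key name for {target} is read from "
                                    f"flow variable '{param.get('ref')}', not a literal")
    jwt = ET.fromstring(jwt_xml)
    for elem in jwt.iter():
        ref = elem.get("ref")
        # only private.* refs are checked; other refs may be set elsewhere in the flow
        if ref and ref.startswith("private.") and ref not in assigned:
            findings.append(f"{jwt.get('name')}: ref {ref} is not assigned by any KVM Get")
    return findings


if __name__ == "__main__":
    for finding in lint_policies([KVM_POLICY], JWT_POLICY):
        print(finding)
```

A clean result only shows that the names line up in the policy files; whether the key actually exists in the KVM still has to be confirmed in trace, as described above.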