Generating JWS with additional Header Failing

Hi, we have to generate a JWS token with detached content and a few additional headers. Here is what I am trying to generate, but I am getting a runtime error.

{
  "b64": false,
  "crit": ["b64"],
  "iat": system.timestamp,
  "alg": "RS256"
}

 

I added these in the additional headers section of the GenerateJWS policy:

<AdditionalHeaders>
  <Claim name="kid" ref="kid"/>
  <Claim name="b64" type="boolean">false</Claim>
  <Claim name="iat" ref='headersval'/>
</AdditionalHeaders>

 

There are 2 issues when adding the iat and b64 Claims under <AdditionalHeaders>:

  1. iat Claim: Apigee does not allow saving the proxy if the iat Claim is added
  2. b64 Claim: Getting the below error at runtime

 

"fault": {
    "faultstring": "Invalid Value for element : policy(GJWS-CreateSignature) element()",
    "detail": {
        "errorcode": "steps.jws.InvalidValueForElement"
    }
}

Best Regards,

Patty

 

9 REPLIES

The b64 header is a "registered" header as described in IETF RFC 7797.

Unfortunately, today the GenerateJWS policy within Apigee does not support the generation of JWS with payloads that are not base64url encoded.

There is an outstanding Feature Request (internal ref b/158204922) asking for this capability.  If this is important to you, you can connect with your account team to ask for prioritization of delivery of this feature. 

A potential workaround is to build your own Java Callout that generates JWS with support for RFC 7797.  If you give me some specific details I can try to help out here. I recognize the utility in being able to generate JWS without base64url encoding the payload. One question - are you also expecting to use a detached payload?
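The RFC 7797 signing rule that such a callout has to implement, as an added example (not code from this thread or from any Apigee callout), using only JDK classes. The class and method names are hypothetical, the key pair is generated in place, the sample payload is constructed, and `verify` is told by a parameter which rule to apply, where a real verifier would read `b64` and `crit` from the parsed header.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

public class DetachedUnencodedJws {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Signing input is ASCII(BASE64URL(header) || '.') followed by the payload:
    // raw octets when b64=false (RFC 7797), BASE64URL(payload) otherwise (RFC 7515).
    static void feed(Signature s, String encodedHeader, byte[] payload, boolean b64) throws SignatureException {
        s.update((encodedHeader + ".").getBytes(StandardCharsets.US_ASCII));
        s.update(b64 ? B64URL.encode(payload) : payload);
    }

    static String sign(PrivateKey key, byte[] payload, long iat) throws GeneralSecurityException {
        // Header from the question; "crit" tells verifiers they must understand "b64".
        String header = "{\"alg\":\"RS256\",\"b64\":false,\"crit\":[\"b64\"],\"iat\":" + iat + "}";
        String encodedHeader = B64URL.encodeToString(header.getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA"); // JCA name for RS256
        s.initSign(key);
        feed(s, encodedHeader, payload, false);
        // Detached compact form: the payload segment between the dots stays empty.
        return encodedHeader + ".." + B64URL.encodeToString(s.sign());
    }

    // Simplification: the caller passes b64; a real verifier parses the header with a
    // JSON library and rejects any "crit" entry it does not implement.
    static boolean verify(PublicKey key, String jws, byte[] payload, boolean b64)
            throws GeneralSecurityException {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3 || !parts[1].isEmpty()) return false; // not detached compact
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        feed(s, parts[0], payload, b64);
        return s.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key, generated for this example
        byte[] payload = "{\"amount\":\"10.00\"}".getBytes(StandardCharsets.UTF_8); // constructed body
        String jws = sign(kp.getPrivate(), payload, Instant.now().getEpochSecond());
        System.out.println(jws);
        System.out.println("b64=false rule verifies: " + verify(kp.getPublic(), jws, payload, false));
        System.out.println("b64=true rule verifies:  " + verify(kp.getPublic(), jws, payload, true));
    }
}
```

The second check signs nothing new: it applies the RFC 7515 rule to the same token, and the signature does not validate, which is why the header lists `b64` in `crit`.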

 

Hi Dino,

Thank you for the quick response.

We have to generate the JWS token with a detached payload, and the JWT headers should have the below elements.

{
  "b64": false,
  "crit": ["b64"],
  "iat": system.timestamp,
  "alg": "RS256"
}

Best Regards,

Patty

  

 

 

Maybe this will work for you: https://github.com/DinoChiesa/Apigee-Java-JWS

Hi Dino,

Thank you for the Java callout utility. I uploaded the sample proxy in an Apigee public SaaS account and it is working perfectly. However, in Hybrid it is giving a class initialization error.

"Could not initialize class net.minidev.json.parser.JSONParser " 

I verified in a decompiler that all the required classes are there.

Best Regards,

Patty

 

 

Hmmm interesting. 

Well you DO need to include the dependencies in the proxy that uses that callout.  The full list of jars is:

nimbus-jose-jwt-8.22.jar
json-smart-2.4.7.jar
caffeine-2.9.0.jar
asm-9.1.jar
accessors-smart-2.4.7.jar
apigee-callout-jws-20220630.jar

Do you have all of those?

Yes, I have included these jars in the API proxy. Actually, the same proxy bundle was uploaded to SaaS and Hybrid.

Best Regards,

Patty

Hmm I don't have a good answer for that. Since it's hybrid you have access to the MP logs. Can you look there to see if there is an exception thrown that indicates the cause of the class initialization error?  There should be a clear statement there. 

@dpatty :

This looks more like a class loading issue. Since you are close to the environment, please do the below and gather more information.

https://docs.apigee.com/private-cloud/v4.18.05/enabling-debug-logging


1. Create a debug session on the Message Processor

curl -v -X POST "http://localhost:8082/v1/logsessions?session=test"

Review the logs (/opt/apigee/var/log/edge-message-processor/logs) for more information.

Mostly it is a simple class loading issue.

Another way is to recycle the message processor and review...

2. Don't forget to disable it once the debugging is done.

curl -v -X DELETE "http://localhost:8082/v1/logsessions/test"

General question.

Can you please add a little context/information as to what specific requirement you are trying to address? The reason for the ask is whether it is part of the UK PSD2 requirement? https://openbankinguk.github.io/read-write-api-site3/v3.1.2/profiles/read-write-data-api-profile.htm...

RFC spec:

https://datatracker.ietf.org/doc/html/rfc7515#appendix-F