How to create a signed JWT in Apigee?

Please help me in generating a signed JWT token in APIGEE.
If this has to be done with the help of a private key, then how shall I create a private key and use it to generate a signed JWT token.


@sidheshwarc 

The Apigee X doc explains how to do this over at: 

https://cloud.google.com/apigee/docs/api-platform/reference/policies/generate-jwt-policy#generate-a-...

If you are going to use one of the RSXXX algorithms, to sign the JWT, you can generate an RSA Private/Public key pair using openssl like this:

openssl genrsa -out private-key.pem

The openssl command has options for specifying the key size, and also for encrypting the PEM output so that anyone wanting to use the private key (e.g. Apigee) would need a password to decrypt it first. 

Ideally, you take the PEM encoded key, and store it in an encrypted KVM in Apigee. Then, you can use the KVM policy to load the private key into a private flow variable, which you can then refer to when generating the signed JWT.

Now, this is only half of the story. If you want anyone to be able to verify your signed JWTs, you will need to provide them the public key associated with your private key.

You can extract the public key with openssl:

openssl rsa -in private-key.pem -pubout > public-key.pem

Also, the general mechanism for publishing public keys (for the purpose of verifying signed JWTs) is to format them as JWKs. There are various online tools you can use that make it easy to generate a JWK from a public key (e.g. https://russelldavies.github.io/jwk-creator/). Once you have the JWK, you can publish it to consumers of your JWTs through Apigee as well.



@miguelmendoza 

Thanks for your reply.
But I had one more doubt: can we generate a certificate and directly attach that certificate as a reference in the "GenerateJWTPolicy"? If so, please send a sample policy of it. And once we have generated a signed JWT using that certificate, how do we verify the generated signed JWT token?
Waiting for your reply!!!

can we generate a certificate and

You can generate a certificate, yes. There's a different openssl command to produce a cert.

can we...directly attach that certificate as a reference in the "GenerateJWTPolicy"

What do you mean by "attach as reference", specifically? There is a standard way to specify the full cert in the header of the JWT: in the x5c claim. Is that what you want to do? That's not a "reference" to the cert, but is the actual cert. If that is what you want, then yes, you can attach that by specifying AdditionalHeaders and a claim there:

<GenerateJWT name='gjwt-with-x5c'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- private.keypem is a flow variable holding the PEM-encoded private key,
       e.g. loaded from an encrypted KVM by a KVM policy earlier in the flow -->
  <PrivateKey>
    <Value ref='private.keypem'/>
  </PrivateKey>
  <Issuer>urn://whatever-you-like</Issuer>
  <ExpiresIn>30m</ExpiresIn>
  <!-- x5c embeds the actual certificate in the JWT header, not a reference to it;
       private.publiccert is a flow variable holding the PEM-encoded cert -->
  <AdditionalHeaders>
    <Claim name="x5c" ref="private.publiccert"/>
  </AdditionalHeaders>
  <OutputVariable>jwt-1</OutputVariable>
</GenerateJWT>

In this case it is your responsibility to ensure that the private key and the cert are a matching pair. The policy does not do that for you.

You can also specify an x5t#256 claim, which is a thumbprint. That is more of a "reference" to the cert, as compared to directly embedding the cert into the JWT. Add this in the same way you would add the "x5c" claim, with an AdditionalHeaders element, as shown in the example above. You would be responsible for calculating the thumbprint. (Again, you can use openssl for this.)

You can also "refer" to the cert / public key indirectly, via a jwk or x5u field in the JWT header, along with a kid field. And again, you can add these with the appropriate AdditionalHeaders configuration.
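Computing those two header values from a PEM certificate, as an added example that is not from this thread or from Apigee: it builds the x5c array (the full chain, leaf first) and the x5t#S256 thumbprint (the RFC 7515 name of the x5t#256 header mentioned above) that the reply says you are responsible for calculating, and it refuses any PEM block that is not a certificate, since whatever lands in the header is published to every consumer of the JWT. SAMPLE_CERT_PEM is constructed (its body is just base64 of "abc", not a real certificate), and the function names are mine.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM certificate chain so the example runs offline:
# the base64 body "YWJj" decodes to b"abc". A real file holds DER certificates.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in file order.

    Any other PEM label (PRIVATE KEY, RSA PRIVATE KEY, ...) is rejected: only a
    certificate may ever be copied into a JWT header.
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    ders = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to embed a {label} block in a JWT header")
        # validate=True rejects stray characters instead of silently skipping them
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def b64url_nopad(data):
    """Base64url without '=' padding, as RFC 7515 requires for x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5_headers(pem_text):
    """Build the x5c (chain, leaf first) and x5t#S256 (leaf thumbprint) header values."""
    ders = pem_to_der_certs(pem_text)
    return {
        # x5c entries are standard base64 of the DER, with padding (RFC 7515 s4.1.6)
        "x5c": [base64.b64encode(d).decode("ascii") for d in ders],
        # the thumbprint is SHA-256 over the leaf DER, base64url-encoded unpadded
        "x5t#S256": b64url_nopad(hashlib.sha256(ders[0]).digest()),
    }


if __name__ == "__main__":
    print(x5_headers(SAMPLE_CERT_PEM))
```

A thumbprint computed this way would be stored in a flow variable of its own and referenced from a second Claim element under AdditionalHeaders, just as the x5c claim is in the policy above.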

Thanks for your quick support @dchiesa1 
1) I have already generated a certificate, so what I am looking for is whether I can use that generated certificate only in the policies to generate a signed JWT as well as verify the generated signed JWT. If yes, could you please send sample policies for both generate and validate signed JWT as a reply to the above query.
2) One more thing is, I see you using ref="private.publiccert" in the above sample policy. Where are you actually configuring that "publiccert"? Is it a flow variable, and what is it pointing to?

What I am looking for is whether I can use that generated certificate only in the policies to generate a signed JWT as well as verify the generated signed JWT.

A certificate is a signed public key with some other metadata - not-before date, expiry date, the names of the subject and issuer (signer). You can use a certificate, really the public key within the certificate, to VERIFY a signed JWT. You cannot use a certificate to SIGN a signed JWT. To create a signed JWT, you need a private key. That's not included in the certificate, and it's not derivable from a certificate.

In summary:

  • Use a private key to sign a JWT
  • Use a public key (or a cert, which wraps a public key) to verify a JWT

Where are you actually configuring that "publiccert"? Is it a flow variable, and what is it pointing to?

It's a flow variable and it holds a PEM-encoded cert, which looks something like this:

-----BEGIN CERTIFICATE-----
MIIDqDCCApACCQCG/xVb7Yzw3zANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMC
rmBwpSkRBnesB8ca+a8zHn/DUapjdeZx++kWCznDWUzXRjZCy7wEHhK+keeoq5QO
...
YjBaZuNUDVLGvbTSRgWG5lwm85Jar2zeCBcxFDwqyZFvVNV9SfoWF/LgVVpK54n8
rknZ17USb0ob51ckxPTENmF2DUHBzgptiw10Yw==
-----END CERTIFICATE-----

And you are responsible for loading your own encoded cert into a flow variable so that your policy can reference it.