How to populate algorithms dynamically in JWS Generate and JWS Verify policies.

I would like to populate algorithms dynamically in the JWS Generate and JWS Verify policies in Apigee Edge, based on an app attribute or any other variables, so that I do not have to add different policies for different algorithms to support multiple clients' use cases.

ACCEPTED SOLUTION

You cannot do that. The designers believed that would present a security pitfall.  One of the main security pitfalls around JWT is allowing the presenter of the JWT to specify the algorithm.  We wanted to enforce that the policy configuration specified the algorithm, statically, to prevent this. 

So you need to have two distinct policies for two distinct algorithms. The exception is ... if the different algorithms are all in the same family. So you can specify a comma-separated list like: RS256,RS384. But you may not specify a mix, for example: HS256,RS256.

Good luck.
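The rule described in the answer above, sketched as an added Python example (not Apigee's implementation and not code from the original post): the algorithm list is fixed in configuration, must stay within one family, and the `alg` header of a presented JWS is only checked against it. All function names and the sample secret are hypothetical, and only the HS* family is actually verified here.

```python
import base64, hashlib, hmac, json

# Algorithm families; RS* is listed only so the family check can recognise it.
FAMILIES = {
    "HS": {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512},
    "RS": {"RS256": None, "RS384": None, "RS512": None},
}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_algorithm_config(value):
    """Parse the static comma-separated list; reject unknown names and mixed families."""
    algs = [a.strip() for a in value.split(",") if a.strip()]
    families = set()
    for alg in algs:
        family = next((f for f, members in FAMILIES.items() if alg in members), None)
        if family is None:
            raise ValueError(f"unknown algorithm {alg!r}")
        families.add(family)
    if len(families) != 1:
        raise ValueError("configure one or more algorithms from a single family")
    return algs

def sign_hs(payload, secret, alg):
    """Produce a compact JWS with an HS* algorithm (used here to build sample input)."""
    signing_input = b64url_encode(json.dumps({"alg": alg}).encode()) + "." + b64url_encode(payload)
    mac = hmac.new(secret, signing_input.encode(), FAMILIES["HS"][alg]).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs(token, secret, configured):
    """Verify a compact JWS against a statically configured HS* list."""
    allowed = parse_algorithm_config(configured)
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # The header may only pick among configured values; anything else fails before key use.
    if alg not in allowed or alg not in FAMILIES["HS"]:
        raise ValueError(f"alg {alg!r} is not permitted here")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), FAMILIES["HS"][alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return b64url_decode(body_b64)

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    token = sign_hs(b'{"sub":"app-1"}', secret, "HS384")
    print(verify_hs(token, secret, "HS256,HS384"))
```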
