In Apigee Verify JWT with multiple Algorithms

I have currently set up different algorithms for my Auth Code Flow token and my Client Credentials token. The setup I did to verify this in Apigee is:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify_JWT">
    <DisplayName>Verify_JWT</DisplayName>
    <FaultRules/>
    <Properties/>
    <Algorithm>RS512,PS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Issuer>https://auth.example.com</Issuer>
    <PublicKey>
        <JWKS uri="https://auth.example.com/pf/JWKS"/>
    </PublicKey>
    <Source>inbound.jwt</Source>
</VerifyJWT>


It sometimes works well for a client credentials flow (using RS512), but sometimes it fails with an invalid-token error. According to my understanding of the documentation, a token should be validated against both of these algorithms. Is that an incorrect assumption? What is the best way to make it validate against both?


@bhatnagarm

  1. Create multiple VerifyJWT policies: Create a separate VerifyJWT policy for each algorithm you want to validate. For example, you can create two policies: VerifyJWT_RS512 and VerifyJWT_PS256.

  2. Configure the VerifyJWT policies: In each VerifyJWT policy, specify the corresponding algorithm you want to validate. For example, in VerifyJWT_RS512, set the algorithm to "RS512", and in VerifyJWT_PS256, set the algorithm to "PS256".

  3. Include the VerifyJWT policies in the API flow: In your API proxy flow, include the VerifyJWT policies in the appropriate steps to validate the token. For example, you can include VerifyJWT_RS512 before VerifyJWT_PS256 to first validate against RS512 and then against PS256.

  4. Handle the validation results: Depending on your requirements, you can choose to proceed with the request if any of the VerifyJWT policies succeed, or you can enforce that all the VerifyJWT policies must succeed for the token to be considered valid.
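One way to wire up the two pinned policies from steps 1 to 3 so that only the policy matching the token's header runs, and so that a token naming any other algorithm is rejected rather than passed through unverified. This is an added example, not part of the original thread; the issuer and JWKS URI are taken from the question, while the DecodeJWT flow-variable name `jwt.Decode_JWT.decoded.header.alg` and the RaiseFault policy `RF_UnsupportedAlg` are assumptions.

```xml
<!-- Added example, not from the thread. Each VerifyJWT pins ONE algorithm,
     so a token whose header "alg" differs from <Algorithm> is rejected by
     that policy; the unverified header only selects which pinned check runs. -->

<!-- Policy Decode_JWT: no signature check, used only for routing -->
<DecodeJWT name="Decode_JWT">
    <Source>inbound.jwt</Source>
</DecodeJWT>

<!-- Policy VerifyJWT_RS512 -->
<VerifyJWT name="VerifyJWT_RS512">
    <Algorithm>RS512</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Issuer>https://auth.example.com</Issuer>
    <PublicKey><JWKS uri="https://auth.example.com/pf/JWKS"/></PublicKey>
    <Source>inbound.jwt</Source>
</VerifyJWT>

<!-- Policy VerifyJWT_PS256: identical except for the pinned algorithm -->
<VerifyJWT name="VerifyJWT_PS256">
    <Algorithm>PS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Issuer>https://auth.example.com</Issuer>
    <PublicKey><JWKS uri="https://auth.example.com/pf/JWKS"/></PublicKey>
    <Source>inbound.jwt</Source>
</VerifyJWT>

<!-- ProxyEndpoint PreFlow. Assumes DecodeJWT exposes the header as
     jwt.Decode_JWT.decoded.header.alg (variable name is an assumption).
     The last step is a RaiseFault policy (hypothetical name) so a token
     carrying any third algorithm fails closed instead of skipping both checks. -->
<PreFlow name="PreFlow">
    <Request>
        <Step><Name>Decode_JWT</Name></Step>
        <Step>
            <Name>VerifyJWT_RS512</Name>
            <Condition>jwt.Decode_JWT.decoded.header.alg = "RS512"</Condition>
        </Step>
        <Step>
            <Name>VerifyJWT_PS256</Name>
            <Condition>jwt.Decode_JWT.decoded.header.alg = "PS256"</Condition>
        </Step>
        <Step>
            <Name>RF_UnsupportedAlg</Name>
            <Condition>(jwt.Decode_JWT.decoded.header.alg != "RS512") and (jwt.Decode_JWT.decoded.header.alg != "PS256")</Condition>
        </Step>
    </Request>
</PreFlow>
```

Each policy above is its own file in the proxy bundle; the fragments are shown together only to keep the routing readable.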