Integrating Apigee proxy URL to validate JWT from Azure AD

Hi Team,

We are using Azure AD to authenticate users in our back-end application with a JWT token. We want to implement the same functionality using an Apigee proxy URL to access our back-end application with an Azure AD JWT token, but we are getting the following error: "Invalid serialized JWE object: Missing fourth delimiter".

Please see the screenshots below.

Below is our policy configuration:

[screenshot: Sanket_kokne_0-1672739950588.png]

Step 1: The first policy fetches the key details from the public-facing URL (Azure AD):

[screenshot: Sanket_kokne_1-1672740125836.png]

Step 2: In the second policy we cache the response from step 1.

[screenshot: Sanket_kokne_2-1672740351731.png]

Step 3: In the third policy we perform the cache lookup operation.

[screenshot: Sanket_kokne_3-1672740467277.png]

Step 4: In the fourth policy we remove the keyword "Bearer" from the client request header and retain the JWT token.

[screenshot: Sanket_kokne_4-1672740627206.png]

Step 5: In the fifth policy we try to verify the token with the cached public key from step 3.

[screenshot: Sanket_kokne_6-1672741195676.png]

Now we are using Postman to hit the proxy URL with a JWT token generated by our Azure AD.

This is our response:

{
    "fault": {
        "faultstring": "Invalid token: policy(Verify-JWT-1)",
        "detail": {
            "errorcode": "steps.jwt.InvalidToken"
        }
    }
}

Please help us find out whether any configuration changes are required in our policy, or let us know if any more details are needed.
Thank you!

Have you considered using the PublicKey/JWKS element of the VerifyJWT policy? It will retrieve and cache (300 secs) the JWKS from a public URI for you. Also, when validating a JWT, Apigee will, by default, retrieve the JWT from the Authorization header, including stripping the Bearer prefix.

I'm thinking you could replace your current flow policies with a single VerifyJWT policy. For example, the VerifyJWT policy below will validate a JWT from Google Identity using its public JWKS:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS uri="https://www.googleapis.com/oauth2/v3/certs"/>
    </PublicKey>
    <Subject>some-subject</Subject>
    <Issuer>https://accounts.google.com</Issuer>
    <Audience>some-audience</Audience>
</VerifyJWT>
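As an added example (not part of the original post or the reply, and not Apigee's implementation), the Go program below does locally what the single VerifyJWT policy above does: it builds a throwaway RSA key and a JWKS standing in for the provider's jwks_uri, mints an RS256 token, and verifies it by kid, signature, issuer, audience and expiry, the same checks the policy's PublicKey/JWKS, Issuer and Audience elements express. The SplitCompact step makes the delimiter count in the reported error explicit: a compact signed JWT has three dot-separated segments, a compact JWE five, so a token that does not split into three is rejected before any key is looked up. The kid, issuer, audience and key material are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK/JWKS mirror the members kty, kid, n, e of a jwks_uri document (the subset RS256 needs).
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url

// NewSampleIdP is a constructed stand-in for an identity provider: a fresh RSA signing key plus the JWKS publishing its public half under kid.
func NewSampleIdP(kid string) (*rsa.PrivateKey, JWKS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, JWKS{}, err
	}
	jwk := JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return priv, JWKS{Keys: []JWK{jwk}}, nil
}

// MintToken signs claims as a compact RS256 JWS: header.payload.signature.
func MintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// SplitCompact enforces the signed-JWT shape (3 dot-separated segments); a compact JWE has 5.
func SplitCompact(token string) ([]string, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	switch len(parts) {
	case 3:
		return parts, nil
	case 5:
		return nil, fmt.Errorf("token is a compact JWE (%d segments), not a signed JWT", len(parts))
	}
	return nil, fmt.Errorf("malformed token: expected 3 segments, got %d", len(parts))
}

// VerifyToken does what VerifyJWT with <PublicKey><JWKS> does: select the key by kid, verify the RS256 signature over the encoded header and payload, then check iss, aud and exp.
func VerifyToken(token string, jwks JWKS, iss, aud string, now time.Time) (map[string]any, error) {
	parts, err := SplitCompact(token)
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header unreadable or alg is not RS256 (alg=%q)", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys { // key selection by kid; a gateway would refresh its cached JWKS on an unknown kid
		n, errN := b64.DecodeString(k.N)
		if e, errE := b64.DecodeString(k.E); k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return nil, fmt.Errorf("no RSA key with kid %q, or signature not base64url", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is the two encoded segments
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var claims map[string]any
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("payload segment is not base64url JSON (%d chars)", len(parts[1]))
	}
	if claims["iss"] != iss || claims["aud"] != aud {
		return nil, fmt.Errorf("iss/aud mismatch: iss=%v aud=%v", claims["iss"], claims["aud"])
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired or exp missing (now=%d)", now.Unix())
	}
	return claims, nil
}

func main() {
	priv, jwks, _ := NewSampleIdP("kid-1") // constructed; a gateway fetches the real JWKS from the provider's jwks_uri
	tok, _ := MintToken(priv, "kid-1", map[string]any{"iss": "https://idp.example.test", "aud": "api://backend", "sub": "user-1", "exp": time.Now().Add(time.Hour).Unix()})
	claims, err := VerifyToken(tok, jwks, "https://idp.example.test", "api://backend", time.Now())
	fmt.Println(claims["sub"], err)
	_, err = VerifyToken("h.p.s.x.y", jwks, "", "", time.Now()) // five segments: rejected as a JWE, not a JWS
	fmt.Println(err)
}
```

Running it prints the verified subject for the good token and the segment-count error for the five-segment one. The same sequence is what the single VerifyJWT policy performs for you, with the JWKS fetched and cached from the configured uri rather than built in memory, so the separate fetch, cache, lookup and Bearer-stripping policies in the original flow are not needed.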