JWT Validation - Is it possible to refer to the Apigee TLS Keystore to obtain the public key?

We are working on implementing JWT validation for RS256 alg in Apigee. Is it possible for us to obtain the public key from the TLS keystore from the Apigee proxy? 

There are many examples of using the KVM, which is absolutely feasible, but we were wondering about the possibility of using the TLS Keystore so we can monitor expiration dates and such for rotations in the future.


Might be possible via a call through the Management API; however, note this is considered an anti-pattern and the Management API doesn't have any response SLA.

Public keys used to verify JWT should be stored in JWK sets. This way you can rotate keys without impacting tokens that haven't expired and that were issued with older key IDs. Key revocation is another use case where a JWK set will come in handy by having readily available certs for validation while others get revoked. For more information about these and other reasons, please review the RFC 7517 spec. Here is a solution that will help with key rotation and storage of JWK sets in a KVM. If you want to track expiration, then you can log key metadata (expiration - current date) and set log-based metrics and alerts to rotate keys in time.