LinkedIn
Twitter
Hi google ,
@dchiesa1
I am retrieving JWT from azure b2c .
I can get a public key from azure and verify the signature in jwt.io using the public key .
However , if I use Verify JWT Policy in apigee it is failing with Invalid token: policy(Verify-JWT-Azure-B2C) and error.class com.apigee.steps.jwt.verify.VerificationException.
Assign message policy content from proxy setting the Public Key :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-JWKS">
<DisplayName>AM-JWKS</DisplayName>
<Properties/>
<AssignVariable>
<Name>azure.publickey</Name>
<Value>-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVKUtcx/n9rt5afY/2WF
NvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmLiWZizpb+h0qup5j
znOvOr+Dhw9908584BSgC83YacjWNqEK3urxhyE2jWjwRm2N95WGgb5mzE5XmZIv
kvyXnn7X8dvgFPF5QwIngGsDG8LyHuJWlaDhr/EPLMW4wHvH0zZCuRMARIJmmqiM
y3VD4ftq4nS5s8vJL0pVSrkuNojtokp84AtkADCDU/BUhrc2sIgfnvZ03koCQRoZ
mWiHu86SuJZYkDFstVTVSR0hiXudFlfQ2rOhPlpObmku68lXw+7V+P7jwrQRFfQV
XwIDAQAB
-----END PUBLIC KEY-----</Value>
</AssignVariable>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
Verify Jwt Policy content :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-Azure-B2C">
<DisplayName>Verify JWT-Azure-B2C</DisplayName>
<Algorithm>RS256</Algorithm>
<Source>id_token</Source>
<PublicKey>
<Value ref="azure.publickey"/>
</PublicKey>
</VerifyJWT>
id_token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsifQ.eyJleHAiOjE2MzY2NDc1NTAsIm5iZiI6MTYzNjY0Mzk1MCwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9zaXRhc3BtLmIyY2xvZ2luLmNvbS9kMDE1OTQ4Ni04YmFkLTQzNzMtOGFjNi04YTdjMDgwYzI0ODgvdjIuMC8iLCJzdWIiOiI5MTdiYWNjYS03ZjllLTQzNTYtYTRhZS1iM2RlMDZlODNkNmMiLCJhdWQiOiIzMWU2MjQxZS00YjYxLTRmZjYtODZlYy05NzRjNjliMWE5NzQiLCJpYXQiOjE2MzY2NDM5NTAsImF1dGhfdGltZSI6MTYzNjY0Mzk1MCwiaWRwIjoiTG9jYWxBY2NvdW50Iiwib2lkIjoiOTE3YmFjY2EtN2Y5ZS00MzU2LWE0YWUtYjNkZTA2ZTgzZDZjIiwibmFtZSI6IkIyLWJiMmFjY291bnQ3NTdAdGVzdC5jb20iLCJqb2JUaXRsZSI6IlBBWCIsImV4dGVuc2lvbl9zcG1Vc2VySWQiOiI2MThiZmRjYTA3NTU3ZDA3ODdhYzZjODUiLCJlbWFpbHMiOlsiQjItYmIyYWNjb3VudDc1N0B0ZXN0LmNvbSJdLCJ0ZnAiOiJCMkNfMV9ST1BDX0F1dGgiLCJhdF9oYXNoIjoiZGVLT3NwWEliWHV1UFZ4ak9ZYW9BUSJ9.pcbt3BW4debZ57MJ0mbITI4vmHvRsSSe9FOnAnjGF1x_E2eP1fexL2ITjxyBHsNc-Dc9wBY51oFA6a5HsaezCblO6MNPCBwBxR0eOBe_OjPOMgh50AUqln1xYAIRC-Dwe72Ob46vnYmwNeXxe0tLaRuiCj0hNjY_QQ7PiTfh29LhKdV36FAar34b_OeJ6SVMwitlkDTheSmhxCt722V16CN7VKmMS1AB6ah_c1P7kSR-DQUVgDuDncNs6cTl2cc5eIpCnFLKuOvT22HskbRlj0zX0yxXaobROEW-aQ0fkbS0wfBcDgjeihSLvsUuCjETtoMq2rbtP8hQFijgCLkMtQ"
Can you please help debug the issue .
Solved
1 ACCEPTED SOLUTION
That's strange. It works for me.
This is the policy I used to set up variables:
<AssignMessage name='AM-AssignVariables'>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<AssignVariable>
<Name>azure.publickey</Name>
<Value>-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVKUtcx/n9rt5afY/2WF
NvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmLiWZizpb+h0qup5j
znOvOr+Dhw9908584BSgC83YacjWNqEK3urxhyE2jWjwRm2N95WGgb5mzE5XmZIv
kvyXnn7X8dvgFPF5QwIngGsDG8LyHuJWlaDhr/EPLMW4wHvH0zZCuRMARIJmmqiM
y3VD4ftq4nS5s8vJL0pVSrkuNojtokp84AtkADCDU/BUhrc2sIgfnvZ03koCQRoZ
mWiHu86SuJZYkDFstVTVSR0hiXudFlfQ2rOhPlpObmku68lXw+7V+P7jwrQRFfQV
XwIDAQAB
-----END PUBLIC KEY-----</Value>
</AssignVariable>
<AssignVariable>
<Name>id_token</Name>
<Value>eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrNHh5b2pORnVtMWtsMll0djhkbE5QNC1jNTdkTzZRR1RWQndhTmsifQ.eyJleHAiOjE2MzY2NDc1NTAsIm5iZiI6MTYzNjY0Mzk1MCwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9zaXRhc3BtLmIyY2xvZ2luLmNvbS9kMDE1OTQ4Ni04YmFkLTQzNzMtOGFjNi04YTdjMDgwYzI0ODgvdjIuMC8iLCJzdWIiOiI5MTdiYWNjYS03ZjllLTQzNTYtYTRhZS1iM2RlMDZlODNkNmMiLCJhdWQiOiIzMWU2MjQxZS00YjYxLTRmZjYtODZlYy05NzRjNjliMWE5NzQiLCJpYXQiOjE2MzY2NDM5NTAsImF1dGhfdGltZSI6MTYzNjY0Mzk1MCwiaWRwIjoiTG9jYWxBY2NvdW50Iiwib2lkIjoiOTE3YmFjY2EtN2Y5ZS00MzU2LWE0YWUtYjNkZTA2ZTgzZDZjIiwibmFtZSI6IkIyLWJiMmFjY291bnQ3NTdAdGVzdC5jb20iLCJqb2JUaXRsZSI6IlBBWCIsImV4dGVuc2lvbl9zcG1Vc2VySWQiOiI2MThiZmRjYTA3NTU3ZDA3ODdhYzZjODUiLCJlbWFpbHMiOlsiQjItYmIyYWNjb3VudDc1N0B0ZXN0LmNvbSJdLCJ0ZnAiOiJCMkNfMV9ST1BDX0F1dGgiLCJhdF9oYXNoIjoiZGVLT3NwWEliWHV1UFZ4ak9ZYW9BUSJ9.pcbt3BW4debZ57MJ0mbITI4vmHvRsSSe9FOnAnjGF1x_E2eP1fexL2ITjxyBHsNc-Dc9wBY51oFA6a5HsaezCblO6MNPCBwBxR0eOBe_OjPOMgh50AUqln1xYAIRC-Dwe72Ob46vnYmwNeXxe0tLaRuiCj0hNjY_QQ7PiTfh29LhKdV36FAar34b_OeJ6SVMwitlkDTheSmhxCt722V16CN7VKmMS1AB6ah_c1P7kSR-DQUVgDuDncNs6cTl2cc5eIpCnFLKuOvT22HskbRlj0zX0yxXaobROEW-aQ0fkbS0wfBcDgjeihSLvsUuCjETtoMq2rbtP8hQFijgCLkMtQ</Value>
</AssignVariable>
</AssignMessage>
I used the same values you showed in your message above. And this is the policy I used to verify the JWT:
<VerifyJWT name='VerifyJWT-Azure-B2C'>
<Algorithm>RS256</Algorithm>
<Source>id_token</Source>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<PublicKey>
<Value ref='azure.publickey'/>
</PublicKey>
<TimeAllowance>86400s</TimeAllowance>
</VerifyJWT>
You'll see I added a TimeAllowance element there. That's to get the VerifyJWT to not throw because the JWT is expired. It says "treat it as not expired, up to 86400 seconds after actual expiry". That's one full day. You shouldn't use that kind of setting in a production system, because it basically ignores expiry. But it's useful for demonstrations, development, and diagnosis. A reasonable timeallowance in a production system might be 10-30 seconds or so.
Attached please find the API proxy I used to test this out. Deploy it and invoke with curl -i $endpoint/azure-b2c-jwt/t1
I suspect you don't have your variables set just as you think. If the id_token has a Bearer prefix, then it won't work. If the id_token variable is not set, then VerifyJWT will throw a fault. In any case of VerifyJWT throwing a fault, You can find the error message in the trace. Look for the variable with suffix ".error" .
Good luck!
