OneLogin Token Verification in Apigee

I want to verify a JWT generated by Onelogin inside Apigee. What are the possible ways to do this. I am a little confused here. Does any existing security policies help in this regard ?

1 ACCEPTED SOLUTION

This documentation page describes how to use the OneLogin token introspection endpoint. You must send a POST call with a particular payload. The example given there uses nodejs; you can make outbound http calls from Apigee using a ServiceCallout policy. I will leave the "translation" of the nodejs code to ServiceCallout policy configuration to you.

on that same doc page it states:

Note that decoding a JWT via the introspection as we've done here is convenient, but not very efficient. In a backend web API, we wouldn't want to call our OneLogin OIDC app's introspection endpoint on every call our API receives. Instead, we could use a JWT library that loads and caches our OIDC app's JSON Web Key Set (JWKS), uses it to verify the token's authenticity, and then base64-decodes it so we can validate its fields.

which is why I suggested that you use the VerifyJWT policy, which caches the JWKS just as the OneLogin documentation page suggests.

PS: I don't know the SH256 algorithm. I don't think OneLogin uses an algorithm by that name to sign their JWT.
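An Apigee VerifyJWT policy wired to the OneLogin JWKS endpoint named in this thread, added here as an example rather than configuration from the original answer. The subdomain, issuer and audience values are placeholders, and RS256 is assumed as OneLogin's signing algorithm.

```xml
<VerifyJWT name="VerifyJWT-OneLogin">
    <DisplayName>Verify OneLogin JWT</DisplayName>
    <!-- Assumed: OneLogin signs its tokens with RS256. Pinning the algorithm
         means a token declaring a different "alg" is rejected outright instead
         of being checked against these keys. -->
    <Algorithm>RS256</Algorithm>
    <!-- Token is read from "Authorization: Bearer <token>" on the inbound request -->
    <Source>request.header.authorization</Source>
    <PublicKey>
        <!-- JWKS endpoint from the thread; the policy fetches and caches the keys,
             so no private key is stored in Apigee. YOUR_SUBDOMAIN is a placeholder. -->
        <JWKS uri="https://YOUR_SUBDOMAIN.onelogin.com/oidc/2/certs"/>
    </PublicKey>
    <!-- Placeholders: tokens minted by another issuer or for another client fail -->
    <Issuer>https://YOUR_SUBDOMAIN.onelogin.com/oidc/2</Issuer>
    <Audience>YOUR_ONELOGIN_CLIENT_ID</Audience>
    <!-- Small clock-skew tolerance for exp / nbf checks -->
    <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>
```

Attach the policy to the proxy request PreFlow; a token that fails signature, issuer, audience or expiry checks raises a fault before the request reaches the target.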


6 REPLIES

Yes. Just go through https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy and it should help you configure the validate JWT policy.

I had seen this one. However, I can't store the private key here, which actually is against the whole point of using OneLogin to generate the token.

Looks like there is a misunderstanding. You are validating, not generating, the token.

There are different algorithms: HS256 (via shared key) and RS256/ES256/PS256 etc., which use public/private keys (during generation you will need the private key and during validation you will need the public key).

If you want to learn the finer details, either learn online (basics about how JWT works) or read up on the spec at https://datatracker.ietf.org/doc/html/rfc7519, which will really give good insights on how JWT works.

Wish there were a call button to speak to you to clarify 🙂 Instead, open a support ticket and discuss if you need simple guidance.
https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy#verify-a-jwt-signed-with-t...

https://www.youtube.com/watch?v=YTxiBpOKST0

In the beginning there will be a learning curve if you aren't familiar, but once you understand it, it is easy to implement. (Maybe an opportunity to enroll in a course: https://www.coursera.org/search?query=apigee )

Good luck.


I am a little confused here. Does any existing security policies help in this regard ?

Why are you confused? Did you search and find the "VerifyJWT" policy? And then....? I'm genuinely curious. When I am confronting a problem, I start with a search. If I were in your shoes I would probably search for "verify JWT onelogin apigee". The first link points to the VerifyJWT policy for Apigee, which.... is a builtin policy in Apigee that can verify a signed JWT.  OK that's a good start.  A little reading on that page, and I learn that the policy can refer to a JWKS endpoint to get verification keys. Searching for "onelogin JWKS" I see that the JWKS endpoint for onelogin is https://{subdomain}.onelogin.com/oidc/2/certs.

So all of this looks pretty straightforward. What part was confusing? In case you think I am asking a rhetorical question, that is not the case. It's a real question. I would like to understand where the obstacle is. Do you have any insight?

I will give you more details so that no assumptions need to be made. So we have an SH256-signed token from OneLogin. What I learned is that the options to verify the token are either

1. Have the private key in apigee and verify using JWT policy.

2. Make a service callout to Onelogin introspection api. 

I would like to go for the second option. This question was raised because of wrong information that the OAuth2.0 policy can be used to verify the OneLogin token.

I believe your answer is regarding RSA based JWT for which we can use the JWKS endpoint to get the verification keys.
