Verifying multiple JWT Token audience

I have a requirement where a JWT token has to be verified. But the proxy will receive two different tokens and they have different audiences. Let the values be "audience1" and "audience2".

I referred to this answer for a similar issue: https://www.googlecloudcommunity.com/gc/Apigee/Verify-JWT-Audience-and-Scopes-with-3rd-Party-JWKS/m-...

The issue I am facing is that I am not able to insert a reference value inside the regular expression. Is it possible to do this in Apigee, or will I have to depend on a JS policy?

Also, when I construct the regex expression using the AssignMessage policy, I get an error. It looks like the string is not being considered as a regular expression.

"expressions.parser.RegexRequired: "Expected a pattern as the RHS of a pattern match expression""

e.g.: "^.*{reference_value}.*$"

@dchiesa1 

1 REPLY

Hi

I'm not sure of the problem you're confronting. The question you referenced described a challenge in validating a single value within a claim that contains an array. The array was "scopes" in that question. But it sounds like that's not the case you have here. You wrote:


@abhijithsh wrote:

But the proxy will receive two different tokens and they have different audience.


So that's not a single token, with an array claim, and the array may contain multiple values. This is two distinct tokens.

OK, then: you described some problems you're having, but you did not show any of the configuration you are using in the VerifyJWT policy or in the flow, like any Condition you're using. The error message suggests there's a problem with the expression within a Condition, but... you didn't show the condition. So I can't really help you beyond telling you "look in the Condition".

String expressions in Conditions, the "right hand side" (aka RHS, as referenced in the error message you showed), must be constants. It is not possible or valid to try to refer to a variable in the right-hand side of a comparison expression. You can compare a variable against a fixed string, or evaluate a variable for a regex match using a fixed regex. Just looking at the documentation now, this fact - that the right-hand side must be a constant value - is not clearly documented. I'll see about fixing that.

If you need to compare two variables, or evaluate one variable against a regex in a different variable, then... you can do that in JavaScript code. Rather than a flow like this:


<Step>
    <Name>VerifyJWT-1</Name>
</Step>
<Step>
    <Condition>NOT (jwt.VerifyJWT-1.decoded.claim.scopes ~~ "^\[.*update.*\]$")</Condition>
    <Name>RF-InsufficientScope</Name> <!-- runs (raising a fault) when the regex match fails, i.e. when the Condition evaluates true -->
</Step>


You would do something like this:


<Step>
    <Name>VerifyJWT-1</Name>
</Step>
<Step>
    <Name>JS-Evaluate-Audience</Name>
</Step>


And within the JavaScript step, you have access to the RegExp object, which can take a dynamic string, possibly determined by the value of some other context variables. So you can check a context variable against a dynamic regex. And then within the JS, if you throw an error (throw new Error("audience mismatch")), that will result in a fault in the flow, which you can then handle with a FaultRule, as normal. Another option is to NOT throw an error from within the JS, but to raise a fault with the RaiseFault policy. The JS would just set a flag variable with context.setVariable(), based on the result of the RegExp match. In the flow this might look something like this:


<Step>
    <Name>VerifyJWT-1</Name>
</Step>
<Step>
    <Name>JS-Evaluate-Audience</Name>
</Step>
<Step>
    <Condition>NOT(audience-match-found = true)</Condition>
    <Name>RF-Audience-Mismatch</Name>
</Step>
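Below is an added example of what the JS-Evaluate-Audience step could contain. It is not code from the thread or from Apigee; it assumes the decoded audience claim is exposed as jwt.VerifyJWT-1.decoded.claim.aud (as a JSON array string or a bare string), that the expected audience was put in a variable named allowed.audience earlier in the flow, and that the flag read by the Condition is audience-match-found. The one thing it does beyond the reply above is the practitioner's caveat for dynamic regexes: the expected value is regex-escaped and anchored, so a pattern built from "audience1" matches that value literally and does not also accept "audience10" the way "^.*audience1.*$" would.

```javascript
// Added example (not from the original thread): the audience check that a
// Condition cannot express with a variable on the right-hand side, done in an
// Apigee JavaScript policy. Written in ES5 style because Apigee JS runs on Rhino.
// Assumed variable names: "jwt.VerifyJWT-1.decoded.claim.aud" (decoded aud
// claim), "allowed.audience" (expected value, set earlier in the flow) and
// "audience-match-found" (flag read by the Condition in the flow).

// Escape regex metacharacters so a dynamic expected value is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Normalise the aud claim to an array of strings: accepts a JS array, a JSON
// array string such as '["audience1","audience2"]', or a bare string.
function audienceValues(raw) {
  if (raw === null || raw === undefined) return [];
  if (Array.isArray(raw)) return raw.map(String);
  var s = String(raw).trim();
  if (s.charAt(0) === "[") {
    try {
      var parsed = JSON.parse(s);
      if (Array.isArray(parsed)) return parsed.map(String);
    } catch (e) { /* not JSON: fall through and treat it as a bare string */ }
  }
  return [s];
}

// Build an anchored, literal regex from the dynamic expected value and test
// every audience value against it. Anchoring avoids the substring problem
// where "^.*audience1.*$" would also accept "audience10".
function audienceMatches(rawAud, expected) {
  var re = new RegExp("^" + escapeRegExp(expected) + "$");
  return audienceValues(rawAud).some(function (a) { return re.test(a); });
}

// Policy body: read the context variables, set the flag the Condition checks.
// A missing or empty expected audience is treated as a mismatch (fail closed).
function evaluateAudience(ctx) {
  var aud = ctx.getVariable("jwt.VerifyJWT-1.decoded.claim.aud");
  var expected = ctx.getVariable("allowed.audience");
  var ok = typeof expected === "string" && expected.length > 0 &&
           audienceMatches(aud, expected);
  ctx.setVariable("audience-match-found", ok);
  return ok;
}

// Constructed stand-in for Apigee's `context` object so this file also runs
// offline (e.g. under Node) for testing; inside Apigee the runtime supplies it.
function fakeContext(vars) {
  return {
    getVariable: function (n) {
      return Object.prototype.hasOwnProperty.call(vars, n) ? vars[n] : null;
    },
    setVariable: function (n, v) { vars[n] = v; }
  };
}

// Inside an Apigee JavaScript policy `context` exists; run the check there.
if (typeof context !== "undefined") {
  evaluateAudience(context);
}
```

The flow snippet above then stays as shown: RF-Audience-Mismatch runs only when audience-match-found is not true. If you prefer the throw-an-error variant from the reply, replace the setVariable line with `throw new Error("audience mismatch")` when `ok` is false and handle it in a FaultRule.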