Importing JWT Java Callout Proxy using Apigee Edge UI


Hi - I need some information on deploying the JWT Java callout proxies from the Apigee Edge UI.

Source:

https://github.com/gahana/edge-jwt-sample

1. Can we download the zip and just deploy the individual proxies from Apigee Edge? Or can the Apigee Edge UI handle multiple proxies when importing a bundle?

2. I tried to import the Validate proxies individually but am getting a read error. Do we need to change/set any variables before importing?

3. Are all the prerequisites mentioned in the above source link required when importing the proxies from the Apigee Edge UI?

4. deploy.sh is rebuilding the jars. Is this a mandatory step before deploying these proxies, irrespective of the Edge UI or command-line process?

Thanks,

Sekhar


2 ACCEPTED SOLUTIONS

Hi Sekhar,

1. You can zip and import one proxy at a time. Or you can use the deploy script in the project.

2. The validate proxy uses a shared flow. Are you importing it before the validate proxy? Also, the proxy in the above repo is designed to take input to run some tests for generating and validating JWTs. You should pick the `edge-jwt-generate.jar` and `jose4j-0.5.7.jar` and use them in your own Java callout. You can see some examples in the readme file.

3. The prerequisites have their purpose mentioned. If you just want to copy the `edge-jwt-generate.jar` and not build it yourself, you may not need Gradle. If you are not using BDD, then you don't need the tools related to it.

4. The deploy script rebuilds the jar only if you specify the java option. You don't have to do it if you just copy the jars.


Taking this question from the previous comment thread.

"Did the extract variables in the shared flow work for you? As per the Apigee docs, extracting from JSONPayload only works when the "Content-Type header is application/json." But in the case of a JWT the header content is not JSON. Any inputs on how this extract variables step can be achieved?"

Not sure I understand the question. Here is what I think you may be referring to.

The sample project is set up to test the Java callout with various inputs. The test cases are varied based on the contents of the JSON object in the request body, and the same is used to configure the Java callout.

On a production bound Java callout for JWT validation, configuration information like Issuer, Audience, Keys, Algos, etc. should come from an encrypted KVM. This way you can separate config from code, separate different environment values from each other and keep secrets and keys protected.

So instead of an ExtractVariables policy, in your case you would use a KeyValueMapOperations policy to read KVM entries for what to verify in the JWT Java callout. You could also hard code these values in Java callout, to begin with.

The JWT itself can come from the Authorization header. You can use ExtractVariables to get it from the header.

    <ExtractVariables name="EV-Extract-JWT">  <!-- policy name is illustrative -->
        <Source>request</Source>
        <Header name="Authorization">
            <Pattern ignoreCase="true">Bearer {jwt}</Pattern>
        </Header>
    </ExtractVariables>

Hope this helps.


10 REPLIES


Srinivas - Thanks for the inputs. I made a small mistake when creating the archive for the individual proxies. I corrected it and was able to import the SF and API proxy for JWT validation.

Srinivas - I am trying to troubleshoot the following issue but am not able to resolve it. I generated a JWT using "RSA_USING_SHA256" and jws=ture (exactly as in the README sample, except for the private and public keys). I tried to validate the JWT but am getting an invalid JWE public key error. When we are signing with JWS, any idea why it is expecting JWE? The same JWT is validated with the public cert on jwt.io.

I tried explicitly setting the jwe-key property to false, but still get the same error. Any advice is greatly appreciated. Thanks.

Hi Sekhar,

Can you provide the Java callout config for both generation and validation? You can mask/hide sensitive values like claims, keys & jwt.

Also confirm if the certificate is in PEM format. See the note in readme on keys.

Sekhar - Also have a look at the test case at line 175. Are you able to run this? I just checked and it works for me. Please get the latest changes and let me know if this does not work for you.

You also mention `jws=ture`. It should be `true`, not `ture`. Hope this is not a mistake in the code.

Hi Srinivas - Thanks for the prompt response. The certs are in PEM format and jws=true (it's a typo in my question). However, I found a strange issue. The public cert (PEM format) provided by the application team worked on jwt.io, but the Java callout is throwing the error. After some troubleshooting, I requested them to extract the public key from the private key using openssl. And then the Java callout worked.

I also realized that the jws-key on validation should strictly follow the naming convention below: `-----BEGIN PUBLIC KEY----- fhgk9ie -----END PUBLIC KEY-----`. It didn't work with `-----BEGIN CERTIFICATE----- JFJCJCNDJ -----END CERTIFICATE-----`.

Thank you.

Yes, the callout only reads a public key in PEM format. Not coded to read certificates currently. Can be a good enhancement.
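As an added example, not code from the edge-jwt-sample project or from anyone in this thread, the following puts the two points above in one place: Srinivas's advice to feed issuer, audience, algorithm and key from a KVM rather than from the request body, and Sekhar's finding that the callout takes a `BEGIN PUBLIC KEY` PEM but not a `BEGIN CERTIFICATE` PEM. It uses the jose4j API the sample ships (`jose4j-0.5.7.jar`) and the JDK's own key and certificate parsers. The class name, the config keys `jws-key`, `issuer` and `audience`, and the claim values are assumptions for illustration, not the sample's property names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public final class JwsVerifyExample {

    // Accepts either PEM form seen in the thread: "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo)
    // or "BEGIN CERTIFICATE" (X.509, public key pulled out of the cert). Anything else is refused.
    public static PublicKey loadPublicKey(String pem) throws Exception {
        String text = pem.trim();
        if (text.startsWith("-----BEGIN CERTIFICATE-----")) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return cf.generateCertificate(
                    new ByteArrayInputStream(text.getBytes(StandardCharsets.US_ASCII))).getPublicKey();
        }
        if (text.startsWith("-----BEGIN PUBLIC KEY-----")) {
            String b64 = text.replace("-----BEGIN PUBLIC KEY-----", "")
                             .replace("-----END PUBLIC KEY-----", "")
                             .replaceAll("\\s", "");
            byte[] der = Base64.getDecoder().decode(b64);
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        }
        // PKCS#1 "BEGIN RSA PUBLIC KEY" and every private-key PEM are rejected on purpose:
        // a validator must never be configured with a private key.
        throw new IllegalArgumentException("expected a PUBLIC KEY or CERTIFICATE PEM block");
    }

    // The config map stands in for the flow variables a KeyValueMapOperations policy would
    // populate from an encrypted KVM; the key names are assumed, not the sample's.
    public static JwtClaims verify(String jwt, Map<String, String> config) throws Exception {
        JwtConsumer consumer = new JwtConsumerBuilder()
            .setRequireExpirationTime()
            .setAllowedClockSkewInSeconds(30)
            .setExpectedIssuer(config.get("issuer"))
            .setExpectedAudience(config.get("audience"))
            .setVerificationKey(loadPublicKey(config.get("jws-key")))
            // Pin the algorithm: "none" and any non-RS256 header value are rejected.
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256))
            .build();
        return consumer.processToClaims(jwt); // throws InvalidJwtException on any failure
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and token for the demo; in Edge the key comes from the KVM.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        String pem = "-----BEGIN PUBLIC KEY-----\n"
            + Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                    .encodeToString(pair.getPublic().getEncoded())
            + "\n-----END PUBLIC KEY-----\n";

        JwtClaims claims = new JwtClaims();
        claims.setIssuer("https://issuer.example"); // assumed values
        claims.setAudience("my-api");
        claims.setSubject("sekhar");
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(pair.getPrivate());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        String token = jws.getCompactSerialization();

        Map<String, String> config = new HashMap<>();
        config.put("jws-key", pem);
        config.put("issuer", "https://issuer.example");
        config.put("audience", "my-api");
        System.out.println("verified subject: " + verify(token, config).getSubject());

        // Same payload relabelled {"alg":"none"} with an empty signature: must be rejected.
        String noneToken = "eyJhbGciOiJub25lIn0." + token.split("\\.")[1] + ".";
        try {
            verify(noneToken, config);
            System.out.println("BUG: unsigned token accepted");
        } catch (InvalidJwtException e) {
            System.out.println("unsigned token rejected: " + e.getMessage());
        }

        // A private key mistakenly configured as the verification key is refused up front.
        try {
            loadPublicKey("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----");
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

With the loader accepting both PEM forms, a certificate handed over by an application team works without the openssl round-trip. If you still want a bare public key, `openssl x509 -in cert.pem -pubkey -noout` (from the certificate) or `openssl rsa -in private.pem -pubout` (from the private key) both emit a `BEGIN PUBLIC KEY` block. The algorithm whitelist is what stops a token relabelled as `alg: none` from passing; it belongs next to the key load, not in a later policy that might be skipped.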

Thanks for clarifying. Did the extract variables in the shared flow work for you? As per the Apigee docs, extracting from JSONPayload only works when the "Content-Type header is application/json." But in the case of a JWT the header content is not JSON. Any inputs on how this extract variables step can be achieved? Thanks.


Thanks for clarifying. I got this working.