generateJWT policy: How to create JWS with typ=JOSE

Hello,

I am trying to add the below additional header claim in the generateJWT policy:

<AdditionalHeaders>
  <Claim name="typ">JOSE</Claim>
</AdditionalHeaders>

But I am getting error during the deployment saying-

Invalid name for additional header: policy(policyname) header(typ)

I need to update the typ attribute in the header to JOSE.

How can I achieve the same?

1 ACCEPTED SOLUTION

You cannot.

Using the GenerateJWT policy, today, you cannot generate a JWT that includes a header, which itself includes a claim named "typ" with a value that is "JOSE". In fact, when you use GenerateJWT, the "typ" claim is always included in the header, and the value is always "JWT".

Can you explain why you need the typ claim to be different from JWT? The output is, actually, a JWT, so that seems like the right value. The JWT specification says:

   The "typ" (type) Header Parameter defined by [JWS] and [JWE] is used
   by JWT applications to declare the media type [IANA.MediaTypes] of
   this complete JWT.  ...  If present, it is RECOMMENDED that
   its value be "JWT" to indicate that this object is a JWT. 

BTW, if what you want is a JWS, Apigee has the GenerateJWS policy that allows you to generate a JWS with a typ=JOSE header. You can specify anything you like for typ= and cty= in the header, etc.

<GenerateJWS name='gjws-001'>
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="private.key"/>
    <Id ref='private_key_id'/>
  </PrivateKey>
  <Payload ref='variable_holding_payload'/>
  <AdditionalHeaders>
    <Claim name='typ' ref='variable_holding_typ'/>
    <Claim name='cty' ref='variable_holding_cty'/>
  </AdditionalHeaders>
  <OutputVariable>variable-name-here</OutputVariable>
</GenerateJWS>

This is an Open Banking requirement: the typ value should be JOSE in the x-jws-signature.

https://openbanking.atlassian.net/wiki/spaces/DZ/pages/641992418/Read+Write+Data+API+Specification+-...

Refer to the "Process for Signing a Payload" section, where the JSON header can contain the claim typ (an optional field), but if it is present the value should be JOSE.
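To make the distinction concrete, here is an added example (not code from the thread and not Apigee's own) that does by hand what the GenerateJWS policy in the accepted solution does: it builds a compact JWS whose protected header carries typ=JOSE and cty, and then verifies it while applying the Open Banking rule above, so that a token whose header says typ=JWT (as GenerateJWT always emits) is rejected. It assumes HS256 with a shared HMAC secret instead of the RS256 private key used in the policy, purely so that it runs on the Python standard library; the secret, payload and header values are constructed sample data.

```python
"""Added example: JWS compact serialization with a typ=JOSE protected header,
plus a verifier that enforces "typ, if present, must be JOSE".

Assumptions (not from the thread): HS256/HMAC stands in for the policy's RS256
so no third-party library is needed; all secrets and payloads are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: bytes, secret: bytes, header: dict) -> str:
    """Return BASE64URL(header).BASE64URL(payload).BASE64URL(signature).

    'header' supplies the extra protected-header members (typ, cty, ...),
    which is what <AdditionalHeaders> does in the GenerateJWS policy.
    """
    protected = dict(header)
    protected["alg"] = "HS256"  # assumption: HMAC in place of the policy's RS256
    encoded_header = b64url(json.dumps(protected, separators=(",", ":")).encode())
    signing_input = encoded_header + "." + b64url(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_jws(token: str, secret: bytes, required_typ: str = "JOSE") -> dict:
    """Check signature and header; raise ValueError on any problem.

    The typ rule mirrors the Open Banking requirement quoted in the thread:
    the header member is optional, but if present its value must be JOSE.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm before looking at the signature; never trust 'alg' blindly.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    typ = header.get("typ")
    if typ is not None and typ != required_typ:
        raise ValueError(f"typ must be {required_typ!r}, got {typ!r}")
    return {"header": header, "payload": json.loads(b64url_decode(p))}


# Constructed sample data; not real keys or a real Open Banking message.
SECRET = b"constructed-demo-secret-not-for-production"
SAMPLE_PAYLOAD = json.dumps({"Data": {"Initiation": {"Amount": "10.00"}}}).encode()

if __name__ == "__main__":
    jws = sign_jws(SAMPLE_PAYLOAD, SECRET, {"typ": "JOSE", "cty": "application/json"})
    print(jws)
    print(verify_jws(jws, SECRET)["header"])
```

The verifier fixes the expected algorithm before comparing signatures and uses a constant-time comparison; the typ check is deliberately separate from the signature check so that a correctly signed JWT (typ=JWT) still fails the Open Banking profile, which is exactly why the accepted solution steers away from GenerateJWT for this use case.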

ahh, ok, that's helpful. I understand.

The section you referred to specifically deals with signing a JWS, not a JWT. The output is a JWS. With the GenerateJWS policy, you can generate a JWS that complies with that requirement.

Since you don't actually want a JWT, you should not use GenerateJWT.

ok....thanks....

Could you let us know by when can we expect it to be available?

Hi - No I cannot make any predictions or commitments, unfortunately.

I would like to know from you, what your deadlines and timelines are.

Hi @dchiesa1, any update on the JOSE module Encryption/Decryption and Digital-Signature/Digital-Signature-Verification?

Hi babu

I believe the requirements raised here were addressed as part of this release

https://docs.apigee.com/release/notes/190301-apigee-edge-public-cloud-release-notes

(Refer to 117558815)

More information here 

https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/Enhancements-coming-soon-in-JWT-Polic...

What is your specific question? There have been plenty of updates, but none of them have been posted to this thread. So what would you like to know?

This is as per the regulatory guidelines, and that is Mar 2019.

OK, I understand. Thanks.

@nimishamahale, you'll have to use a separate library in order to create a JWS. Using the GenerateJWT policy doesn't let you use a different header with the additional fields that OB requires. GenerateJWT is for tokens, not really for signatures.