can we use variables in verifyJWT policy

I have the VerifyJWT policy config below, where Subject, Issuer and Audience use variables, and it is not working. When I hard-code these values instead of using variables, it works. Am I doing anything wrong? Are variables not supported in the VerifyJWT policy?

<VerifyJWT name="Verify-Okta-Token">
  <DisplayName>Verify Okta Token</DisplayName>
  <Algorithm>RS256</Algorithm>
  <Source>request.header.jwt-token</Source>
  <PublicKey>
    <JWKS ref="cached.nord.jwks"/>
  </PublicKey>
  <Subject>{Subject}</Subject>
  <Issuer>https://abc.oktapreview.com/oauth2/{auth-server-code}</Issuer>
  <Audience>https://abc.oktapreview.com/{Audience}</Audience>
</VerifyJWT>
1 ACCEPTED SOLUTION

Hi Bob!

So nice to see you taking advantage of the community.

The Subject and Issuer elements do not accept Message Templates. They DO accept ref=, same configuration pattern that you have used with the JWKS element. (I've filed documentation feedback to make this clearer in the doc.)

I do empathize with you, over this confusion. Some of the configuration elements accept message templates, and some accept ref= attributes. Sometimes it seems there is no good reason. It's tough to keep them straight. So I appreciate and understand your frustration on this.

Anyway, the correct syntax is like this:

<VerifyJWT name="Verify-Okta-Token">
  <DisplayName>Verify Okta Token</DisplayName>
  <Algorithm>RS256</Algorithm>
  <Source>request.header.jwt-token</Source>
  <PublicKey>
    <JWKS ref="cached.nord.jwks"/>
  </PublicKey>
  <Subject ref='expected_subject'/>
  <Issuer ref='expected_issuer'/>
  <Audience ref='expected_audience'/>
</VerifyJWT>

If you want to verify that the issuer and the audience match a string that is constructed from some other variable, then you will need to precede that policy in the flow with an AssignMessage/AssignVariable like this:

<AssignMessage name='AV-ConstructedVariables'>
  <AssignVariable>
    <Name>expected_issuer</Name>
    <Template>https://abc.oktapreview.com/oauth2/{auth-server-code}</Template>
  </AssignVariable>
  <AssignVariable>
    <Name>expected_audience</Name>
    <Template>https://abc.oktapreview.com/{Audience}</Template>
  </AssignVariable>
</AssignMessage>

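As an added illustration (not code from the thread or from Apigee), the following Python models what the two policies in the answer do: AssignVariable expands the message templates from flow variables, and VerifyJWT compares the resolved ref= values exactly against the token's sub, iss and aud claims, which is why literal "{Subject}" text in an element body can never match a real subject. The flow-variable names and values are constructed for the example; RS256/JWKS signature verification is assumed to have already succeeded, and the treatment of unset variables and of aud arrays is an assumption of this model.

```python
import base64
import json
import re

# Constructed flow-variable context standing in for Apigee flow variables;
# the names and values are assumptions for this example, not from the thread.
FLOW_VARS = {"auth-server-code": "ausXYZ", "Audience": "api",
             "Subject": "user@example.com"}

def expand_template(template: str, ctx: dict) -> str:
    """Model of an AssignVariable <Template>: replace {name} with the flow
    variable's value (an unset variable is modelled as the empty string)."""
    return re.sub(r"\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), template)

def assign_variables(ctx: dict) -> dict:
    """Model of the AV-ConstructedVariables policy from the accepted answer."""
    ctx = dict(ctx)
    ctx["expected_subject"] = ctx["Subject"]
    ctx["expected_issuer"] = expand_template(
        "https://abc.oktapreview.com/oauth2/{auth-server-code}", ctx)
    ctx["expected_audience"] = expand_template(
        "https://abc.oktapreview.com/{Audience}", ctx)
    return ctx

def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; RS256/JWKS signature verification is
    assumed to have passed already, as the PublicKey element requires."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def verify_claims(claims: dict, subject: str, issuer: str, audience: str) -> bool:
    """Exact-match checks as VerifyJWT applies them: sub and iss must equal the
    expected strings; aud may be a string or a list and must contain audience."""
    aud = claims.get("aud", [])
    aud_list = aud if isinstance(aud, list) else [aud]
    return (claims.get("sub") == subject and claims.get("iss") == issuer
            and audience in aud_list)

def check_with_refs(token: str, ctx: dict) -> bool:
    """ref='expected_*' resolves each variable's value before comparing."""
    ctx = assign_variables(ctx)
    return verify_claims(jwt_claims(token), ctx["expected_subject"],
                         ctx["expected_issuer"], ctx["expected_audience"])

def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (header.payload.placeholder)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.sig"
```

Calling verify_claims with the original policy's literal element text ("{Subject}" and the brace-bearing URLs) returns False for any real token, while check_with_refs returns True only when the resolved issuer and audience match.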
Thank you @Dino-at-Google