verify JWT public key hard code in the configuration.

Can I give a hard-coded public key in the Verify JWT policy configuration to verify the JWT token given in the request header?

I have tried giving the hard-coded key between

<PublicKey> <JWKS> { "keys": [ { --my key goes here-- }] }


and I have given the source of the token as,

<Source>request.header.authorization</Source>

but I am getting the following error:

{"fault":{"faultstring":"Failed to Decode Token: policy(Verify-JWT-1)","detail":{"errorcode":"steps.jwt.FailedToDecode"}}}


There is no need to mention the Source element if you are passing token in request.header.authorization.

By default, the JWT is retrieved from the variable request.header.authorization. In this case, Edge looks for the JWT in the request Authorization header. If you pass the JWT in the Authorization header, you do not need to include the Source element in the policy; however, you must include Bearer in the auth header.

Remove the Source element and check.

Can you show me the format of the "hard coded key" that you include in the configuration like this:

<PublicKey> <JWKS> { "keys": [ { --my key goes here-- }] }

Instead of showing me that half config with "my key goes here", show the actual config, from the open PublicKey element to the closing PublicKey element, including the serialized form of the public key.

The key that you provide in "my key goes here" - what does it look like? In what form is it encoded?

Typically the public key is PEM-encoded, but in some cases it uses the JWKS format. For the latter, your configuration should look something like this:

  <PublicKey>
    <JWKS ref='jwks_payload'/>
  </PublicKey>

...and the context variable 'jwks_payload' should contain a JSON value containing something like this:

{
 "keys": [
    {
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "kid": "pubkey1",
      "n": "7Wb9p0wqUwq5ZIpUG0-MgKwidb0TXeEVi86bhhoaHwzuwZPdrZLanBCQCxp2gzp5WxW3huO91P89fXaX4IPqLWZn_s9aLxJk-ZiMfSrc49mJH99pZ4_eHA9LyGNVvQ1Yj6WIrdQIMBypwyWTYqOBLsQp6Ouo7K0t5c0XhKJUDuebdRx9WM7PSXVXr-u8BwL3-BW03lHp4tFgZhYae16mMV3DNlgHuBAusB6tQZT4yrn_lPhueTf2ie7pz2OVdjT9C5fZ-vRA23tvanusyP5j9zMGKR5sMSnPijwOLiOBPuMWcsFiLeL-LY3uV0Ii5mtIbS78UUVmncrin_6u9Es1Aw",
      "e": "AQAB"
    },
...
 ]
}

Or, you can omit the context variable, and actually hard-code the JSON into the XML configuration, like this:

<PublicKey>
  <JWKS>{
       "keys": [
          {
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "kid": "pubkey1",
            "n": "7Wb9p0wqUwq5ZIpUG0-MgKwidb0TXeEVi86bhhoaHwzuwZPdrZLanBCQCxp2gzp5WxW3huO91P89fXaX4IPqLWZn_s9aLxJk-ZiMfSrc49mJH99pZ4_eHA9LyGNVvQ1Yj6WIrdQIMBypwyWTYqOBLsQp6Ouo7K0t5c0XhKJUDuebdRx9WM7PSXVXr-u8BwL3-BW03lHp4tFgZhYae16mMV3DNlgHuBAusB6tQZT4yrn_lPhueTf2ie7pz2OVdjT9C5fZ-vRA23tvanusyP5j9zMGKR5sMSnPijwOLiOBPuMWcsFiLeL-LY3uV0Ii5mtIbS78UUVmncrin_6u9Es1Aw",
            "e": "AQAB"
          },
          {
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "kid": "7317d9351d5a8108beba641105315f2e19eca999",
            "n": "rcI_TfiTimIjyxKzgIRLaa2z_ctkO5qGsYFu9LVTUVY-lpnGGrPTcsowlpU4n-YyeH9XYlvgU5fZMmf4cdiWaORGoPSz6D1lRfYUAux2L3XaA967k-QFMbnaMPiZTR715eDPRNoJwdDgZJPU50QjBm0GES1728UC7_DIIjwuSyE-S84UJYWBG2KEtZHtWlfcfQBnoE-FnSriUzfK3Xy9YpmjhfUTsD6VvpuDBxORB5t77r50FhLDaZ6ApJWxtQ5wu4U8IL8Jbe0i0WyTBwEsUTwH1eo1-HuR_wJHd4-hi39o_1qXN3uRWxOlQa1BqmS1A0_OqVfwxMVI209jbdGE8Q",
            "e": "AQAB"
          },
          {
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "kid": "3d859561819c670c8349198f41ce12037eafbc86",
            "n": "2EYSTmhFFEkaOEz7DDjyREUxUnDtBP23FNIPU3pJ00UF_Q6hlshqZ4kHugBmM67Gx0XkRPpgTmMXGIxFEtL5hqe2Igh1E6fAXPBTjip7nJES0FwB41j8clbytl3-nR1p-19aWPNUiq5URLuK1UNjkSXBtLCuJDE-_KN22uG-8L1fmAZDDRwKTEONehJ4CkVCud19zJz0lXSIOZtSao_PS7UY9z0uShe5PmXD5xRKK99WPD3oJtBigQfcLnj7uAqKQXHJr8suUs8C8p_Qa0aQPKVJ5tidzXDHBSsU3CXwlXP8h55m0oQDKjtpLW4eVvNqZyZ9rJ3Zg1eH55bPCX7gwQ",
            "e": "AQAB"
          }
        ]
}</JWKS>
</PublicKey>

Is that what you have?

For PEM-encoded keys, you would have something like this:

  <PublicKey>
    <Value ref='public_key_pem'/>
  </PublicKey>

or,

  <PublicKey>
    <Value>
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq/c4uCIU3UVFy7ezonkJ
      WVp2HkyZutia5Vg3T6lnWMySLeux34pWEiQdnNomWJvxY1wUc3PDUD8m4dF86Lvd
      Vr9dXisYtWpoaxy+nLGWmkSXv3pv77OfpEmaESbDEN4NlrQQsqnHH21fr8IQGp1e
      IetYOcUkBl97QXETV7fS5gSM2PuqMh7PNKeQot9LAf+0ANLzpCXa7Tx26TXoib2C
      RG5wD2+JDp3wlQtDTmNaHDgz7GDB1HsLYLY+JEFEi0hPY0zzUwxoH8UTlQmHHHWy
      5ewmAAQZ3yasIG0csDM38nKSHcZJMorg3tcJzO/7RS+a/sU8oEJWLkUcGawM33cc
      CQIDAQAB
      -----END PUBLIC KEY-----
    </Value>
  </PublicKey>
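Added example, not part of this thread and not the Apigee policy's own code: a stdlib-only Python script that does what the two replies above describe the Verify-JWT policy as doing. It takes the Authorization header, requires the Bearer scheme (the point of the first reply), decodes the three token segments, selects the JWK from a hard-coded JWKS by kid, and checks the RS256 signature against that key's n and e (the JWKS shape shown in the second reply). The function names, the 1024-bit demo key pair and its toy prime generator are assumptions for illustration only; a real key comes from openssl or a KMS, and a real proxy uses the policy, not this script.

```python
# Added example, not from the thread: stdlib-only model of what Verify-JWT does with a
# hard-coded JWKS. Function names and the 1024-bit demo key pair are assumptions.
import base64, hashlib, hmac, json, math, random

# DER prefix of the SHA-256 DigestInfo used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin after a little trial division; fine for demo keys, not for real ones.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024, e: int = 65537) -> dict:
    """Demo-only RSA key pair; real keys come from openssl or a KMS, not from here."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _octet_len(x: int) -> int:
    return (x.bit_length() + 7) // 8

def to_jwk(key: dict, kid: str) -> dict:
    """Public half as a JWK entry with the same fields as the JWKS in the reply above."""
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": b64url_encode(key["n"].to_bytes(_octet_len(key["n"]), "big")),
            "e": b64url_encode(key["e"].to_bytes(_octet_len(key["e"]), "big"))}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(claims: dict, key: dict, kid: str) -> str:
    """Issue an RS256 token carrying the kid so the verifier can select the key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    k = _octet_len(key["n"])
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))

def verify_jwt(auth_header: str, jwks: dict):
    """Strip 'Bearer ', decode, pick the JWK by kid, check RS256. Returns (ok, claims|reason)."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False, "Authorization header is not 'Bearer <token>'"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "FailedToDecode: token does not have three segments"
    try:
        header = json.loads(b64url_decode(parts[0]))
        sig = b64url_decode(parts[2])
    except ValueError:
        return False, "FailedToDecode: segment is not base64url-encoded JSON"
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # token never picks alg
        return False, "unexpected alg"
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "no JWK with a matching kid"
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = _octet_len(n)
    if len(sig) != k:
        return False, "signature length does not match the key"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15((parts[0] + "." + parts[1]).encode(), k)
    if not hmac.compare_digest(em, expected):
        return False, "signature mismatch"
    return True, json.loads(b64url_decode(parts[1]))
```

To try it: `key = generate_rsa_key()`, `jwks = {"keys": [to_jwk(key, "pubkey1")]}` gives the JSON you would paste between `<JWKS>` and `</JWKS>`, `token = sign_jwt({"sub": "alice"}, key, "pubkey1")` issues a token, and `verify_jwt("Bearer " + token, jwks)` returns the claims. Passing the bare token without the `Bearer` scheme, a token whose kid is not in the JWKS, or a token signed by a different key all return `False` with the reason, which is the same distinction the policy draws when it reports `steps.jwt.FailedToDecode` versus a verification failure.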