Generate JWT policy in Shared Flow

nikhilchawla
Participant III

Hi,

I'm trying the GenerateJWT policy in a shared flow and getting error 500 with the message below:

{"fault":{"faultstring":"Generation Failed","detail":{"errorcode":"steps.jwt.GenerationFailed"}}}

This information does not tell much about the issue.

Thanks


nikhilchawla
Participant III

@Dino @Kurt Googler Kanaskie Any idea about this error? It looks like a generic error which does not give much information.

Thanks

Yes, I think that error is ... the payload that is sent back to the caller. That payload is not intended to communicate much information. Some people might say that even sending back the information that "JWT Generation failed" is too much information.

In any case the response payload is not intended to be the sole or main source of information for diagnosing problems with your proxy.

If I were diagnosing this I would turn on Tracing and run the request again, then highlight the JWT policy that is failing, and see what the error message indicates. It will be more detailed than what gets sent back in the message payload to the caller.

BTW this same diagnosis technique applies to faults thrown by any policy.

Good luck!

Even the Trace is not helping much.

(screenshot attached: jwt-failure.png)

Hmmm, I see what you mean.

Looking into this further, there is a case in which an error can occur and there is no good diagnostic information provided. We may have to infer the error by further testing.

What's the policy look like?

The policy looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="JWT-Generate-JWT-For-SF">
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.sf_jwt_private_key"/>
    </PrivateKey>
    <Subject ref="authorize.username"/>
    <Issuer ref="sf_client_id"/>
    <Audience ref="sf_jwt_audience"/>
    <ExpiresIn ref="sf_jwt_expiry_time_in_hours"/>
    <OutputVariable>jwttoken</OutputVariable>
    <DisplayName>JWT Generate JWT For SF</DisplayName>
</GenerateJWT>

I can see in the trace that all values look fine.

Thanks

Sorry about the trouble. Best I can suggest is for you to try various combinations of configuration to see if you can pinpoint the problem.

For example create a policy exactly like the one you showed, but eliminate the Subject element. Does it succeed?

Then try removing the Issuer.

Then the Audience.

Then ExpiresIn.

If none of these work, then remove them all...

Can you sign an "empty" token with the private key? (The private key should be at least 2048 bits)

Is it possible that your private key is not in the correct form or is password protected (encrypted)? In which case you must provide a password in order to use the key.

Is the private key in PEM (PKCS#8) format?

I've raised a bug to provide more information in this failure scenario.

b/126240341

nikhilchawla
Participant III

Thanks @Dino

I'm able to solve the issue. JWT expiry time was set to 1H instead of 1h.

Thanks for your help.
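As an added example (not code from this thread, from Apigee or from the poster's proxy), the pre-flight checks Dino lists above and the ExpiresIn case-sensitivity that turned out to be the cause, carried out in Go with only the standard library, so the opaque steps.jwt.GenerationFailed becomes a readable error before the policy ever runs. The ExpiresIn grammar (digits followed by a lowercase s, m, h or d) and the claim names are assumptions modelled on the policy in the thread; the 2048-bit RSA key is generated at runtime as a stand-in for the key the policy reads from private.sf_jwt_private_key, and the subject, issuer and audience values are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// ExpiresIn grammar assumed from the thread: digits followed by a lowercase unit
// s, m, h or d. The uppercase "1H" that broke the poster's policy fails here with
// a readable error instead of an opaque steps.jwt.GenerationFailed.
var expiresInRe = regexp.MustCompile(`^(\d+)([smhd])$`)

func ParseExpiresIn(v string) (time.Duration, error) {
	m := expiresInRe.FindStringSubmatch(v)
	if m == nil {
		return 0, fmt.Errorf("ExpiresIn %q: want <digits><unit>, unit one of s/m/h/d (case-sensitive)", v)
	}
	n, err := strconv.Atoi(m[1])
	if err != nil {
		return 0, err
	}
	units := map[string]time.Duration{"s": time.Second, "m": time.Minute, "h": time.Hour, "d": 24 * time.Hour}
	return time.Duration(n) * units[m[2]], nil
}

// LoadPrivateKey decodes the PEM the policy reads through its private.* variable
// and reports the conditions Dino listed: encrypted key, a PEM block that is not
// PKCS#8, a non-RSA key, or a modulus shorter than 2048 bits.
func LoadPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type == "ENCRYPTED PRIVATE KEY" || block.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return nil, errors.New("private key is encrypted: supply the password or store an unencrypted PKCS#8 key")
	}
	if block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("PEM type %q: expected an unencrypted PKCS#8 \"PRIVATE KEY\" block", block.Type)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("PKCS#8 key is not RSA; RS256 needs an RSA key")
	}
	if bits := key.N.BitLen(); bits < 2048 {
		return nil, fmt.Errorf("RSA key is %d bits; need at least 2048", bits)
	}
	return key, nil
}

// GenerateRS256 sets the claims the policy sets (iss, sub, aud, exp) plus iat and
// signs the compact JWT with RSASSA-PKCS1-v1_5 over SHA-256, which is what RS256 means.
func GenerateRS256(key *rsa.PrivateKey, iss, sub, aud, expiresIn string, now time.Time) (string, error) {
	ttl, err := ParseExpiresIn(expiresIn)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": iss, "sub": sub, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

func main() {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for private.sf_jwt_private_key
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	key, err := LoadPrivateKey(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	if err != nil {
		panic(err)
	}
	for _, ttl := range []string{"1H", "1h"} { // "1H" is the value that failed in the thread
		tok, err := GenerateRS256(key, "sf_client_id", "alice", "sf_jwt_audience", ttl, time.Now())
		fmt.Printf("ExpiresIn=%s err=%v token=%.40s\n", ttl, err, tok)
	}
}
```

Running it prints an error for "1H" and a signed token for "1h". The same three checks (duration syntax, key format and encryption, key size) are the ones worth running against the KVM entry and the flow variables before deploying the shared flow, since the runtime fault payload deliberately hides which of them failed.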

Glad to help. Sorry it was so opaque. It should have been easier!