Generate JWT Token Policy returning Error

Hi,

When I try to generate the JWT token using the policy below, I get the following error at runtime. Is the x5c header supported when using the default JWT policy for RS256?

{
    "fault": {
        "faultstring": "Invalid name for additional header: policy(JWT-Generate-ICS) header(x5c)",
        "detail": {
            "errorcode": "steps.jwt.InvalidNameForAdditionalHeader"
        }
    }
}

Policy:

<GenerateJWT name="JWT-Generate-ICS"> 
  <DisplayName>JWT-Generate-ICS</DisplayName> 
  <Algorithm>RS256</Algorithm> 
  <PrivateKey> 
    <Value ref="private.privatekey"/> 
    <Password ref="private.privatekeypwd"/> 
  </PrivateKey> 
  <Issuer>urn://apigee-edge-JWT-policy-test</Issuer> 
  <ExpiresIn>8h</ExpiresIn> 
  <AdditionalHeaders> 
    <Claim name="merchant-id" ref="merchInfo.merchantId "/> 
    <Claim name="x5c" ref="private.publiccert"/> 
  </AdditionalHeaders> 
  <AdditionalClaims> 
    <Claim name="digest" ref="hash_hash-b64"/> 
    <Claim name="digestAlgorithm" type="string">SHA-256</Claim> 
  </AdditionalClaims> 
  <OutputVariable>jwt-token</OutputVariable> 
</GenerateJWT>

Thanks in Advance. SM


Yes; currently, setting x5c is not supported by the GenerateJWT policy.

I've added a feature request, ref: b/137861397

Thanks Dino.

Do we need to update the documentation as well? The resolution given on this page shows a policy that has the x5c claim in it, but that very same policy is not working for me.

https://docs.apigee.com/api-platform/troubleshoot/policies/deployment/generate-JWT-deployment-errors

Resolution

Do not use the standard JWT headers alg or typ in the child element <Claim> of the <AdditionalHeaders> element.

To correct the example Generate JWT policy shown above, use the name x5c in the child element <Claim> of the <AdditionalHeaders> element:

<GenerateJWT name="JWT-Generate-HS256">
  <DisplayName>JWT Generate HS256</DisplayName>
  <Algorithm>HS256</Algorithm>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <SecretKey>
    <Value ref="private.secretkey"/>
    <Id>1918290</Id>
  </SecretKey>
  <ExpiresIn>1h</ExpiresIn>
  <Subject>monty-pythons-flying-circus</Subject>
  <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>
  <Audience>fans</Audience>
  <Id/>
  <AdditionalHeaders>
    <Claim name='x5c'/>
  </AdditionalHeaders>
</GenerateJWT>
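A pre-deployment lint for GenerateJWT policy XML, added here as an example and not code from Apigee or from anyone in this thread. It flags the `<AdditionalHeaders>` names the thread says the policy rejects with `steps.jwt.InvalidNameForAdditionalHeader` (the standard headers alg/typ from the docs, and x5c per the reply above) and also catches stray whitespace inside `ref` values like the one in the original policy; the sample policy is a constructed, abbreviated copy of the question's.

```python
"""Lint an Apigee GenerateJWT policy before deploying it (added example)."""
import xml.etree.ElementTree as ET

# Standard JWT headers that GenerateJWT sets itself; the docs say not to add them.
RESERVED_HEADERS = {"alg", "typ"}
# Header names the policy does not currently accept (per the reply in this thread).
UNSUPPORTED_HEADERS = {"x5c"}

# Constructed sample: the policy from the question, abbreviated to the relevant parts.
SAMPLE_POLICY = """<GenerateJWT name="JWT-Generate-ICS">
  <Algorithm>RS256</Algorithm>
  <AdditionalHeaders>
    <Claim name="merchant-id" ref="merchInfo.merchantId "/>
    <Claim name="x5c" ref="private.publiccert"/>
  </AdditionalHeaders>
  <AdditionalClaims>
    <Claim name="digest" ref="hash_hash-b64"/>
  </AdditionalClaims>
</GenerateJWT>"""


def lint_generate_jwt(policy_xml: str) -> list:
    """Return a list of findings; an empty list means nothing on our checklist was hit."""
    root = ET.fromstring(policy_xml)
    if root.tag != "GenerateJWT":
        return [f"not a GenerateJWT policy (root is <{root.tag}>)"]
    name = root.get("name", "?")
    findings = []
    # Header names that would fail with steps.jwt.InvalidNameForAdditionalHeader.
    for claim in root.findall("./AdditionalHeaders/Claim"):
        hdr = claim.get("name", "")
        if hdr in RESERVED_HEADERS:
            findings.append(f"policy({name}) header({hdr}): standard JWT header, "
                            "must not be set via AdditionalHeaders")
        elif hdr in UNSUPPORTED_HEADERS:
            findings.append(f"policy({name}) header({hdr}): not supported by "
                            "GenerateJWT, raises InvalidNameForAdditionalHeader")
    # A ref with surrounding whitespace names a variable that will never resolve.
    for claim in root.iter("Claim"):
        ref = claim.get("ref")
        if ref is not None and ref != ref.strip():
            findings.append(f"policy({name}) claim({claim.get('name')}): "
                            f"ref {ref!r} contains surrounding whitespace")
    return findings


if __name__ == "__main__":
    for finding in lint_generate_jwt(SAMPLE_POLICY):
        print(finding)
```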