Firebase auth checking with verify-jwt

thomas
New Member

Hello, I'm trying to validate Firebase tokens with the Verify-JWT policy and don't know why I'm getting the error "Failed to parse key: policy(Verify-JWT-1)".


At the browser I get the token using:

fb.auth().currentUser.getIdToken()


and hardcoded the JavaScript policy that sets the user token and the Google public keys:

context.setVariable("jwt-variable", ...)

// the contents of https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com

context.setVariable("public.jwks", {
  "keys": [
    {...


Finally, the JWT policy:

<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
    <Algorithm>RS256</Algorithm>
    <Source>jwt-variable</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS ref="public.jwks"/>
    </PublicKey>
</VerifyJWT>


Thanks.

ACCEPTED SOLUTION

I tried your example on my current organization and it works successfully.

I also performed some additional tests on your trial organization, and encountered the same error you reported. Apparently your org does not have the update that allows it to retrieve from the JWKS URI.

Unfortunately, I don't know when that trial organization will be updated.

I will check.


Update. The release engineers tell me that your pod will be updated soon, hoping for tomorrow.


Maybe try

context.setVariable("public.jwks", JSON.stringify({"keys":[{... ) );

In other words, public.jwks should be a string.

But, with VerifyJWT you should be able to specify the URL for the JWKS directly. It looks like this:

<VerifyJWT name="Verify-JWT-1">
    <Algorithm>RS256</Algorithm>
    <Source>jwt-variable</Source>
    <PublicKey>
        <JWKS uri="https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"/>
    </PublicKey>
    <Issuer>whatever-the-firebase-issuer-is</Issuer>
</VerifyJWT>

This will GET the URI at runtime and it eliminates the need to specify the JWKS in your JS Script and set it into "public.jwks".

Now it's working with the hardcoded token; replacing that with "uri mode" I get the following:

policy(java.lang.NullPointerException)

Can you show me your exact policy configuration please?

Do you have an example JWT you can share with me also? (Expired is ok)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-User">
    <Algorithm>RS256</Algorithm>
    <Source>jwt-variable</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <!--<JWKS uri="https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"/>-->
        <JWKS ref="public.jwks"/>
        <Issuer>https://securetoken.google.com/audfacil</Issuer>
    </PublicKey>
</VerifyJWT>

^ Uncommenting the uri line and commenting out the ref line returns NullPointerException.

jwt:


One thing: the <Issuer> needs to be outside the <PublicKey> element.

Like this:

<VerifyJWT name='VerifyJWT-1'>
    <Algorithm>RS256</Algorithm>
    <Source>jwt-variable</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
      <JWKS uri="https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"/>
      <!-- <JWKS ref="public.jwks"/> -->
    </PublicKey>
    <TimeAllowance>3650d</TimeAllowance>
    <Issuer>https://securetoken.google.com/audfacil</Issuer>
</VerifyJWT>

When I did it this way, it worked. I had to include the TimeAllowance, to ignore the fact that the JWT is expired.

Are you sure your jwt-variable is set?

Are you running in the Apigee Edge public cloud? (OPDK does not yet have this feature; wait till 19.06.)

Yes, even after fixing the issuer variable the error persists: video


No problem. I think the first advantage we can take from Apigee here is removing the authorization code from each microservice; if it works for a non-sandbox account, that's fine. Thank you very much.