PS256 - is the JWT validation policy working when generating a JWS from JWT.IO website?

JWT Validation is working for PS256 when we generate a signed JWT using Node's jsonwebtoken npm package.

However, if you use the same private keys and JWT header/payloads via the JWT.IO website, the signature validation policy now fails?!

Has anyone else noticed this?


I think you're saying... that the jwt.io website is not verifying a signature that is apparently valid.

If that's the case then I think you should be posting to the owners of the jwt.io website.

If I am mistaken, then please correct me.


Update

Which JWT signing PS256 libraries have been tested against the Apigee PS256 JWT validator policy?

All of them?

The algorithm is standard and pretty straightforward and well-known, and the libraries don't vary in their output. I've never seen incompatibility among released JWT libraries. If your signatures don't verify, then you have got something else wrong. It is highly unlikely to be due to an incompatibility in the respective libraries, in my opinion.

Please try the JWT.IO web based signing tool as this a pretty common tool used throughout the industry.

I just tried generating a JWT using algorithm=PS256 in jwt.io, and then verifying that JWT in Apigee Edge using VerifyJWT, and it works. I have a quick screencast showing what I did and the result.

https://www.youtube.com/watch?v=VqRGyof4CGA


Also, I tried the webpage at azurewebsites.net that you cited. Maybe that page is yours? The JWT that gets generated there seems to be in error. The header of the JWT generated from that website decodes to this:

{
  "alg": "PS256",
  "kid": null,
  "typ": "JWT"
}

That's not valid. The kid is optional in the header, but if it is present it must not be null. It must be a case-sensitive string. See RFC 7515, section 4.1.4.


And the Apigee Edge VerifyJWT policy correctly rejects the JWT with a null kid.
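The rejection described above is a structural check that a verifier performs before it ever looks at the signature. The following is an added example, not code from the thread or from Apigee: it parses the protected header of a compact JWS with nothing but Node's built-in Buffer and applies the RFC 7515 rule that "kid", when present, must be a non-empty string, so the `"kid": null` header from the generator website is rejected while a header with no kid at all passes. The function name `checkJwsHeader` and the sample tokens (with placeholder payload and signature segments) are constructed for this example.

```javascript
// Added example: strict protected-header checks for a compact JWS (header.payload.signature).
// RFC 7515 section 4.1.4: "kid" is OPTIONAL, but when present it MUST be a case-sensitive string.
// A JSON null is therefore a malformed header, not an absent kid.

// Decode one base64url segment into a UTF-8 string.
function b64urlDecode(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Encode an object as a base64url JSON segment (used here only to build sample tokens).
function b64urlEncodeJson(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
}

// Parse and check the protected header. Returns { ok, reason, header }.
// Signature verification is a separate, later step; this only decides whether
// the header is well-formed and uses the algorithm the verifier was configured for.
function checkJwsHeader(token, expectedAlg) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { ok: false, reason: 'compact JWS must have exactly three segments' };
  }
  let header;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
  } catch (e) {
    return { ok: false, reason: 'protected header is not valid JSON' };
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    return { ok: false, reason: 'protected header must be a JSON object' };
  }
  // Pin the algorithm the policy expects; the token never gets to choose it.
  if (header.alg !== expectedAlg) {
    return { ok: false, reason: `alg must be ${expectedAlg}, got ${String(header.alg)}`, header };
  }
  // kid is optional, but if the member exists it must be a non-empty string.
  if ('kid' in header && (typeof header.kid !== 'string' || header.kid.length === 0)) {
    return { ok: false, reason: 'kid is present but is not a non-empty string', header };
  }
  return { ok: true, reason: 'header is well-formed', header };
}

// Constructed sample tokens: the payload and signature segments are placeholders,
// since only the header matters for this check.
const payloadSeg = b64urlEncodeJson({ sub: 'example', iat: 1565800000 });
const fakeSig = 'c2lnbmF0dXJl'; // constructed placeholder, not a real signature

// The header as decoded from the generator website quoted in the thread.
const tokenNullKid = `${b64urlEncodeJson({ alg: 'PS256', kid: null, typ: 'JWT' })}.${payloadSeg}.${fakeSig}`;
// A header with kid simply absent, as jwt.io produced.
const tokenNoKid = `${b64urlEncodeJson({ alg: 'PS256', typ: 'JWT' })}.${payloadSeg}.${fakeSig}`;
// A header with a proper string kid, as a JWKS-based verifier would want.
const tokenStringKid = `${b64urlEncodeJson({ alg: 'PS256', kid: 'key-2019-08', typ: 'JWT' })}.${payloadSeg}.${fakeSig}`;

for (const t of [tokenNullKid, tokenNoKid, tokenStringKid]) {
  const r = checkJwsHeader(t, 'PS256');
  console.log(r.ok ? 'accept' : 'reject', '-', r.reason);
}
```

Run it with `node` and the first token is rejected for its null kid while the other two pass the header stage; whether they then verify is up to the signature check against the right public key.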

Thanks for quick reply Dino, apologies for badly worded question.

If only that were the issue... unfortunately what I mean is the JWT validator policy isn't approving the signature of a JWS created using JWT.IO. However, if it's created in another library such as Node's jsonwebtoken npm package, then the JWT validator policy approves it. Odd, but I have tried other libraries with similar issues.

The obvious conclusion could be that not all PS256 JWT signing libraries are created equally! 🙂 How to spot this, though, when they have been tested and flagged for PS256 support?

Just wanted to know if anyone else here has experienced this....

To replicate, please use a JWT validator policy with the PS256 algorithm and provide the corresponding JWT signed from different libraries. Please try the JWT.IO web-based signing tool, as this is a pretty common tool used throughout the industry.

Have however found this website http://open-banking.azurewebsites.net/Jwt which seems to sign using a different library.

Which JWT signing PS256 libraries have been tested against the Apigee PS256 JWT validator policy?

Hopefully this makes sense.

Thanks for the detailed video, awesome stuff for anyone new to this.

However I have indeed implemented a test proxy like this.

It seems to be a random issue that I'm facing. I don't think it's the Apigee JWT validation policy, however I can't rule it out just yet.

Someone else has witnessed a similar scenario: https://stackoverflow.com/questions/54806097/node-js-signature-verification-ps256-succeeds-in-node-j...

This leads me to think there is something odd about PS256 being incorrectly validated even when you have the correct corresponding public key/cert. It is probabilistic, which after reading about it is a curious thing compared to RS256, which is deterministic.

Try your test again and see about modifying the JWT payload values and signing from jwt.io or that other website without the public key being present; it shouldn't need it anyway, as this should not be required for signing.

You may try on and off for many hours with it working and then "bingo", your latest change to your JWT payload produces a JWT signature failure!?

I know you're thinking well obviously he's doing it wrong. My test, like yours, is very basic; the main difference is I'm using a JWKS.

FYI, as the JWT you generated didn't have a kid, that other website seems to add it by default. It won't break the signing check though, as that kid is only valid for validation using a JWKS endpoint in the policy. Could you try that?

My JWKS structure looks like this below; please populate the fields with your own self-signed public cert values.

{
  "keys": [
    {
      "kty": "RSA",
      "n": "",
      "e": "AQAB",
      "kid": "",
      "x5t": "",
      "x5c": [
        ""
      ]
    }
  ]
}

Thanks Dino, I know this is a big ask.

Hi, I've read your message, and I understand you're seeing intermittent failures in VerifyJWT on PS256-signed tokens, and you don't understand why. Unfortunately I am not clear on exactly what you're trying and what might be the cause. I understand there is a JWKS, and there are failures, but

  • you haven't shown me a sample JWT
  • you haven't shown me the VerifyJWT policy configuration you're using.

There IS a known problem with VerifyJWT if you use the new <JWKS uri='' /> to specify the JWKS URI. In particular, if the JWKS URI returns a JWK that contains an x5t or x5c, then that policy configuration will fail. This is a known problem and there is a fix being made, but it's not available in the cloud yet. The way to avoid the problem is to use a ServiceCallout to retrieve the JWKS and specify the configuration as <JWKS ref='foo'/>.

Unfortunately I don't know if this is the problem you're experiencing, since you haven't shown your VerifyJWT policy. You also cited a Stack Overflow article, but that article indicates that the jwt.io website is not behaving consistently. Again, if the problem is that jwt.io is not verifying a token, then you should be raising that issue with jwt.io, not with us.

You saw my step-by-step screencast; maybe you could produce something similar showing me what you're doing to lead to the failure? Either that, or provide a very meticulous step-by-step list of instructions for how I can reproduce what you're doing.

BTW there is a public test JWKS endpoint you can use during development, located at https://jwks-service.appspot.com/

Thanks Dino, I am trying to duplicate the issue, but like I said it seems a bit random. Hoping it's an "oh I was doing something silly" moment.

Thanks for the info about that known issue.

I can share the JWT validation policy sample I'm using:

<VerifyJWT name="JWT-ValidateJwtSignature" continueOnError="false">
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Algorithm>PS256</Algorithm>
  <TimeAllowance>120s</TimeAllowance>
  <Source>request.content</Source>
  <PublicKey>
    <JWKS ref="custom.jwksResponse.content"/>
  </PublicKey>
</VerifyJWT>

The custom.jwksResponse.content variable is using the JWKS structure I shared before.

Will try using that JWKS generator.

Thanks again.

EDIT: even though I can't provide a sample project yet, I believe the issue is related to swapping between two different private keys when signing JWTs, then using the existing public key/cert/jwks in the JWT validation policy.