Verify JWT token by using the public key via url

Former Community Member

Are there any examples or steps that could be provided to validate a JWT token that would be generated externally (Google platform), using a rotatable public key via a URL such as https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

So Apigee would sit in the middle between the consumer and the back-end of the API: the consumer would pass in the externally generated JWT, Apigee validates that token using the URL where the public keys are available, verifies the issuer/expiry/audience etc., and then provides the results.

ACCEPTED SOLUTION

I don't know what you mean by Example, or Steps, but...

The VerifyJWT policy does this. Example configuration.

<VerifyJWT name='VJWT-1'>
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <JWKS uri="https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"/>
  </PublicKey>
  <Issuer>https://accounts.google.com</Issuer>
</VerifyJWT>

Have you tried this? Is there any obstacle? What questions can I answer about verifying a JWT?


REPLIES

Former Community Member

Hi Dino, thanks for the quick response. I did try the suggested approach: basically a simple proxy, and at the PreFlow step I have added the above VerifyJWT step. Google does offer two keys, one listed as public key with the URL pattern

<JWKS uri="https://www.googleapis.com/robot/v1/metadata/x509/account-name@appspot.gserviceaccount.com"/>

<JWKS uri="https://www.googleapis.com/service_accounts/v1/metadata/x509/account-name@appspot.gserviceaccount.com"/>

I did try both of the URLs, and in both cases the error description was very minimal: {"fault":{"faultstring":"NullPointerException","detail":{"errorcode":"Internal Server Error"}}}.

I even tried with another issuer URL from Google, https://securetoken.google.com/<project-name>.

Please advise what I could try. Appreciate your help.

Former Community Member

Hey Dino, I think I made some progress and am still probably having one last issue to get over.

I should have mentioned that I am trying to validate the custom JWT token generated from the Firebase Admin SDK, so the issuer URL was different from the general Google ID token.

Now the VerifyJWT looks something like this:

<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT"> 
  <Algorithm>RS256</Algorithm>
  <Source>request.header.authorization</Source> 
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <JWKS uri="https://www.googleapis.com/service_accounts/v1/metadata/x509/hhp-diginn-automation-dev@appspot.gserviceaccount.com"/>
  <Issuer>https://securetoken.google.com/hhp-diginn-automation-dev</Issuer>
</VerifyJWT>

After this edit I always get: Invalid JWS header: Invalid JSON: Unexpected token �z��&�r#�%%3#Sb' at position 18.

I have another simple Java-based service, which does verify the same token using the GCP public key as well. I know that token is good.

I wasn't very sure how to go from here. Any thoughts?

If anyone wants to get a token:

https://hhp-diginn-automation-dev.appspot.com/v1/token/new and post { "claims": {"role":"user"}, "ltpaToken": "string", "uid": "string" }

This would give a valid custom JWT token.

Appreciate any help in this regard.

Hey Mohan, did you find any solution for this error?

Thanks

Sorry, I missed the followup questions.

Just omit the Source element. Try a configuration like this:

<VerifyJWT name="Verify-JWT"> 
  <Algorithm>RS256</Algorithm>
  <!-- <Source>request.header.authorization</Source>  -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <JWKS uri="https://www.googleapis.com/service_accounts/v1/metadata/x509/hhp-diginn-automation-dev@appspot.gserviceaccount.com"/>
  <Issuer>https://securetoken.google.com/hhp-diginn-automation-dev</Issuer>
</VerifyJWT>

The VerifyJWT policy will automatically extract the JWT from the Authorization header if you don't specify Source. If you DO specify Source, then it should contain a JWT, nothing else. No prefix.
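Added illustration, not code from this thread or from Apigee: a small Python script showing why a Source that still carries the "Bearer " scheme fails at the very first header-parse step (the "Invalid JWS header: Invalid JSON" symptom above), and the issuer/audience/expiry checks the policy applies after the signature check, which the original question asked about. The project name, audience value and sample token are constructed for the demo; RS256 signature verification against the x509 endpoint is left to the policy and not reimplemented here.

```python
import base64
import json

# Constructed sample values; the project name is hypothetical.
PROJECT = "example-project"
ISSUER = f"https://securetoken.google.com/{PROJECT}"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_sample_token(claims: dict) -> str:
    """Compact JWS with a placeholder signature, constructed for the demo only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder"]
    return ".".join(b64url_encode(p) for p in parts)

def extract_jwt(authorization: str) -> str:
    """Strip the 'Bearer ' scheme: Source must hold the bare JWT, no prefix."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Bearer <jwt>'")
    return token.strip()

def header_parses(source_value: str) -> bool:
    """A verifier's first step: decode segment 0 as JSON. With 'Bearer ' still
    in front, that segment decodes to junk bytes (or to an invalid length),
    which is the 'Invalid JWS header: Invalid JSON' symptom seen in the thread."""
    try:
        json.loads(b64url_decode(source_value.split(".")[0]))
        return True
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False

def check_claims(token: str, issuer: str, audience: str, now: float) -> list:
    """Claim checks that follow the signature check: iss, aud, exp.
    RS256 verification against the x509 endpoint is left to the policy."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    if claims.get("aud") != audience:
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems
```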

Hello, it complains about a missing public key element:
Error Saving Revision 6
Missing configuration element : policy(Verify-JWT-Dev) element(PublicKey).