Auth0's JWKS payload contains x5t and x5c properties and when we try to verify a JWT generated by Auth0 the policy fails.
Here is a snippet of our policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="VJ_Verify_JWT_Access_Token">
    <DisplayName>VJ_Verify_JWT_Access_Token</DisplayName>
    <FaultRules/>
    <Properties/>
    <Type>Signed</Type>
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS uri="AUTH0 JWKS URL"/>
    </PublicKey>
    <AdditionalHeaders/>
    <IgnoreCriticalHeaders>false</IgnoreCriticalHeaders>
    <AdditionalClaims/>
    <IgnoreIssuedAt>false</IgnoreIssuedAt>
</VerifyJWT>
Now, if we remove x5t and x5c from the payload by manually generating a mock response of the JWKS payload, my policy doesn't fail.
The error I'm getting is: cannot read JWKS (com.apigee.steps.jwt.verify.SignatureVerificationException)
Can anyone help me?
Thanks
Yes, this is a known bug.
My apologies for the inconvenience. This problem will be fixed in the forthcoming release of Apigee SaaS. (coming soon)
To work around the problem for now, you must use a ServiceCallout to retrieve the JWKS payload from Auth0.
For best performance, you should cache that result. 10-30 minutes ought to be a reasonable cache TTL.
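One way to wire up the workaround described in that answer, as an added example that is not code from the original post or from Apigee's own documentation: a LookupCache policy checks for a cached JWKS, and only on a cache miss a ServiceCallout fetches the JWKS from Auth0, an AssignMessage copies the response body into a flow variable, and a PopulateCache stores it for 15 minutes; VerifyJWT then reads the key set from that variable with `<JWKS ref="..."/>` instead of `uri=`. The policy names (LC_Get_JWKS, SC_Fetch_JWKS, AM_Copy_JWKS, PC_Store_JWKS), the variable names (auth0.jwks, jwksResponse) and the cache key are assumptions chosen for this example; "AUTH0 JWKS URL" is the same placeholder the question uses.

```xml
<!-- Proxy endpoint flow: order matters, the conditional steps only run on a cache miss.
     Policy and variable names are assumptions for this example. -->
<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>LC_Get_JWKS</Name>
        </Step>
        <Step>
            <Condition>lookupcache.LC_Get_JWKS.cachehit = false</Condition>
            <Name>SC_Fetch_JWKS</Name>
        </Step>
        <Step>
            <Condition>lookupcache.LC_Get_JWKS.cachehit = false</Condition>
            <Name>AM_Copy_JWKS</Name>
        </Step>
        <Step>
            <Condition>lookupcache.LC_Get_JWKS.cachehit = false</Condition>
            <Name>PC_Store_JWKS</Name>
        </Step>
        <Step>
            <Name>VJ_Verify_JWT_Access_Token</Name>
        </Step>
    </Request>
</PreFlow>

<!-- 1. Try the cache first; on a hit the JWKS JSON lands in auth0.jwks. -->
<LookupCache async="false" continueOnError="false" enabled="true" name="LC_Get_JWKS">
    <CacheKey>
        <KeyFragment>auth0-jwks</KeyFragment>
    </CacheKey>
    <Scope>Exclusive</Scope>
    <AssignTo>auth0.jwks</AssignTo>
</LookupCache>

<!-- 2. Cache miss: fetch the JWKS document from Auth0 over HTTPS.
     continueOnError="false" means a failed callout raises a fault,
     so the request fails closed instead of being verified against no keys. -->
<ServiceCallout async="false" continueOnError="false" enabled="true" name="SC_Fetch_JWKS">
    <Request variable="jwksRequest">
        <Set>
            <Verb>GET</Verb>
        </Set>
        <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    </Request>
    <Response>jwksResponse</Response>
    <HTTPTargetConnection>
        <URL>AUTH0 JWKS URL</URL>
    </HTTPTargetConnection>
</ServiceCallout>

<!-- 3. Copy the response body (jwksResponse.content) into the same variable
     the cache hit path populates, so VerifyJWT has one place to look. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM_Copy_JWKS">
    <AssignVariable>
        <Name>auth0.jwks</Name>
        <Ref>jwksResponse.content</Ref>
    </AssignVariable>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>

<!-- 4. Store the fetched JWKS; 900 s is in the 10-30 minute range the answer suggests. -->
<PopulateCache async="false" continueOnError="false" enabled="true" name="PC_Store_JWKS">
    <CacheKey>
        <KeyFragment>auth0-jwks</KeyFragment>
    </CacheKey>
    <Scope>Exclusive</Scope>
    <ExpirySettings>
        <TimeoutInSec>900</TimeoutInSec>
    </ExpirySettings>
    <Source>auth0.jwks</Source>
</PopulateCache>

<!-- 5. Same VerifyJWT as in the question, but the key set comes from the
     variable rather than from the JWKS URI. -->
<VerifyJWT async="false" continueOnError="false" enabled="true" name="VJ_Verify_JWT_Access_Token">
    <DisplayName>VJ_Verify_JWT_Access_Token</DisplayName>
    <Type>Signed</Type>
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS ref="auth0.jwks"/>
    </PublicKey>
    <IgnoreCriticalHeaders>false</IgnoreCriticalHeaders>
    <IgnoreIssuedAt>false</IgnoreIssuedAt>
</VerifyJWT>
```

Two points worth keeping in mind with this layout: IgnoreUnresolvedVariables stays false everywhere, so if auth0.jwks is ever empty the VerifyJWT step fails rather than silently accepting a token, and the cache TTL bounds how long a key Auth0 has rotated out keeps being trusted, which is why the answer's 10-30 minute range, not hours, is the sensible setting.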