Verifying Auth0's JWTs using JWKS URL fails

Auth0's JWKS payload contains x5t and x5c properties, and when we try to verify a JWT generated by Auth0 the policy fails.

Here is a snippet of our policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="VJ_Verify_JWT_Access_Token">
    <DisplayName>VJ_Verify_JWT_Access_Token</DisplayName>
    <FaultRules/>
    <Properties/>
    <Type>Signed</Type>
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS uri="AUTH0 JWKS URL"/>
    </PublicKey>
    <AdditionalHeaders/>
    <IgnoreCriticalHeaders>false</IgnoreCriticalHeaders>
    <AdditionalClaims/>
    <IgnoreIssuedAt>false</IgnoreIssuedAt>
</VerifyJWT>

Now, if we remove x5t and x5c from the payload by manually generating a mock response of the JWKS payload, my policy doesn't fail.

The error I'm getting is: cannot read JWKS com.apigee.steps.jwt.verify.SignatureVerificationException

Can anyone help me?

Thanks


Yes, this is a known bug.

My apologies for the inconvenience. This problem will be fixed in the forthcoming release of Apigee SaaS. (coming soon)

To work around the problem for now, you must use a ServiceCallout to retrieve the JWKS payload from auth0.

For best performance, you should cache that result. 10-30 minutes ought to be a reasonable cache TTL.
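The workaround described in the reply, assembled as an added example (not Apigee's or Auth0's own code): the policy names, the cache resource auth0-jwks-cache, the flow variables auth0.jwks and jwksResponse, and the AUTH0_TENANT_DOMAIN placeholder are all assumed, and the step conditions noted in the comments belong in the proxy endpoint flow.

```xml
<!-- 1. Try the cache first. On a hit, auth0.jwks holds the JWKS JSON. -->
<LookupCache name="LC_Auth0_JWKS">
    <CacheResource>auth0-jwks-cache</CacheResource>
    <CacheKey><KeyFragment>auth0-jwks</KeyFragment></CacheKey>
    <AssignTo>auth0.jwks</AssignTo>
</LookupCache>

<!-- 2. On a miss only (flow step condition: lookupcache.LC_Auth0_JWKS.cachehit = false),
     fetch the key set from the Auth0 tenant over HTTPS. -->
<ServiceCallout name="SC_Fetch_Auth0_JWKS">
    <Request variable="jwksRequest">
        <Set><Verb>GET</Verb></Set>
    </Request>
    <Response>jwksResponse</Response>
    <HTTPTargetConnection>
        <URL>https://AUTH0_TENANT_DOMAIN/.well-known/jwks.json</URL>
    </HTTPTargetConnection>
</ServiceCallout>

<!-- 3. Same condition: expose the response body to VerifyJWT, then cache it for 30 minutes. -->
<AssignMessage name="AM_Set_JWKS_Var">
    <AssignVariable>
        <Name>auth0.jwks</Name>
        <Ref>jwksResponse.content</Ref>
    </AssignVariable>
</AssignMessage>

<PopulateCache name="PC_Auth0_JWKS">
    <CacheResource>auth0-jwks-cache</CacheResource>
    <CacheKey><KeyFragment>auth0-jwks</KeyFragment></CacheKey>
    <ExpirySettings><TimeoutInSec>1800</TimeoutInSec></ExpirySettings>
    <Source>auth0.jwks</Source>
</PopulateCache>

<!-- 4. Verify against the fetched key set (JWKS ref) instead of the JWKS uri. -->
<VerifyJWT name="VJ_Verify_JWT_Access_Token">
    <Type>Signed</Type>
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS ref="auth0.jwks"/>
    </PublicKey>
    <IgnoreCriticalHeaders>false</IgnoreCriticalHeaders>
    <IgnoreIssuedAt>false</IgnoreIssuedAt>
</VerifyJWT>
```

The TTL is the trade-off: a key rotated at Auth0 is not seen until the cached entry expires, so keep it within the 10-30 minute range the reply suggests rather than longer.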