SignatureVerificationException during JWT verify in apigee

Hi @Dino

I am trying to verify the JWT token that is generated by Azure AD.

I have the certificate content and claim details like sub, aud, iss for verifying the token.

Below is my configuration in Apigee.

Assigning the certificate content to a variable in the JS file:

  var publicCert = "certificate content";
  context.setVariable("cert", "-----BEGIN CERTIFICATE-----" + publicCert + "-----END CERTIFICATE-----");

Verify JWT configuration:

  <VerifyJWT async="false"
             continueOnError="false" enabled="true" name="Verify-JWT-1"> 
    <DisplayName>Verify JWT-1</DisplayName> 
    <Algorithm>RS256</Algorithm> 
    <PublicKey> 
      <Value ref="cert"/>
    </PublicKey> 
    <Subject>xyz</Subject> 
    <Issuer>https://abcd/</Issuer>
    <Audience>https://efg/</Audience> 
  </VerifyJWT>

Source is not given in the Verify JWT policy because by default the source is taken from the Authorization header.

I am getting the below errors in Apigee. Please help me understand where it is going wrong. Also, I am able to see that all the claims got decoded into flow variables, but this signature verification error is still coming.

  Error Content
  Body
  {"fault":{"faultstring":"Invalid token: policy(Verify-JWT-1)","detail":{"errorcode":"steps.jwt.InvalidToken"}}}
  error.class com.apigee.steps.jwt.verify.SignatureVerificationException

Thanks in advance

@Siddharth Barahalikar ,

1 ACCEPTED SOLUTION

Your single question helped me find the solution, i.e. I tried to verify in jwt.io (there the certificate content is available on the signature), and then I got to know that the certificate content given by the other team is wrong.

Now I took it from jwt.io and it is working fine.

Thanks a lot.



ylesyuk

Can you please confirm that when you use your JWT and your public certificate in jwt.io, it validates?


Hi @Dino-at-Google, @Dino,

Actually my requirement here is that in the incoming JWT token the user details will change for different tokens: for a different user, the subject, claims and audience also get changed.

But to verify the token in Apigee, do I need to hardcode and save all the user-specific subject, audience and claims details for verifying the token, or is there any other approach to do this?

Please give your suggestions.

Subject, Audience, etc. are all optional elements in VerifyJWT.

You do not need to include them, if you don't want to verify them.

  <VerifyJWT name="Verify-JWT-1"> 
    <DisplayName>Verify JWT-1</DisplayName> 
    <Algorithm>RS256</Algorithm> 
    <PublicKey> 
      <Value ref="cert"/>
    </PublicKey> 
  </VerifyJWT>

You may want to verify the issuer - otherwise you don't know who issued the token. But perhaps the certificate verifies the issuer implicitly.