Error in VerifyJWT token

pratysin
Participant IV

Hi Team,

I am trying to validate a JWT token generated by Azure AD. After setting up the policies, I am now facing an issue like the following:

Error Content

Body
{"fault":{"faultstring":"Invalid token: policy(VerifyJWT)","detail":{"errorcode":"steps.jwt.InvalidToken"}}}

Properties

action ABORT
stepDefinition-async false
internal false
stepDefinition-type
type VerifyJWTStepExecution
enforcement request
stepDefinition-continueOnError false
stepDefinition-displayName VerifyJWT
stepDefinition-name VerifyJWT
stepDefinition-enabled true
result false
error Invalid token: policy(VerifyJWT)
type ErrorPoint
state PROXY_REQ_FLOW
error.class com.apigee.steps.jwt.verify.SignatureVerificationException
Identifier fault

Our VerifyJWT Policy looks like as below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="VerifyJWT" enabled="true" continueOnError="false" async="false">
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <Value ref="flow.mhc.pubkey"/>
    </PublicKey>
    <!--<Subject ref="jwt.DecodeJWT.claim.subject"/>-->
    <!--<Issuer ref="jwt.DecodeJWT.claim.issuer"/>-->
    <!--<Audience ref="jwt.DecodeJWT.claim.audience"/>-->
</VerifyJWT>

Thanks

Pratyush

1 ACCEPTED SOLUTION

"Invalid token"

and "com.apigee.steps.jwt.verify.SignatureVerificationException"

indicate that the signature on the token cannot be verified using the key you have provided.

The JWT runtime cannot verify the signature with the given public key. One of these two things is true:

  1. The JWT was signed with a private key that is not paired with the public key you provided. You might call this a "key mismatch" situation. The JWT might be well formed, but it cannot be verified with the key you have.
  2. The JWT signature (third portion of the JWT string) has been modified or corrupted. This is a "corrupt JWT" situation.

It is impossible to determine, from inspection, whether the signature is corrupted, or whether the signature has been made with a private key that does not match your public key. The signature bytes are random, so it is not something you could visually inspect to determine which of the two above is happening.

My recommendation is to check your assumptions about the public key you are using.

If I were troubleshooting this I would try verifying the JWT using a different tool, like this one. You can paste in your JWT and your PEM-encoded public key and try to verify in the browser. The JWT doesn't leave your browser, nor does the public key (not that it matters; public keys are public).

Or you can verify a JWT using custom code in C#, Java, etc. If you get the same kind of error with other tools that you are seeing in the Apigee VerifyJWT policy, that would suggest that the VerifyJWT policy is working correctly. Then it is up to you to determine which of the two above cases - key mismatch or corrupted signature - is leading to the problem.

If you get different results from a different signature verification tool - for example if the online tool verifies the JWT but the Apigee VerifyJWT policy doesn't - then you will need to look more closely at the key and JWT, and the policy configuration to determine why.

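The "verify it with custom code" step the answer recommends, as an added example that is not part of the original thread and not Apigee's or Azure AD's own code. It is written in Go using only the standard library: it loads a PEM-encoded public key (the form you would paste into an online verifier), pins the algorithm to RS256, recomputes SHA-256 over the first two segments and checks the PKCS#1 v1.5 signature. The signing helper, the generated keys and the claims are constructed stand-ins for the identity provider so the program runs offline; the key names, the "example-issuer" value and the error messages are assumptions, not anything from the page. The program exercises the two cases the answer describes, key mismatch and a corrupted signature segment, and shows that both produce the same verification failure:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ErrSignature covers both cases from the answer (unpaired key or altered signature bytes); RSA cannot tell them apart.
var ErrSignature = errors.New("invalid token: signature does not verify (key mismatch or corrupted signature)")

// parsePEMPublicKey loads an RSA key from a "-----BEGIN PUBLIC KEY-----" (SPKI) block, the form you would paste into a verifier.
func parsePEMPublicKey(pemText string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if pub, ok := key.(*rsa.PublicKey); ok && err == nil {
		return pub, nil
	}
	return nil, fmt.Errorf("PEM block is not an RSA public key: %v", err)
}

// signRS256 mints a compact JWT; it is a constructed stand-in for the identity provider so the demo can build tokens offline.
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) string {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	// Error ignored on purpose: with a valid key this demo helper cannot fail to sign.
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + enc.EncodeToString(sig)
}

// verifyRS256 is the signature step of a VerifyJWT check: pin the algorithm, hash "header.payload" with SHA-256, check the PKCS#1 v1.5 signature.
func verifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &header); err != nil {
		return nil, fmt.Errorf("malformed header: %w", err)
	}
	// The verifier, not the token, chooses the algorithm; trusting "alg" from the header enables alg=none and RS256/HS256 confusion.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q, policy requires RS256", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, ErrSignature
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	return claims, nil
}

// corruptSignature flips one bit of the third segment: the "corrupt JWT" case from the answer.
func corruptSignature(token string) string {
	parts := strings.Split(token, ".")
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	sig[len(sig)/2] ^= 0x01
	parts[2] = base64.RawURLEncoding.EncodeToString(sig)
	return strings.Join(parts, ".")
}

func main() {
	issuer, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's signing key
	other, _ := rsa.GenerateKey(rand.Reader, 2048)  // a key never paired with that signer
	token := signRS256(issuer, map[string]interface{}{"sub": "pratyush", "iss": "example-issuer"})
	der, _ := x509.MarshalPKIXPublicKey(&issuer.PublicKey)
	pub, _ := parsePEMPublicKey(string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})))
	claims, err := verifyRS256(token, pub)
	fmt.Println("correct key:        ", claims, err)
	_, err = verifyRS256(token, &other.PublicKey)
	fmt.Println("key mismatch:       ", err)
	_, err = verifyRS256(corruptSignature(token), pub)
	fmt.Println("corrupted signature:", err)
}
```

To use it against a real token, replace the generated key with the PEM you are feeding the policy (the value behind flow.mhc.pubkey) and the constructed token with the one Azure AD issued; if this code rejects the token with the same signature error, the policy is behaving correctly and the key is the thing to question. Note that a signature check alone only proves who signed the token: once it verifies, the Issuer and Audience elements that are commented out in the posted policy should be enabled so that a token minted for a different application or tenant is also rejected.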

3 REPLIES


Hello @Dino-at-Google


You were correct that the signature was wrong. I cross-checked again with the Azure team and asked them to verify it, and now it is working fine for me. Many thanks for all your support.


Cheers,

Pratyush

You're welcome, I'm glad it helped.