Hi Team,
I am trying to validate a JWT token generated by Azure AD. After setting up the policies, now I am facing an issue like:
Error Content

Body | {"fault":{"faultstring":"Invalid token: policy(VerifyJWT)","detail":{"errorcode":"steps.jwt.InvalidToken"}}}

Properties

Property | Value
---|---
action | ABORT
stepDefinition-async | false
internal | false
stepDefinition-type | (empty)
type | VerifyJWTStepExecution
enforcement | request
stepDefinition-continueOnError | false
stepDefinition-displayName | VerifyJWT
stepDefinition-name | VerifyJWT
stepDefinition-enabled | true
result | false
error | Invalid token: policy(VerifyJWT)
type | ErrorPoint
state | PROXY_REQ_FLOW
error.class | com.apigee.steps.jwt.verify.SignatureVerificationException
Identifier | fault
Our VerifyJWT policy looks like the below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="VerifyJWT" enabled="true" continueOnError="false" async="false">
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <Value ref="flow.mhc.pubkey"/>
    </PublicKey>
    <!--<Subject ref="jwt.DecodeJWT.claim.subject"/>-->
    <!--<Issuer ref="jwt.DecodeJWT.claim.issuer"/>-->
    <!--<Audience ref="jwt.DecodeJWT.claim.audience"/>-->
</VerifyJWT>
Thanks
Pratyush
"Invalid token" and "com.apigee.steps.jwt.verify.SignatureVerificationException" indicate that the signature on the token cannot be verified using the key you have provided.
The JWT runtime cannot verify the signature with the given public key. One of these two things is true:
It is impossible to determine, from inspection, whether the signature is corrupted, or whether the signature has been made with a private key that does not match your public key. The signature bytes are random, so it is not something you could visually inspect to determine which of the two above is happening.
My recommendation is to check your assumptions about the public key you are using.
If I were troubleshooting this I would try verifying the JWT using a different tool, like this one. You can paste in your JWT and your PEM-encoded public key and try to verify in the browser. The JWT doesn't leave your browser, nor does the public key (not that it matters; public keys are public).
Or you can verify a JWT using custom code in C#, Java, etc. If you get the same kind of error with other tools that you are seeing in the Apigee VerifyJWT policy, that would suggest that the VerifyJWT policy is working correctly. Then it is up to you to determine which of the two above cases - key mismatch or corrupted signature - is leading to the problem.
If you get different results from a different signature verification tool - for example if the online tool verifies the JWT but the Apigee VerifyJWT policy doesn't - then you will need to look more closely at the key and JWT, and the policy configuration to determine why.
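The two failure cases described in this answer, shown with an added Go example (not the poster's code, not Apigee's, and not an Azure AD token): it signs a JWT with RS256 using only the Go standard library, then verifies it the way VerifyJWT does, once with the matching public key, once with a different key and once with a corrupted signature. The keys and claims are constructed for the example; the second key stands in for a wrong value of flow.mhc.pubkey.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url (RFC 7515)

// signRS256 builds a compact JWT (header.payload.signature) with an RS256 signature.
func signRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims) // constructed string claims; cannot fail
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// verifyRS256 does what VerifyJWT does for RS256: hash header.payload and check the RSA
// PKCS#1 v1.5 signature with the public key. A wrong key and a corrupted signature both
// come back as the same rsa.ErrVerification, so the cause cannot be read off the error.
func verifyRS256(token string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token: expected header.payload.signature")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
// corruptSignature flips one signature byte: the token still parses but no longer verifies.
func corruptSignature(token string) string {
	parts := strings.Split(token, ".")
	sig, _ := b64.DecodeString(parts[2])
	sig[0] ^= 0xff
	return parts[0] + "." + parts[1] + "." + b64.EncodeToString(sig)
}
```

Generate two keys with rsa.GenerateKey, sign with the first, and compare verifyRS256 against the first key, the second key and corruptSignature(token): only the first returns nil, and the other two return identical errors.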
Hello @Dino-at-Google
You were correct that the signature was wrong. I cross-checked again with the Azure team and asked them to verify, and now it's working fine for me. Many thanks for all your support.
Cheers,
Pratyush
You're welcome, I'm glad it helped.