Solved: How to verify JWT Token

pxzxz1 · 07-01-2020 07:31 AM

Hello Apigeeks

Ways to verify JWT

Report Inappropriate Content

I am currently using JWKS to verify the token. In the KVM I have the JWKS key stored and in the flow I am doing lookup of the key. The JWT token is getting signature verified against the JWKS key, if its successful then the request is processed further.

View solution in original post

dchiesa1

A good place to start is the Reference Documentation for the JWT policies.

You may want to view my screencast overview of JWT. Specifically I discuss decoding vs verifying JWT at 9minutes 40seconds of that screencast. And then I discuss the policies in Apigee that you can use for JWT .

pxzxz1

Hello @dino-at-google

Thank you for the information.

dchiesa1

Well it depends on the convention that the JWT issuer is using.

If it is a client-issued self-signed JWT, then there is a keypair, presumably managed by the client, or managed jointly by Apigee and the client. The signer (the client in this case) needs the private key, and the verifier (Apigee in this case) needs access to the public key. How Apigee "gets" the public key is a design decision.

One simple way is ... for the client to self-generate a keypair, then at provisioning time, the developer of the client needs to upload the public key to Apigee so that it is stored as a custom attribute on the developer app.

Or you could invert that; Apigee could generate the keypair and transmit the private key to the client developer (via web download) , and then Apigee itself could store the required public key as a custom attribute on the developer app.

In either of these cases, yes, Apigee stores the client's public key.

Another alternative is for the client to use a key provisioning and management service. (Something like google Cloud KMS). That service would issue keys (key pairs). The client would have access to the private key for signing. Apigee and any other public endpoint would be able to contact the key management service to request the client's public key, based on the clientid, or the key id in the JWT, etc. The JWKS standard describes one way to do that: to publish public keys for specific key ID's.

In the first case Apigee stores the client's public key directly. In the second case Apigee stores... an "endpoint" or URI that can provide the client key, based on clientid or keyid. it's the same idea but with one added level of indirection.

One way or another, yes, a verifier of a JWT (like Apigee) needs access to the client's public key at runtime.

pxzxz1

Hello @dino-at-google

Thanks for the explanation, I understand better now.

dchiesa1

I want to ensure valid users, all of them will have their own JWT tokens and hence, public keys to be verified.

If you are speaking of user authentication, Normally that job is performed by an Identity Provider. Like Google Sign-in, or Okta, or Auth0, or Azure AD. There are many. After authenticating the user, the identity provider issues a signed JWT. The identity provider also publishes a JWKS endpoint with all of the necessary public keys. This is the endpoint for Google. The VerifyJWT policy can do a lookup into the JWKS endpoint to get the keys to verify the signature on an inbound JWT issued by a third-party identity provider.

If you don't want to use or rely on a third-party identity provider, then.... you have to decide how to manage signing keys, and how to authenticate users. Normally the keys are not per-user. (An app is not limited to use by one user, typically. Normally it is many users per app). I don't know , that's a bigger problem. Engaging in a design discussion about Building an identity provider is sort of beyond my capacity in this venue.

It's possible you said "ensure valid users" but you mean "ensure valid apps." If you are speaking not of USER authentication, but of APP authentication, then storing the public key on the developer app as a custom attribute seems like the right thing. I addressed this in my article and example of RFC 7523.

good luck.

Report Inappropriate Content

I am currently using JWKS to verify the token. In the KVM I have the JWKS key stored and in the flow I am doing lookup of the key. The JWT token is getting signature verified against the JWKS key, if its successful then the request is processed further.

dchiesa1

If there is a JWKS endpoint, you don't need a KVM or a manual (Explicit) lookup of the key.

You can do this

<VerifyJWT name='JWT-1'>
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <PublicKey>
    <JWKS uri="https://your.jwks.endpoint.from/key.provider/jwks.json"/>
  </PublicKey>
  <Issuer>whatever</Issuer>
  <AdditionalClaims>
    <Claim name='cid'>whatever-you-like-here</Claim>
  </AdditionalClaims>
</VerifyJWT>

pxzxz1

Hello @priyadarshi ajitav jena

I believe JWT and JKWS work about the same. Can you share your flow with me as reference? Much appreciated.

dchiesa1

JWT and JKWS work about the same.

Maybe you've made a typo? Because that doesn't make sense. JWT and JWKS are two different, but related things.

JWT - RFC 7519

JWKS - RFC 7517

Report Inappropriate Content

we are generating JWT token using ISAM (External Identity system names ISAM). storing the JWKS key for that in Apigee KVM. Below is the verify JWT in apigee.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="true" enabled="true" name="Verify-Token">
    <DisplayName>Verify ISAM Token</DisplayName>
    <FaultRules/>
    <Properties/>
    <AdditionalClaims/>
    <AdditionalHeaders/>
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS ref="JWKSKey"/>
    </PublicKey>
    <Source>accessToken</Source>
</VerifyJWT>

dchiesa1

May I suggest eliminating the unused configuration elements?

<VerifyJWT async="false" continueOnError="true" enabled="true" name="Verify-Token">
    <DisplayName>Verify ISAM Token</DisplayName>
    <Source>accessToken</Source>
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS ref="JWKSKey"/>
    </PublicKey>
</VerifyJWT>

samirj

@dchiesa1 in case of Apigee X , is it possible to reach KMS to refer Public/Private keys ?

I see one has to associate Service Accounts with VM's and give the SA permissions so it can use keys from KMS. As the Apigee X is managed version how can it connect KMS ?

dchiesa1

in case of Apigee X , is it possible to reach KMS to refer Public/Private keys ?

Your question isn't related to the original question regarding the use of VerifyJWT. In case of a new question, please ask a new question! I will answer it there!