Verify JWT policy showing runtime error in production version

I have added a policy for JWT verification with the help of key value maps, and it is working fine in the eval version of Apigee:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="auth0-token-verify">
    <DisplayName>auth0-token-verify</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://thanos.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Issuer>https://thanos.auth0.com/</Issuer>
    <Audience ref="var_auth0_jwt_audience"/>
</VerifyJWT>

But when I used the same bundle in the licensed version of Apigee, it started throwing an error:

"code" : "steps.jwt.EmptyElementForKeyConfiguration",
"message" : "Empty Element for Key Configuration : policy(auth0-token-verify) element(PublicKey/JWKS)",

The bundle works fine in the licensed version if I remove the JWT policy above. Any thoughts on the same, @Dino-at-Google @Dino?


The Apigee version where we are getting the error is 19.01.


This error indicates a jwks.json issue. Either it's not accessible or it's returning empty.

<JWKS uri="https://thanos.auth0.com/.well-known/jwks.json"/> 

If it is not able to get it, you can keep the JSON body in your KVM, extract it inside the proxy, and use it as a reference for the JWKS.
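
The KVM workaround suggested in the reply above, sketched as two policies (an added example, not code from the thread or from Apigee; the map name auth0-jwks, the key jwks and the variable auth0_jwks are assumed names). The first policy loads the stored JWKS JSON into a flow variable, and the second is the original policy with the JWKS uri attribute swapped for a ref to that variable:

```xml
<!-- Policy 1 (runs first): read the JWKS JSON stored in an environment-scoped KVM.
     mapIdentifier, the key name and the assignTo variable are assumed names. -->
<KeyValueMapOperations async="false" continueOnError="false" enabled="true"
                       name="kvm-get-auth0-jwks" mapIdentifier="auth0-jwks">
    <DisplayName>kvm-get-auth0-jwks</DisplayName>
    <Scope>environment</Scope>
    <!-- Cache the looked-up value for 5 minutes to avoid a KVM read per request -->
    <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
    <Get assignTo="auth0_jwks">
        <Key>
            <Parameter>jwks</Parameter>
        </Key>
    </Get>
</KeyValueMapOperations>

<!-- Policy 2 (runs second): same checks as the original policy, but the key set
     comes from the flow variable instead of a remote fetch at verification time. -->
<VerifyJWT async="false" continueOnError="false" enabled="true" name="auth0-token-verify">
    <DisplayName>auth0-token-verify</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS ref="auth0_jwks"/>
    </PublicKey>
    <Issuer>https://thanos.auth0.com/</Issuer>
    <Audience ref="var_auth0_jwt_audience"/>
</VerifyJWT>
```

A JWKS copied into a KVM does not follow the issuer's key rotation, so the stored entry has to be refreshed whenever the signing key changes; otherwise valid tokens signed with the new key will fail verification.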

I have tested on the same. The JWKS URI is publicly accessible. Also, this was working in the eval version.

Is it the SaaS or on-prem version of Apigee?

You may be experiencing a bug in the VerifyJWT policy.

Check this Q&A for a similar issue, and a suggested workaround.

The fix for that problem is rolling out into production. The eval organizations get the fixes first, which would explain the difference in behavior you observed.