Exclude jti from JWT token generation

Hello,

We have a use case of generating JWT tokens in Apigee with a private key, with digest and digestAlgorithm as Additional Claims and an x5c certificate as an Additional Header, and passing the token to the backend target for validation and further processing of the request.

Please see below for the policy configuration.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT async="false" continueOnError="false" enabled="true" name="Generate-JWT">
    <DisplayName>Generate JWT</DisplayName>
    
    <Algorithm>RS256</Algorithm>
    
    <PrivateKey>
        <Value ref="private.privatekey"/>
    </PrivateKey>

    <AdditionalClaims>
        <Claim name="digest" ref="signData"/>
        <Claim name="digestAlgorithm" type="string">SHA-256</Claim>
    </AdditionalClaims>

    <AdditionalHeaders>
        <Claim name="x5c" ref="private.cert"/>
    </AdditionalHeaders>

    <OutputVariable>jwt-token</OutputVariable>

</GenerateJWT>

The resulting JWT contains a "jti" claim which unfortunately is being rejected by the backend target. Is there a way or workaround by which I can exclude the "jti" claim from token generation? Though I believe it should not be checked for by the backend target, unfortunately it is checking this and rejecting the tokens.

Thanks,

SivaRam Appali

1 ACCEPTED SOLUTION

GenerateJWT always produces a jti claim in the issued JWT.

If you need no jti at all, you can use GenerateJWS. GenerateJWS can sign any payload; you need to pass in JSON in order to generate a JWT. Take care to assemble your claims correctly.


7 REPLIES

If your backend is expecting a specific value or pattern in the jti claim, you may want to add the <Id> attribute in your GenerateJWT policy (https://docs.apigee.com/api-platform/reference/policies/generate-jwt-policy#id). You should configure it to match what your backend expects. When not added, jti defaults to a random UUID.

This is probably the best approach to fix your issue. However, if you still want to go ahead and remove the jti claim, use an AssignMessage policy to copy all claims (except jti)

Hi @deboraelkin

My requirement is not to include the "jti" claim as part of the token generation process.

How do you remove "jti" or any claim once it is generated with the JWT policy? I don't think it is possible to remove any claim and pass it to the target.

It is not possible to remove any claim from a JWT including jti, after the signature has been computed, and still allow the JWT to be successfully verified.


@Dino-at-Google

Thank you for the response. I looked at the GenerateJWS policy and gave it a try.

As per the documentation - Use the <Payload> element to specify the raw, unencoded JWS payload. When this policy is triggered, Edge encodes the JWS header and payload, and then uses them to generate the encoded signature. However, the generated JWS omits the payload. It is up to you to pass the payload to the VerifyJWS policy by using the <DetachedContent> element of the VerifyJWS policy.

However, my need is to specify the Payload as digest like how I mentioned in the AdditionalClaims of GenerateJWT under the policy configuration.

Is there a way I can achieve this with JWS? Because my backend system validates the token and it expects these Additional Claims, and that was the actual reason I started off with JWT.

Please advise.

my need is to specify the Payload as digest

I am not clear.

I thought the need was to generate a JWT with no jti claim. I think I answered that.

The GenerateJWS can be used to generate a JWT if you call JSON.stringify() on the thing you want to send as payload. In the Apigee proxy, you would:

  • invoke a JavaScript policy to build the payload
  • invoke a GenerateJWS to create the JWT

The JS might be like this:

var payload = {
  digest: "digest-value-here", // how you compute it is up to you
  digestAlgorithm: "SHA-256"
};
// expose the serialised JSON as a flow variable for GenerateJWS <Payload ref='payload'/>
context.setVariable('payload', JSON.stringify(payload));

And then the GenerateJWS might be like this:

<GenerateJWS name="Generate-JWT">
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.privatekey"/>
    </PrivateKey>
    <Payload ref='payload'/>
    <AdditionalHeaders>
        <Claim name="x5c" ref="private.cert"/>
    </AdditionalHeaders>
    <OutputVariable>jwt-token</OutputVariable>
</GenerateJWS>

Does that work?

Can you show the shape of the desired JWT?


Also, you quoted a portion of the documentation with this statement:

Edge encodes the JWS header and payload, and then uses them to generate the encoded signature. However, the generated JWS omits the payload.

That statement from the Apigee documentation pertains to the DetachedContent element on the GenerateJWS policy. If you don't want detached content, then do not use that element.

Thank you Dino!

This serves the purpose. And yes, we were looking to generate the JWT token without a jti in the output and with a payload digest using the SHA-256 algorithm.