Encrypting JWT using JWKS

Hi everyone, I want to encrypt the JWT using the public key JWKS below:

{
  "keys": [{
    "kty": "RSA",
    "kid": "csrfJwtEncryptionKey",
    "use": "enc",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"
  }]
}

Error received: "Could not find a matching Public Key"

Policy configuration as below.

<GenerateJWT name="Generate-JWT-2">
  <DisplayName>Generate JWT-2</DisplayName> 
  <Algorithms> 
    <Key>RSA-OAEP-256</Key>
    <Content>A128CBC-HS256</Content> 
  </Algorithms> 
  <PublicKey> 
    <JWKS ref="private.key"/> 
    <Id>csrfJwtEncryptionKey</Id> 
  </PublicKey>
  <Subject>subject-subject</Subject>
  <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>
  <Audience>audience1,audience2</Audience> 
  <ExpiresIn>8h</ExpiresIn>
  <AdditionalClaims> 
    <Claim name="additional-claim-name"
           type="string">additional-claim-value-goes-here</Claim>
  </AdditionalClaims> 
  <OutputVariable>jwt-variable</OutputVariable> 
</GenerateJWT>

Can someone let me know what I am doing wrong in this?

1 ACCEPTED SOLUTION

Maybe I can help?

Two things.

1. There's a bug (reference b/139642475) in Apigee in which a JWK representing an RSA key with use="enc" is rejected. So, either omit the "use" field or set it to "sig". Like this:

{
  "keys": [{
    "kty": "RSA",
    "kid": "csrfJwtEncryptionKey",
    "use": "sig",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"
  }]
}

or like this:

{
  "keys": [{
    "kty": "RSA",
    "kid": "csrfJwtEncryptionKey",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"
  }]
}


2. When you use a structure like

 <JWKS ref='VARIABLE_NAME_HERE'/>

...then the VARIABLE_NAME_HERE must be the name of a variable that holds the full JWKS.

You are using a variable name of "private.key" which does not sound like it holds a JWKS, which... contains only public keys, I guess. So either, in "private.key", you have a very misleadingly named variable, or you have something in that variable which is not a JWKS.

You can get what you want by using an AssignMessage like this:

<AssignMessage name="AM-JWKS">
    <AssignVariable>
        <Name>my_jwks</Name>
        <Value>{
  "keys": [{
    "kty": "RSA",
    "kid": "csrfJwtEncryptionKey",
    "use": "sig",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"
  }]
}
</Value>
    </AssignVariable>
</AssignMessage>

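
As an added example (not part of this thread, and not Apigee's own code), here is a small Python pre-flight check for a JWKS that is going to feed a GenerateJWT encryption policy. The kid lookup mirrors the policy's <Id> match, and the handling of "use" follows the two workarounds in the accepted answer above; the checks for leaked private-key members and for modulus size are general JWKS hygiene added here, not something the thread discusses. The JWKS is the one posted in the question, embedded so the script runs offline; the function names, the 2048-bit minimum and the rendered policy name are my own assumptions.

```python
import base64
import json
import xml.etree.ElementTree as ET

# The JWKS from the question, copied verbatim (public key only, use="enc").
SAMPLE_JWKS = json.loads("""
{
  "keys": [{
    "kty": "RSA",
    "kid": "csrfJwtEncryptionKey",
    "use": "enc",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"
  }]
}
""")

# RFC 7518 private-key members that must never appear in a published JWKS;
# "k" is the symmetric-key member (RFC 7518 section 6.4).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding JWK members use (RFC 7515 appendix C)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def rsa_modulus_bits(jwk: dict) -> int:
    """Bit length of the RSA modulus n, i.e. the key size."""
    return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()


def find_key(jwks: dict, kid: str) -> dict:
    """Mirror the policy's <Id> lookup: return the JWK whose kid matches."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise LookupError(f"Could not find a matching Public Key for kid={kid!r}")


def check_jwe_public_key(jwk: dict, min_bits: int = 2048) -> list:
    """List the problems that would stop this JWK serving as the RSA-OAEP-256
    key of GenerateJWT. An empty list means the key passes."""
    problems = []
    members = set(jwk)
    if jwk.get("kty") != "RSA":
        problems.append(f"kty must be RSA for RSA-OAEP-256, got {jwk.get('kty')!r}")
    if not {"n", "e"} <= members:
        problems.append("an RSA public JWK needs both n and e")
    leaked = sorted(PRIVATE_MEMBERS & members)
    if leaked:
        problems.append(f"private-key members {leaked} present: this JWKS would publish a private key")
    # Workaround from the accepted answer: the platform rejects use="enc" on RSA keys.
    if jwk.get("use") == "enc":
        problems.append('use="enc" is rejected by GenerateJWT (bug b/139642475); omit "use" or set it to "sig"')
    if "n" in jwk and rsa_modulus_bits(jwk) < min_bits:
        problems.append(f"modulus is {rsa_modulus_bits(jwk)} bits, below {min_bits}")
    return problems


def rewrite_use(jwks: dict, drop: bool = False) -> dict:
    """Return a copy of the JWKS with every key's "use" removed (drop=True) or set to "sig"."""
    fixed = json.loads(json.dumps(jwks))  # deep copy, so the caller's JWKS is untouched
    for key in fixed.get("keys", []):
        if drop:
            key.pop("use", None)
        else:
            key["use"] = "sig"
    return fixed


def assign_message_policy(var_name: str, jwks: dict, policy_name: str = "AM-JWKS") -> str:
    """Render the AssignMessage policy that stores the full JWKS in a flow variable,
    which is what <JWKS ref="var"/> in GenerateJWT expects to find there."""
    root = ET.Element("AssignMessage", name=policy_name)
    assign = ET.SubElement(root, "AssignVariable")
    ET.SubElement(assign, "Name").text = var_name
    ET.SubElement(assign, "Value").text = json.dumps(jwks, separators=(",", ":"))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    key = find_key(SAMPLE_JWKS, "csrfJwtEncryptionKey")
    print(f"{rsa_modulus_bits(key)}-bit RSA key, problems: {check_jwe_public_key(key)}")
    print(assign_message_policy("my_jwks", rewrite_use(SAMPLE_JWKS, drop=True)))
```

Of the two workarounds, dropping "use" keeps the JWK honest: RFC 7517 defines use="sig" as a signature key, so labelling an encryption key "sig" is a misstatement that the next consumer of the same JWKS may act on. The private-member check is there because a JWKS handed to a policy that only needs the public half is exactly where a private key tends to get pasted by mistake.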

2 REPLIES

Hi Dino,

Thanks for the help. Changing "use" to "sig" in the JWKS solved the issue.