Hi everyone, I want to encrypt the JWT using the public key JWKS below:
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "csrfJwtEncryptionKey",
      "use": "enc",
      "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
      "e": "AQAB"
    }
  ]
}
Error received: "Could not find a matching Public Key"
Policy configuration as below:
<GenerateJWT name="Generate-JWT-2">
  <DisplayName>Generate JWT-2</DisplayName>
  <Algorithms>
    <Key>RSA-OAEP-256</Key>
    <Content>A128CBC-HS256</Content>
  </Algorithms>
  <PublicKey>
    <JWKS ref="private.key"/>
    <Id>csrfJwtEncryptionKey</Id>
  </PublicKey>
  <Subject>subject-subject</Subject>
  <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>
  <Audience>audience1,audience2</Audience>
  <ExpiresIn>8h</ExpiresIn>
  <AdditionalClaims>
    <Claim name="additional-claim-name" type="string">additional-claim-value-goes-here</Claim>
  </AdditionalClaims>
  <OutputVariable>jwt-variable</OutputVariable>
</GenerateJWT>
Can someone let me know what I am doing wrong in this?
Maybe I can help?
Two things.
1. There's a bug (reference b/139642475) in Apigee in which a JWK representing an RSA key with use="enc" is rejected. So, either omit the "use" field or set it to "sig". Like this:
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "csrfJwtEncryptionKey",
      "use": "sig",
      "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
      "e": "AQAB"
    }
  ]
}
or like this:
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "csrfJwtEncryptionKey",
      "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
      "e": "AQAB"
    }
  ]
}
2. When you use a structure like
<JWKS ref='VARIABLE_NAME_HERE'/>
...then the VARIABLE_NAME_HERE must be the name of a variable that holds the full JWKS.
You are using a variable name of "private.key", which does not sound like it holds a JWKS, which... contains only public keys, I guess. So either in "private.key" you have a very misleadingly named variable, or you have something in that variable which is not a JWKS.
You can get what you want by using an AssignMessage like this:
<AssignMessage name="AM-JWKS">
  <AssignVariable>
    <Name>my_jwks</Name>
    <Value>{ "keys": [{ "kty": "RSA", "kid": "csrfJwtEncryptionKey", "use": "sig", "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ", "e": "AQAB" }] }</Value>
  </AssignVariable>
</AssignMessage>
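As an added pre-flight check (not code from the thread or from Apigee), the Python linter below reproduces the two conditions in the answer above against the thread's own JWKS: it confirms that the variable named in <JWKS ref="..."/> really holds a JWKS containing a key whose kid matches the policy's <Id>, and it flags use="enc", which is the RFC 7517 value for an encryption key but the one Apigee's bug rejects. The kid and key material are the ones posted in the thread; the function names and the error messages are my own.

```python
import base64
import json

# Constructed sample: the JWKS posted in the thread, still carrying use="enc".
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "RSA", "kid": "csrfJwtEncryptionKey", "use": "enc",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMV"
         "C9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-"
         "ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRn"
         "PWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATR"
         "rI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwq"
         "SkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"}]})

def b64url_to_int(s):
    """Decode an unpadded base64url JWK parameter (n or e) into an integer."""
    s += "=" * (-len(s) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(s), "big")

def lint_jwks_for_apigee(jwks_text, kid):
    """List the problems that keep GenerateJWT from matching <Id>kid</Id>
    in the variable named by <JWKS ref="..."/>; an empty list means OK."""
    try:
        doc = json.loads(jwks_text)
    except (TypeError, ValueError):
        return ["variable does not hold JSON; a PEM private key is not a JWKS"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        return ['document has no "keys" array, so it is not a JWKS']
    matches = [k for k in keys if k.get("kid") == kid]
    if not matches:
        return [f"no key with kid={kid!r}"]
    key, problems = matches[0], []
    if key.get("kty") != "RSA":
        problems.append(f'kty is {key.get("kty")!r}; RSA-OAEP-256 needs "RSA"')
    if key.get("use") == "enc":  # Apigee bug b/139642475 rejects enc keys
        problems.append('use="enc" is rejected by Apigee (b/139642475); omit "use" or set it to "sig"')
    if "n" not in key or "e" not in key:
        problems.append('public components "n" and "e" are missing')
    elif b64url_to_int(key["n"]).bit_length() < 2048:
        problems.append("RSA modulus is shorter than 2048 bits")
    return problems

def modulus_bits(jwks_text, kid):
    """Bit length of the RSA modulus of the key with this kid."""
    key = next(k for k in json.loads(jwks_text)["keys"] if k.get("kid") == kid)
    return b64url_to_int(key["n"]).bit_length()
```

Run the linter on the exact string you place in the AssignMessage <Value>; the thread's key is a 2048-bit RSA key, and the only finding on the original JWKS is the use="enc" field.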
Hi Dino,
Thanks for the help. Changing "use" to "sig" in the JWKS solved the issue.