Verify JWT Token using RS256 algorithm

I have configured a Verify JWT token policy in an Apigee proxy. While testing it in Postman, I am getting "Invalid claim: claim(iss)". I didn't add any claims under 'additional claims' in the JWT Token policy.

How should I fix this?


Can you share the policy code?

In general when asking for help, providing a description of the error you are seeing is not enough information. You also need to provide the configuration of the policy or proxy that you are using. And also perhaps the data or request that you are using, in this case that would be the actual JWT, if you're comfortable sharing it.

Even without the other information, I can infer some things from the information you gave.

"invalid claim: claim(iss)" indicates that the VerifyJWT policy you are using is configured to verify the issuer of the JWT you have provided, and the policy is finding that the issuer in the JWT does not match what your policy configuration requires.

When a VerifyJWT policy executes, it first validates the algorithm and signature on the JWT, using the information you provide in the policy configuration. If that succeeds, then the VerifyJWT policy checks the validity times (exp and nbf claims). If that succeeds, then VerifyJWT will verify other claims you specify.

If you use the Issuer element in the VerifyJWT configuration, then the VerifyJWT policy will look for the specified issuer ("iss" claim) in the JWT it is verifying. If there is no issuer, or if the provided JWT includes an "iss" claim that does not match, VerifyJWT will give you the error you reported.

<VerifyJWT name='VJWT-1'>
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <PublicKey>
    <Value ref='public_key_pem'/>
  </PublicKey>
  <!--
    The following tells VerifyJWT to look for urn://DinoChiesa as
    the "iss" claim in the incoming JWT. If the incoming JWT does
    not include this string as the "iss" claim, the VerifyJWT policy
    will throw a fault with "invalid claim: claim(iss)", even if the
    signature is valid.
  -->
  <Issuer>urn://DinoChiesa</Issuer>
</VerifyJWT>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-2">
    <DisplayName>Verify JWT-2</DisplayName>
    <Algorithm>RS256</Algorithm>
    <Source>request.header.jwt-token</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <Value>
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMII.........
-----END PUBLIC KEY-----
        </Value>
    </PublicKey>
    <Subject>subject-subject</Subject>
    <Issuer>urn://apigee-edge-JWT-policy-test</Issuer>
    <Audience>audience1,audience2</Audience>
</VerifyJWT>

Please find the configuration of the policy above.

Issuer: kept it default.

Public key: used the key from the encoded value of the JWT token.

I have tried to update the issuer URL with the Okta IdP issuer URL: https://login.microsoftonline.com/ae04883c-1753-4789-83ec-919ff385b6d0/v2.0

I have got the same error.

Request in Postman: http://{apigee-deploy-url}-eval-test.apigee.net/v1/account

Header: I have passed the jwt-token.

Let me know what I should use for the Issuer and Audience in the policy.


The error you are seeing is because of an invalid issuer. Please check that the string in the token and in the Verify JWT policy are the same.

Thanks. It's working now, after updating the Issuer, sub and audience URL with the decoded token data.

I have authenticated the user using Okta, and it sends an ID token along with the access token in the redirect URL.

I need to fetch these token details and use them in Apigee.

Now I have configured the values of sub, iss and aud by copying them from the token. Instead, I should read the details automatically from the token.

<Subject>00uonkyy58HMoN4x6</Subject>
<Issuer>https://dev-171XX7.okta.com</Issuer>
<Audience>0oaonxg64nnz4x6</Audience>

Is there any doc which I can refer to?

I'm not clear. What problem are we solving?

If you don't want to verify the claims, but merely want to read them, then

  • remove the elements for Issuer, Subject, etc. from the policy
  • in subsequent policies, read the context variables like jwt.POLICYNAME.decoded.claim.iss and so on.

Yes, there is reference documentation for the VerifyJWT policy. It describes all of this in greater detail. Google for it.
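The verification order described earlier in the thread (algorithm and signature, then exp/nbf, then each configured claim), together with the point of the last reply that claims can be decoded and read without being checked, as an added Go example that is neither code from this thread nor Apigee's implementation: Mint signs a token with RS256 the way an IdP would, and Verify applies the checks in that order and returns the decoded claims. The Policy struct, the function names and the error strings are my own approximations of the policy elements and fault messages discussed above; the sample claims in the test are constructed.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Policy mirrors the VerifyJWT elements in the thread; an empty field means the element is absent and that claim is not checked.
type Policy struct{ Algorithm, Issuer, Subject, Audience string }
var b64 = base64.RawURLEncoding
// Mint produces an RS256 (RSASSA-PKCS1-v1_5 over SHA-256) token the way an IdP such as Okta would.
func Mint(key *rsa.PrivateKey, claims map[string]any) string {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
// Verify checks in the order the reply describes: algorithm and signature, then exp/nbf, then each configured claim.
func Verify(token string, pub *rsa.PublicKey, p Policy, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	claims := map[string]any{} // JSON numbers decode as float64
	for i, dst := range []any{&hdr, &claims} { // parse header and payload; nothing is trusted yet
		if raw, err := b64.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, errors.New("malformed token")
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || hdr.Alg != p.Algorithm || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("algorithm or signature check failed")
	}
	exp, hasExp := claims["exp"].(float64)
	if nbf, hasNbf := claims["nbf"].(float64); (hasExp && float64(now) >= exp) || (hasNbf && float64(now) < nbf) {
		return nil, errors.New("token outside its exp/nbf window")
	}
	for _, c := range []struct{ want, name string }{{p.Issuer, "iss"}, {p.Subject, "sub"}, {p.Audience, "aud"}} {
		if got, _ := claims[c.name].(string); c.want != "" && got != c.want { // a missing claim fails too
			return nil, errors.New("invalid claim: claim(" + c.name + ")")
		}
	}
	return claims, nil // decoded claims, the analogue of jwt.POLICYNAME.decoded.claim.* in Apigee
}
```

With Issuer left empty the issuer is returned in the claims map but never compared, which is the "read but don't verify" behaviour the last reply describes.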