4.19.10 - OnPrem | JWT Signing using PS256 Algorithm

ashwithds123
Participant IV

@Dino-at-Google, @Dino, @marshg@google.com

Can we use generate JWT policy for signing using PS256 algorithm?

I presume PS256 algorithm is only available from 4.50.xx versions of on-prem.

Can you please let me know how to use PS256 algorithm on the 4.19.1 version.

Is there any OOTB java callout available for the mentioned requirment?

if available can you please share me the GIT link.

Note: Use this same example to generate a JWT for the PS256 or ES256 algorithm. Just change the value of <Algorithm>RS256</Algorithm> to PS256 or ES256. For ES256 you also have to specify the a key compatible with the algorithm. For more on the key requirments, see About signature encryption algorithms.

This example policy generates a new JWT and signs it using the HS256 algorithm. HS256 relies on a shared secret for both signing and verifying the signature.

When this policy action is triggered, Edge encodes the JWT header and payload, then digitally signs the JWT. See the video above for a complete example, including how to make a request to the policy.

The policy configuration here will create a JWT with a set of standard claims as defined by the JWT specification, including an expiry of 1 hour, as well as an additional claim. You can include as many additional claims as you wish. See the Element reference for details on the requirements and options for each element in this sample policy

0 9 1,526
9 REPLIES 9

I presume PS256 algorithm is only available from 4.50.xx versions of on-prem.

That is correct. As far as I know.

Can you please let me know how to use PS256 algorithm on the 4.19.1 version.

Is there any OOTB java callout available for the mentioned requirment?

There is none currently, as far as I know. PS256 is pretty close to RS256, though. It uses the same keys, the same crypto. Just different padding. so it would not be hard for you to add this capability to the callout in this repo.

Just curious: what prevents you from adopting 4.50 ?

We have similar requirement and just did extend your code to PS256 and it works fine.

https://github.com/apigee/iloveapis2015-jwt-jwe-jws/tree/master/jwt_signed/callout


Did you file a pull request? Are you contributing your change back to the project?

Absolutely.Will do.

@vinay,

Can you please share the java callout.

Api proxy bundle will be helpful

Sure.. Working on enabling a feature for JWKS. We are doing something for open banking(pretty interesting).

1.Search the key with the matching kid property in retrieve keysets.
2.Build a (public)certificate using the corresponding keyset
3.Use the certificate to verify the JWT’s signature.

Seeing some challenges but should able to sort out. If it gets delayed will share sample which does bare sign/verify.

Maybe a way to do it would be to build a supporting proxy that accepts a keyid and returns a Certificate in PEM format? And there might be a simple Java callout that does that work. (that should be drop-dead simple)

@Ashwith: Thanks for your patience. Couldn't upload because of size limitation but you can use below.

https://github.com/vinayporeddy/Apigee-JWS-PS256

Generate the keys and make modifications as required.The modified code will handle PS256.. Used original keys which dino had in repo but it will work with any keys.

If you have questions we can talk as well to clarify. Drop me your email.

@dino:

Was able to make the JWKS flow work as described earlier.Didn't enable in this proxy/java code to keep it simple(generate/verify).

Idea was do it all in one rather multiple callouts..Adjusted the code to use latest versions but open for thoughs/ideas..

1. Receive signed JWT request.
2. Fetch from JWKS url from KVM based of software id or any unique id (meta data will be pushed - jwks/kid/software statements etc during /register flow).

3. Provide the JWS to callout along with JWKS/Kid information in properties
4. Search the key with the matching kid property in retrieve keysets & cache it
5. Build a (public)certificate using the corresponding keyset
6. Use the certificate to verify the signature.

I may be doing incorrect but appreciate your support.

Original code was very well written & thankyou for all your work.

Sounds great! Thanks for contributing it back to the community.