Hi , My JWT Verification is failing, with this error:
|
jwt.JWT-Verify.error
|
Could not find a matching Public Key: policy(JWT-Verify)
|
the policy config:
<VerifyJWT>
<DisplayName>JWT-Verify</DisplayName>
<Algorithm>ES512</Algorithm>
<Source>pingaccess_jwt</Source>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<TimeAllowance>120s</TimeAllowance>
<PublicKey>
<JWKS ref="calloutResponse.content"/>
</PublicKey>
</VerifyJWT>
In the trace I can see the value of the kid in the JWKS variable and it matches the value of the kid from the decoded jwt header in the flow. This is the first time verifying an ES type of signature. I never had to parse the JWKS for any of the other signatures I'm wondering if I have to do something different with JWKS or if my policy config is off?
Here are the values from the trace:
| jwt.JWT-Verify.header-json | {"kid":"2c","alg":"ES512"} |
|---|
| jwt.JWT-Verify.header-claim-names | [kid, alg] |
|---|
| jwt.JWT-Verify.header.kid | 2c |
|---|
| jwt.JWT-Verify.decoded.header.kid | 2c |
|---|
| jwt.JWT-Verify.header.algorithm | ES512 |
|---|
| jwt.JWT-Verify.decoded.header.alg | ES512 |
|---|
| jwt.JWT-Verify.signed | true |
|---|
| jwt.JWT-Verify.is_expired | false |
|---|
calloutResponse.content
{
"keys": [
{
"kty": "EC",
"kid": "2f",
"use": "sig",
"alg": "ES512",
"x": "AWNMBFYqbwYHMO1Zv9aYHyrIbXp4yFWJ5QiBuZ4yLMWyZPS7UhiuO0iwkE9gvyKQXI_6a0VXiiyk4NBhG4q9hKMH",
"y": "AQln3coV6WAf-wHoVaehovYio0Foys_6xC4U8UzLzo88fgCxVUW8QsYiEmQ_tSt50EUFAKggp8nt2X_GER2iVE4K",
"crv": "P-521"
},
{
"kty": "EC",
"kid": "2e",
"use": "sig",
"alg": "ES384",
"x": "OZd3IT_NRIgtJdPiErW7EA2FtSlizmdLNGpq65WjCZUA7EpVAVQDYRnVYQYYFIG2",
"y": "j4hRRaZ3BprvkyPF9NB2Kpxz1dr5jn9g9czJZ4znguB9GF989hNjCtlo00Ud2SRe",
"crv": "P-384"
},
{
"kty": "EC",
"kid": "2d",
"use": "sig",
"alg": "ES256",
"x": "kr2UZc2wKlw5szdFypPNvPx6bRhFanftadAfidt6TNo",
"y": "_OslA7C8NV6Psj2ohIE1j90BmBeVPmxwcvZcbSBROUk",
"crv": "P-256"
},
{
"kty": "EC",
"kid": "2c",
"use": "sig",
"alg": "ES512",
"x": "AN82cL5862dMJb9Xpc2NbUyeWJQ1ZXFn3Hh5UrmTiVDXw5TJBzA9vSf23pbdafjWfK2fmMlEsZvoVUpZIjkrvSVM",
"y": "AOxsGYubw7gfgkBonCZYQepwUxptQnzwwm2t7QsyiaPiSNuitig4bMsX-Fn51jMX96wv0Mel0RmyBb3TAKBk9yB6",
"crv": "P-521"
},
{
"kty": "EC",
"kid": "2b",
"use": "sig",
"alg": "ES384",
"x": "JPkD7llgmS-QbtzPSr-CZYPqHsg5_MiD5JhWjqPAmJqD1k3YuiYJd5pNggRdUs4s",
"y": "cUxzohl3jAWPc-kMkMSBW07IF2kn7My4RSxJ6J_cfUmp6TlSYHYsMbYyu31yH8VM",
"crv": "P-384"
},
{
"kty": "EC",
"kid": "2a",
"use": "sig",
"alg": "ES256",
"x": "cxATmhdy2XFmhLduY31M40Bu07BWG2V3Ir1BfqiMCaY",
"y": "0vMNiil72Ms7cIegxqd9iveSINegVT3g9m_G666YNI4",
"crv": "P-256"
},
{
"kty": "EC",
"kid": "29",
"use": "sig",
"alg": "ES512",
"x": "AAfuPBgdZI8TSrcMTr_T_CEd5NS0iVaVoOQLm5RsvCAWzqWieXPNoS0oqWc60RScSy-95UF0UMlXf35sE7JFcTQa",
"y": "AF-XqNeMFQtUV_-mcAlN90020BAOf6CLKumULq_SHKp0YLHq68M3Kncl-0GA7_fXdEMAYT1DyDkDgYS-32Y-sBho",
"crv": "P-521"
},
{
"kty": "EC",
"kid": "28",
"use": "sig",
"alg": "ES384",
"x": "wPWR927JlnSsZSZLGjsKjsx00pv6bI4ckB1_igpSTy5icB6SKhcaL6d9o1LUGh0p",
"y": "Xd-9dCwJ2gXXvJBeUNJQ50v3nxnO0_kJBADxaTCBKVVLFkPDWkS8Jk8hhJiaOU0s",
"crv": "P-384"
},
{
"kty": "EC",
"kid": "27",
"use": "sig",
"alg": "ES256",
"x": "_JvPT2ftA5t3KiNysEfYmMnrIXgcU8liAckXJpzDTaU",
"y": "2cs6FAkfvMJfCoiET8C6lH-VotMG5SP0KDY3hPU0jN8",
"crv": "P-256"
}
]
}
Thanks for your help.
LinkedIn
Twitter
