what is the JWKS format supported in Apigee

Hi Team,

I generate a JWKS using a third-party tool, which works fine in my Layer 7 Gateway without any changes.

{
    "keys": [
        {
            "kty": "EC",
            "d": "7MJbpdnCfFODZApvMpjgtVrJsePt2_y-_D3wUkzlUvA",
            "use": "enc",
            "crv": "P-256",
            "kid": "demoid",
            "x": "qQy5GfBw9l3ArH-zH61gXtzTDmGZqjN6dAb-8IFpRE4",
            "y": "hm1rHBR4vwfJo8W2bH7Um_ui5UAfWj_1UbiMJPd7RlQ",
            "alg": "ES256"
        }
    ]
}

But the code is working with a JWKS copied from the Apigee community site:

https://community.apigee.com/questions/86298/encrypting-jwt-using-jwks.html

{
  "keys": [{
    "kty": "RSA",
    "kid": "csrfJwtEncryptionKey",
    "use": "enc",
    "n": "vBZateaIP2zXRMC6_EthvUTjPISKizmfrQD543yH20rvgmoZomTfKD8YyCMVC9HdUXkBvDNeOtWGYOOy0VpFeDhuoKAu4jXkwZwZS3XDOA4BV5y9_BJo27d-ApVMZedvMnjmniR18NnNXFJQE5VWtx3aDO9RsmqMMd8D91E7V7Ty8xMd6rRnPWaW2vVRvRI1s-rInmepwq6mAWnNKZPDcrEvFRg9ThLVrYHd6bugz21jOATRrI9QuIb4WCNJ2XRlIOhfk1KfCFaKdACS71kxlQOvCOjEK4Kf6RojSk-hvqwqSkVHX4lfOxYTaOVlF6GJF7oqvMV3lIKSlMFfABC7FQ",
    "e": "AQAB"
  }]
}

Hi, I'm not clear.

what is your specific question?


The JWKS is generated by your JWT token generator application. The secret normally looks like JSON. You need to configure that in the Apigee encrypted KVM and use it for token validation in the policy.

Hang on. JWKS is generally not a secret. JWKS are generally, but not always, public keys, and JWKS are typically made available on public URLs. It is not necessary to configure the JWKS in a KVM.

This answer is not contributing clarity.


About JWKS

A JWKS is a JSON structure that represents a set of JSON Web Keys (JWKs). A JWK is a JSON data structure that represents a cryptographic key. JWK and JWKS are described in RFC7517. See the JWKS examples in Appendix A, Example JSON Web Key Sets.

JWKS structure

RFC7517 describes the JWKS key elements for each key type, such as "RSA" or "EC". For example, depending on the key type, these parameters can include:

  • kty - The key type, such as "RSA" or "EC".
  • kid (the key id) - Can be any arbitrary value (no duplicates within a key set). If the inbound JWT bears a key ID which is present in the set of JWKS, then the policy will use the correct public key to verify the JWS/JWT signature.

Following are examples of optional elements and their values:

  • alg - The key algorithm. It must match the signing algorithm in the JWS/JWT.
  • use - If present, must be sig.

The following JWKS includes the required elements and values and would be valid on Edge (from https://www.googleapis.com/oauth2/v3/certs):

{
   "keys":[
      {
         "kty":"RSA",
         "alg":"RS256",
         "use":"sig",
         "kid":"ca04df587b5a7cead80abee9ea8dcf7586a78e01",
         "n":"iXn-WmrwLLBa-QDiToBozpu4Y4ThKdwORWFXQa9I75pKOvPUjUjE2Bk05TUSt7-V7KDjCq0_Nkd-X9rMRV5LKgCa0_F8YgI30QS3bUm9orFryrdOc65PUIVFVxIwMZuGDY1hj6HEJVWIr0CZdcgNIll06BasclckkUK4O-Eh7MaQrqb646ghFlG3zlgk9b2duHbDOq3s39ICPinRQWC6NqTYfqg7E8GN_NLY9srUCc_MswuUfMJ2cKT6edrhLuIwIj_74YGkpOwilr2VswKsvJ7dcoiJxheKYvKDKtZFkbKrWETTJSGX2Xeh0DFB0lqbKLVvqkM2lFU2Qx1OgtTnrw",
         "e":"AQAB"
      },
      {
         "kty":"EC",
         "alg":"ES256",
         "use":"enc",
         "kid":"k05TUSt7-V7KDjCq0_N",
         "crv":"P-256",
         "x":"Xej56MungXuFZwmk_xccvsMpCtXmqhvEEMCmHyAmKF0",
         "y":"Bozpu4Y4ThKdwORWFXQa9I75pKOvPUjUjE2Bk05TUSt"
      }
   ]
}

ref: https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview#about-jwks
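
The structural rules in that answer (required members per kty, a unique kid that the policy uses to pick the key, alg and use consistency) turned into a stdlib-only Python checker. This is an added example, not code from this thread, from Apigee or from RFC 7517. It goes a little beyond the answer: it decodes the base64url parameters to check coordinate and modulus sizes, and it flags members that only belong in a private key (RFC 7517 lists "d" as a private parameter), which the first JWKS posted in the question carries. The kids ec1 and rsa1 and the all-zero coordinates and modulus bytes are constructed placeholders, not real key material; POSTED_EC_KEY is the questioner's key copied from the post.

```python
"""Structural checks on a JWKS (RFC 7517/7518) before it is trusted for JWT verification."""
import base64

# Public members every key of a given type must carry (RFC 7518, section 6).
REQUIRED = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "oct": {"k"}}
# Members that only appear in private or symmetric keys and must never be published.
PRIVATE = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}, "EC": {"d"}, "oct": {"k"}}
# Curve name -> (coordinate length in bytes, the JWS alg defined for that curve).
CURVES = {"P-256": (32, "ES256"), "P-384": (48, "ES384"), "P-521": (66, "ES512")}
SIG_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
            "ES256", "ES384", "ES512", "HS256", "HS384", "HS512"}
B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def b64url_decode(value):
    """Decode an unpadded base64url string, the encoding JWK parameters use."""
    if not isinstance(value, str) or not value or set(value) - B64URL:
        raise ValueError("not an unpadded base64url string")
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def check_jwk(jwk):
    """Return the problems found in one JWK; an empty list means it is usable as a public key."""
    problems = []
    kty = jwk.get("kty")
    if kty not in REQUIRED:
        return [f"unsupported or missing kty {kty!r}"]
    missing = REQUIRED[kty] - set(jwk)
    if missing:
        problems.append(f"missing {sorted(missing)}")
    leaked = PRIVATE[kty] & set(jwk)
    if leaked:
        problems.append(f"private material present: {sorted(leaked)}")
    use, alg = jwk.get("use"), jwk.get("alg")
    if use == "enc" and alg in SIG_ALGS:
        problems.append(f"use=enc but alg {alg} is a signature algorithm")
    try:
        if kty == "EC":
            crv = jwk.get("crv")
            if crv not in CURVES:
                problems.append(f"unsupported crv {crv!r}")
            else:
                size, crv_alg = CURVES[crv]
                for coord in ("x", "y"):
                    if coord in jwk and len(b64url_decode(jwk[coord])) != size:
                        problems.append(f"{coord} is not {size} bytes")
                if alg is not None and alg != crv_alg:
                    problems.append(f"alg {alg} does not match crv {crv}")
        elif kty == "RSA":
            if "n" in jwk:
                bits = int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
                if bits < 2048:
                    problems.append(f"modulus is only {bits} bits")
            if alg in SIG_ALGS and alg[:2] not in ("RS", "PS"):
                problems.append(f"alg {alg} is not an RSA signature algorithm")
    except ValueError as exc:
        problems.append(f"bad base64url: {exc}")
    return problems


def check_jwks(jwks):
    """Check a whole key set; returns {kid (or #index when absent or duplicate): [problems]}."""
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list):
        return {"*": ["top-level object must have a 'keys' array"]}
    report = {}
    for i, jwk in enumerate(keys):
        problems, kid = check_jwk(jwk), jwk.get("kid")
        if kid is None:
            problems.append("no kid: a verifier cannot select this key from the set")
        elif kid in report:
            problems.append(f"duplicate kid {kid!r} in the key set")
        report[kid if kid is not None and kid not in report else f"#{i}"] = problems
    return report


def select_verification_key(jwks, kid, alg):
    """Return the key matching a JWS header's kid and alg, or None; keys with problems never match."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("alg", alg) == alg and not check_jwk(jwk):
            return jwk
    return None


# The questioner's first JWKS entry as posted: P-256 coordinates plus a private "d".
POSTED_EC_KEY = {"kty": "EC", "crv": "P-256", "kid": "demoid", "use": "enc", "alg": "ES256",
                 "d": "7MJbpdnCfFODZApvMpjgtVrJsePt2_y-_D3wUkzlUvA",
                 "x": "qQy5GfBw9l3ArH-zH61gXtzTDmGZqjN6dAb-8IFpRE4",
                 "y": "hm1rHBR4vwfJo8W2bH7Um_ui5UAfWj_1UbiMJPd7RlQ"}
# Constructed public keys: correct sizes (32-byte coordinates, 2048-bit modulus), placeholder bytes.
CLEAN_EC_KEY = {"kty": "EC", "kid": "ec1", "use": "sig", "alg": "ES256", "crv": "P-256",
                "x": "A" * 43, "y": "A" * 43}
CLEAN_RSA_KEY = {"kty": "RSA", "kid": "rsa1", "use": "sig", "alg": "RS256",
                 "n": "g" + "A" * 341, "e": "AQAB"}
SAMPLE_JWKS = {"keys": [POSTED_EC_KEY, CLEAN_EC_KEY, CLEAN_RSA_KEY]}

if __name__ == "__main__":
    print(check_jwks(SAMPLE_JWKS))
```

Run against the sample set, the two constructed keys come back clean and the posted key is reported twice: it carries "d", so publishing it as a JWKS hands out the private scalar, and its use is "enc" while ES256 is a signature algorithm. select_verification_key mirrors what the answer says the policy does with kid, but refuses a key that fails the checks even when the kid matches, and it also requires the header alg to agree with the key's alg so an RSA key cannot be picked for an ES256 token.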

Do you see any problem with my JWKS? if so, what is your recommendation?

You showed two distinct JWKS, each with a single key.

The first has a key type (kty) of "EC", which means it is suitable for use with elliptic curve encryption algorithms.

The second has a kty of "RSA", which means it is suitable for use with RSA-based encryption algorithms.

There's nothing I can see that is "wrong" with either of the JWKS you showed.