Hello,
I'm currently getting this error below:
and below is the configuration for the GenerateJWS policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWS continueOnError="false" enabled="true" name="GJWS-GenerateDPoPProofJWT">
<DisplayName>GJWS-GenerateDPoPProofJWT</DisplayName>
<Type>Signed</Type>
<Algorithm>ES256</Algorithm>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<PrivateKey>
<Value ref="private.private-key"/>
</PrivateKey>
<!--<ExpiresIn>30m</ExpiresIn> -->
<AdditionalHeaders>
<Claim name="typ">dpop+jwt</Claim>
<Claim name="jwk">header</Claim>
</AdditionalHeaders>
<Payload ref="payload"/>
<OutputVariable>authHeader</OutputVariable>
</GenerateJWS>
JavaScript policy for building the payload and header for signing:
// For generating the DPoP header
function generateHeader() {
    var url = context.getVariable("URL") + "/token";
    print(url);
    var jwksPayload = JSON.parse(context.getVariable("jwks")); // Retrieve JWKS from KVM
    var jwk = jwksPayload.keys[0]; // Use the first key in the set
    print(JSON.stringify(jwk));
    var header = {
        "jwk": {
            "kty": jwk.kty,
            "kid": jwk.kid,
            "crv": jwk.crv,
            "x": jwk.x,
            "y": jwk.y,
            "use": jwk.use,
            "alg": "ES256"
        },
        "alg": "ES256"
    };
    return header;
}
// For generating the DPoP payload
function generatePayload() {
    var url = context.getVariable("URL") + "/token";
    var jti = context.getVariable("uuid"); // Unique identifier for this proof
    var currentTime = Math.floor(Date.now() / 1000);
    var payload = {
        "htu": url,
        "htm": "POST",
        "jti": jti,
        "iat": currentTime,
        "exp": currentTime + 120
    };
    return payload;
}
var header = generateHeader();
var payload = generatePayload();
// Expose both as JSON strings for the GenerateJWS policy
context.setVariable("header", JSON.stringify(header));
context.setVariable("payload", JSON.stringify(payload));
print(JSON.stringify(header));
print(JSON.stringify(payload));
To add, this is the desired output or structure for the header of the dpop+jwt, based on DPoP Proof JWT Syntax:
{
  "typ": "dpop+jwt",
  "alg": "ES256",
  "jwk": {
    "kty": "EC",
    "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
    "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
    "crv": "P-256"
  }
}
which I am unable to produce.
I would like to know what I'm doing wrong here. Thanks! @dchiesa1 @kurtkanaskie @sidd-harth @anilsr
It seems the policy is preventing you, at runtime, from setting the jwk element specifically.
So if you need that... you'd need to file a feature request.
I don't know why that element is being prohibited.
Hello @dchiesa1,
Yes, you're right—it appears to be an issue with the feature. However, after attempting a different approach, I found a solution. I used an AssignMessage policy with an AssignVariable to create a JWK object, with the type set to map. After that, it worked perfectly. The generated token no longer contains escaped characters and now looks like this:
{
  "typ": "dpop+jwt",
  "alg": "ES256",
  "jwk": {
    "kty": "EC",
    "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
    "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
    "crv": "P-256"
  }
}
From the AM policy:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage continueOnError="false" enabled="true" name="AM-SetDPoPJWTHeader">
<DisplayName>AM-SetDPoPJWTHeader</DisplayName>
<Properties/>
<AssignVariable>
<Name>jwkHeader</Name>
<Ref>jwk_dpop_header</Ref> <!-- I just retrieved the jwk header from the previous js policy in the same flow -->
</AssignVariable>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
I also updated this part of the GenerateJWS policy:
<AdditionalHeaders>
<Claim name="typ">dpop+jwt</Claim>
<Claim name="jwk" ref="jwkHeader" type="map"/>
</AdditionalHeaders>
Brilliant!