@racheldeng wrote:
But how can I get a decrypted token from verifyjwt policy? There is no parameter in embedded policy
This is a demonstration of the GenerateJWT and VerifyJWT policies in Apigee , specifically showing ENCRYPTED JWT.
https://www.youtube.com/watch?v=uWsQkN1fY7Y
This screencast is from a few years ago, and shows the older, now out-of-date Apigee UI, but the policy in the current Apigee with the new UI works the same way.
If you watch it, you can see that after you use VerifyJWT to decrypt an encrypted token, your API proxy has access to the JSON hash that had been encrypted, and you can read all the properties in that JSON hash, and act on them.
You said "how can I get a decrypted token". If we are being careful with words, that is not quite a correct question to ask. An Encrypted JWT is itself a token. When you decrypt, you do not get a token out. You get a JSON payload out. The output is not a token, it's a JSON hash. There are properties contained within the hash. If you use VerifyJWT in Apigee to decrypt an encrypted JWT, you will get that JSON hash and you will have access to any of the claims or properties within the hash.
@racheldeng wrote:
There is no parameter in embedded policy
I'm sorry, I don't understand what you mean by that.
In your original question, you asked
@racheldeng wrote:
What’s the standard process for APIGEE handle an encrypted and signed token?
THAT is a different question. When I hear people use the phrase "encrypted and signed token" , most often I think people are referring to a signed JWT, which is then wrapped into a JWE. a JWE is not the same as an encrypted JWT.
Let me take a step back
- JWT has two variants: signed and encrypted. The JWT and these variants are defined in IETF RFC 7519
- most often when people use the term "JWT" they refer to signed JWT. It is by far the more commonly used variant. Many people are not even aware that there is such a thing as "encrypted JWT". IDPs like Okta or Entra or Google Identity... issue signed JWT.
- Signing and encrypting in JWT are defined in JWS (IETF RFC 7515) and JWE (IETF RFC 7516), respectively
- The signed JWT is a special form of JWS, in which the signed payload is a JSON hash. In the general case, a JWS can sign "anything", it does not need to be JSON.
- the encrypted JWT is a special form of JWE, in which the encrypted payload is a JSON hash. In the general case, a JWE can encrypt "anything", the payload does not need to be JSON.
- Apigee has built-in policies to handle signed JWT or encrypted JWT
- Apigee has built-in policies to handle JWS
- Apigee does not have built-in policies to handle general-case JWE. You need to use a custom policy to handle this.
So, if you have a JWE wrapping a signed JWT, and you want Apigee to process it, you should
- use the custom policy to decrypt the JWE - https://github.com/DinoChiesa/Apigee-CustomPolicy-EncryptedJWT
- get the JWT that is the payload
- use the builtin policy to verify the signature on the signed JWT
..and it is up to you to manage the keys and to figure out which key to use for which crypto operation.
Here is an example showing that: https://github.com/DinoChiesa/Apigee-JWE-Wrapping-Signed-JWT-Sample
and here's a screencast of me walking through that example: https://youtu.be/MxvjI2COwMs
LinkedIn
Twitter
