I'm trying to implement JWT signing using DinoChiesa's code: https://github.com/apigee/iloveapis2015-jwt-jwe-jws/tree/master/jwt_signed/callout
However, when I call the service I get the following error: com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: The shared secret size must be at least 256 bits
How can I fix this?
I've added the following JAR files:
And my policy is like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="true" name="Java-Generate-JWT">
    <DisplayName>Java Generate JWT</DisplayName>
    <Properties>
        <Property name="algorithm">HS256</Property>
        <Property name="secret-key">secret</Property>
        <!-- standard claims -->
        <!--<Property name="subject">http://dinochiesa.net</Property>-->
        <!--<Property name="issuer">ApigeeEdge-{organization.name}-{environment.name}-{request.path}</Property>-->
        <!--<Property name="audience">{apiproxy.name}</Property>-->
        <Property name="expiresIn">86400</Property> <!-- in seconds -->
        <!-- custom claims -->
        <Property name="cc1">1</Property>
        <Property name="cc2">2</Property>
    </Properties>
    <ClassName>com.apigee.callout.jwtsigned.JwtCreatorCallout</ClassName>
    <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.6.jar</ResourceURL>
</JavaCallout>
You are using "secret" as your password. You need something at least 32 characters long.
So try "secret01234567890ABCDEFGHIJKLMNO"
or... ideally you will use something random for the secret key.
The key my client generates is 20 characters.
Can I change the minimum in the code? And if so, where?
The JWT library that is doing the signing is Nimbus.
That is where the restriction is happening. It's not in any code I've written, not anywhere you could change it.
When you say "the key my client generates"... how is that happening? How is the secret being generated and shared?
Are you using the key + secret in the Apigee Developer app? If so you can get a 32-char secret out of that system.
We have a client which uses Apigee and a shared client key for HS256 JWT, and it fails with the same exception. How do we inform/get a 32-char secret from Apigee?
You can file a request with Apigee support via the support portal. Ask them to set the org property
keymanagement.consumer.secret.length
...to at least 43. (for Entropy requirements)
Will try to request and educate on the vulnerabilities, but a curious question on the way the Apigee policy with Generate JWT does allow it, but via the Java code (GitHub) it fails. Do both use different JWT libraries, one more relaxed that generates, and the other that fails (which is better at meeting the requirements - https://tools.ietf.org/html/rfc7518#section-3.2)? Or is it not mandating, but more of a recommendation?
The Apigee built-in policy extends the secret key with zeros, as per the specification on HMAC. So ... it complies with the technical requirements, but ... it does not _enforce_ good key standards.
The Java callout delegates to a third-party library which does enforce key length requirements.
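As an added illustration (this is not code from the original posts, from the callout on GitHub, or from the Nimbus library), the Python below reproduces the two points made in this thread: the 256-bit minimum for HS256 that the callout's library enforces (the check and its error text are mirrored here for illustration), and the HMAC zero-padding behaviour that lets a permissive signer accept a short key. It also mints a random secret of the size being recommended. Function names, the demo payload and the constructed sample keys are my own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: a key for HS256 must be at least 256 bits (32 bytes).
MIN_HS256_KEY_BYTES = 32
# RFC 2104: HMAC-SHA256 pads keys shorter than the hash block size (64 bytes) with zero bytes.
SHA256_BLOCK_BYTES = 64


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_secret() -> str:
    """32 random bytes, base64url encoded: exactly 43 characters without padding."""
    return b64url(secrets.token_bytes(MIN_HS256_KEY_BYTES))


def hs256_sign(key: bytes, payload: dict, enforce_min_length: bool = True) -> str:
    """Mint a compact-serialised HS256 JWT.

    enforce_min_length=True mirrors a strict library and rejects keys under 256 bits;
    enforce_min_length=False behaves like a permissive signer that lets HMAC zero-pad the key.
    """
    if enforce_min_length and len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("The shared secret size must be at least 256 bits")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def hs256_verify(key: bytes, token: str) -> bool:
    """Verify an HS256 token: pin the algorithm, then compare MACs in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def rejects_short_key(key: bytes) -> bool:
    """True if the strict signer refuses this key (the error the original poster hit)."""
    try:
        hs256_sign(key, {"sub": "demo"})
        return False
    except ValueError:
        return True


def zero_padding_is_equivalent(short_key: bytes) -> bool:
    """Show the HMAC rule the permissive policy relies on: a key shorter than the
    block size and that same key padded with zero bytes produce identical signatures."""
    padded = short_key + b"\x00" * (SHA256_BLOCK_BYTES - len(short_key))
    payload = {"sub": "demo"}
    return hs256_sign(short_key, payload, enforce_min_length=False) == hs256_sign(
        padded, payload, enforce_min_length=False
    )


if __name__ == "__main__":
    # Constructed sample: the 6-byte (48-bit) key from the question, versus a random 256-bit one.
    print("strict signer rejects b'secret':", rejects_short_key(b"secret"))
    print("'secret' == 'secret' + zero padding under HMAC:", zero_padding_is_equivalent(b"secret"))
    secret = generate_secret()
    key = b64url_decode(secret)
    token = hs256_sign(key, {"sub": "demo", "cc1": 1, "cc2": 2})
    print(f"{len(secret)}-char secret -> {len(key)} bytes; token verifies:", hs256_verify(key, token))
```

Two things worth taking from the run: 43 base64url characters without padding is exactly what 32 random bytes encode to, which is where a length of 43 lines up with the 256-bit minimum; and a short key padded with zeros passes a plain byte-length check while carrying only the original key's entropy, which is why the advice in this thread is a random secret rather than a longer string built from a short one.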