
Question about VerifyJWT policy

We are using the VerifyJWT policy to decrypt the content. This is our current configuration:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT continueOnError="false" enabled="true" name="VJWT-policy">
  <DisplayName>VJWT-policy</DisplayName>
  <Algorithms>
    <Key>ECDH-ES+A256KW</Key>
  </Algorithms>
  <Source>variable_containing_the_jwe</Source>
  <PrivateKey>
    <Value ref="private.encryption-key"/>
  </PrivateKey>
</VerifyJWT>

We have ensured that all of our steps before this are correct, and we have verified that most of the requirements are met.

I have verified the keys used in this process (both the public and the private key) using an online JWT tool, and I am able to decrypt/verify it properly. But in Apigee we are getting this InvalidToken error, and this is the error from the debug: Payload of JWE object is not a valid JSON object

Has anyone verified/decrypted an ECDH-ES+A256KW token before?

Thanks!

Solved
1 ACCEPTED SOLUTION

Have you seen this question?

Maybe you two are working together? 

The short answer is Apigee's built-in policies handle encrypted JWT, but not the general case of JWE, at this time.

If you want the general case of JWE, you need to resort to a Java callout. 

See the answer linked to the question above for more details.


2 REPLIES

Ah yes, this is similar. I'll just reply from that thread. But yes, upon checking, VerifyJWT does not yet support general decryption at the moment. So we will use an OOB approach for this, maybe a cloud function to do the decryption/decoding of the token. Thanks!