
Use of B64 (base64) encoded keys in VerifyJWT policy

We need to verify a JWT token using a key which has been encoded to B64. We cannot decode the key and use the string because it contains non-printable characters (hence it is more secure than a plain-text key).

However, the VerifyJWT policy does not support this: adding the character references fails because the XML does not support v1.1 with control characters, and even if I feed in the decoded byte array from a JavaScript routine it does not work.

JWT.io shows how to support the use of B64-encoded keys to verify JWT signatures, so is this an Apigee shortcoming? Or is there a way of feeding a key into the XML which B64-decodes to non-printable bytes?

1 ACCEPTED SOLUTION

is there a way of feeding in a key to the XML which B64 decodes to non-printable?

Can you try this?

<VerifyJWT name='whatever'>
  <Algorithm>HS256</Algorithm>
  <SecretKey encoding='base64'>
    <Value ref='private.secret_key_base64encoded'/>
  </SecretKey>
  ...
</VerifyJWT>

Permitted values for encoding are: hex, base16, base64, base64url. The first two are synonyms. If no encoding attribute is present, then the key Value is decoded into bytes as a UTF-8 string. Interestingly, utf-8 is not one of the valid values you can use for the encoding attribute. (This seems like a bug to me.)

I tried to do the B64 decode using JavaScript and feed it into a variable... it does not work...

I suppose this fails because JavaScript context.setVariable() may coerce things to a string. Or it's a JavaScript array, which the VerifyJWT policy does not handle.

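The following is an added example, not code from the original thread or from Apigee, showing why the encoding attribute matters. It implements HS256 signing and verification with only the standard library and a hypothetical decode_secret() helper that mirrors the four documented encoding values (hex/base16, base64, base64url, or none meaning UTF-8). The key bytes (RAW_KEY) are constructed for the example and deliberately contain non-printable bytes. Verifying with the base64-decoded bytes succeeds; treating the base64 string itself as the key (the no-encoding behaviour), or a byte array coerced to its string form (the JavaScript failure mode described above), yields different key bytes and the signature check fails.

```python
import base64
import binascii
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Accepts padded or unpadded base64url input."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact JWS with HS256 over the raw key bytes."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Return True only if the token is well-formed, declares HS256, and the MAC matches."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False  # refuse algorithm confusion (e.g. "none")
        expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig))  # constant-time compare
    except (ValueError, binascii.Error):
        return False


def decode_secret(value: str, encoding=None) -> bytes:
    """Hypothetical helper mirroring SecretKey/Value's encoding attribute:
    hex|base16, base64, base64url, or no attribute (value taken as a UTF-8 string)."""
    if encoding is None:
        return value.encode("utf-8")
    enc = encoding.lower()
    if enc in ("hex", "base16"):
        return bytes.fromhex(value)
    if enc == "base64":
        return base64.b64decode(value, validate=True)
    if enc == "base64url":
        return b64url_decode(value)
    raise ValueError(f"unsupported encoding: {encoding}")


# Constructed key material: 42 bytes including NUL, DEL and high bytes,
# i.e. something that cannot be pasted into XML as a plain string.
RAW_KEY = bytes([0x00, 0x01, 0x7F, 0x80, 0xFF]) + b"not-printable-key-material-" + bytes(range(10))
KEY_B64 = base64.b64encode(RAW_KEY).decode("ascii")


def demo() -> dict:
    """Issuer signs with RAW_KEY; the verifier tries each way of supplying the key."""
    token = sign_hs256({"sub": "alice", "iss": "example"}, RAW_KEY)
    return {
        "base64": verify_hs256(token, decode_secret(KEY_B64, "base64")),  # correct bytes
        "hex": verify_hs256(token, decode_secret(RAW_KEY.hex(), "hex")),  # also correct bytes
        "utf8_of_b64_string": verify_hs256(token, decode_secret(KEY_B64)),  # base64 text used as key
        "coerced_array_string": verify_hs256(token, str(list(RAW_KEY)).encode()),  # "[0, 1, 127, ...]"
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'verified' if ok else 'REJECTED'}")
```

Only the base64 and hex rows verify; the other two fail because the HMAC key bytes differ from what the issuer used, which is exactly the mismatch seen when the encoding attribute is omitted or a decoded array is stringified on its way through a flow variable.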
