
VerifyJWT - fails with NullPointerException

Hi community,

We have built a JWT validation flow that does all the standard steps to validate an RS256 token.

LookupCache - retrieve JWKS from cache
ServiceCallout - conditional, get from jwk_uri if no match on cache
PopulateCache - conditional, update cache 
AssignMessage - conditional, if not from cache copy to variable
VerifyJWT - fails with NullPointerException

Because we thought the issue was related to our internal flow, we made a change to use VerifyJWT directly with a URI, but it still fails.

When tracing, we can see the keys have been downloaded, but the policy is failing with NullPointerException.

Below are the logs from the Message Processor:

2024-11-xx aa:bb:cc,005 org:ABC env:abc-DEV api:dummyTest2 rev:10 messageid:<removed>-4286-44484-18 policy:VJ-CheckAuthToken NIOThread@3 ERROR STEPDEFINITIONS.JWT - VerifyJWTStepExecution.verifyJwt() : Exception while verifying JWT {}
java.lang.NullPointerException: null
at com.apigee.steps.jwt.verify.jwt.VerifyJWTStepExecution.verifyJwt(VerifyJWTStepExecution.java:357)
at com.apigee.steps.jwt.verify.jwt.VerifyJWTStepExecution.execute(VerifyJWTStepExecution.java:135)
(...)


Other points noticed:

- if we supply an expired JWT it will throw the expected steps.jwt.TokenExpired error

- when supplying a valid JWT the NPE will be raised

- the JSON returned by the jwk_uri is valid JSON, although we noticed the "alg" property is not defined. Can this be a mandatory field on the Apigee end? Meanwhile the provider added the field, but it still fails

- we are using Apigee OPDK Version 4.52.00.00

Thank you.
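The lookup order listed in the question (cache, fetch from the JWKS endpoint on a miss, repopulate, then pick the key for the token), written out as an added Python example; it is not Apigee's implementation and not code from this thread. It covers key resolution only, not signature verification, and treats a JWK's "alg" as optional per RFC 7517; `JwksResolver`, `select_jwk`, `make_token` and `SAMPLE_JWKS` are names and data constructed for illustration.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_header(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))

def select_jwk(jwks, header, allowed_alg="RS256"):
    # The verifier, not the token, decides which algorithm is acceptable.
    if header.get("alg") != allowed_alg:
        raise ValueError("unexpected alg in JWT header")
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") != header.get("kid") or jwk.get("kty") != "RSA":
            continue
        if jwk.get("use", "sig") != "sig":
            continue
        # "alg" is optional in a JWK (RFC 7517, section 4.4): absent is fine,
        # but if present it must agree with the enforced algorithm.
        if jwk.get("alg", allowed_alg) == allowed_alg:
            return jwk
    return None

class JwksResolver:
    def __init__(self, fetch):
        self.fetch = fetch    # callable returning the JWKS document
        self.cached = None
        self.fetches = 0

    def resolve(self, token):
        header = jwt_header(token)
        jwk = select_jwk(self.cached, header) if self.cached else None
        if jwk is None:       # cold cache or unknown kid: fetch, repopulate
            self.cached = self.fetch()
            self.fetches += 1
            jwk = select_jwk(self.cached, header)
        if jwk is None:
            raise KeyError("no usable key for kid %r" % header.get("kid"))
        return jwk

def make_token(header):       # constructed sample token, dummy signature
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join(enc(p) for p in (json.dumps(header).encode(), b'{"sub":"demo"}', b"sig"))

SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "n": "constructed", "e": "AQAB"}]}
```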

 

 

ACCEPTED SOLUTION


@tcavaleiro wrote:

I start to suspect this is related to json_claims on AdditionalClaims. We are currently troubleshooting a bit more to reach a conclusion, but we might have found something related to this.


Yes, you are correct. I'm sorry, last night when I looked at this, I had missed it. But it is not related to the JWKS. It's related to the additional claims. If you remove that, it will probably work.


@tcavaleiro wrote:

the support portal (although it allows to log in) is not allowing to create a ticket,


You need to be using https://console.cloud.google.com/support to report support tickets now. Even if you are using OPDK, you must use console.cloud.google.com for the support portal. That means you need a GCP organization and project set up, and a billing account.

If you do not have all of this set up, please send an email to saas-support-onboarding@google.com and ask for assistance.
