Hi all,
I have been trying to configure my policy to validate an external JWT, but it is failing the validation saying
"The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256".
I have tested the JWT token on JWT.IO and all looks okay there.
I am at a loss! I wish Apigee would have told me more in the error message.
I am creating JWT using HS256 algorithm, using Microsoft's System.IdentityModel.Tokens.Jwt .Net library.
For example, this JWT has been created by the same algorithm:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6Im1pcyIsIm5iZiI6MTUyNDU1NzkyNCwiZXhwIjoxNTUzNTg4MzI0LCJpYXQiOjE1MjQ1NTc5MjR9.7YjJNl2b4f8J6zoVETw9kQnOC6W9FxZQTECL9mXzgBE
The above JWT will be valid for a few days, if someone can try this out.
Help! Please let me know if you want more information.
This is my first message on these forums, so please help me provide more information in this context.
Calling out to @Omid Tahouri, @Dino.
Regards,
Rahul Kumar
I've looked and it works for me here. When using .NET libraries to create an HS256 token, I can validate the token using the Apigee Edge policy.
The .NET code I used to generate the token is like this:
    using System;
    using System.Text;
    using System.IdentityModel.Tokens.Jwt;

    // _passphrase, _name and _expiry are fields set elsewhere in the program.
    void Run()
    {
        var now = DateTime.UtcNow;
        // The HMAC key is the raw UTF-8 bytes of the passphrase; the verifier must use exactly the same bytes.
        var securityKey = new Microsoft.IdentityModel.Tokens.SymmetricSecurityKey(Encoding.UTF8.GetBytes(_passphrase));
        var signingCredentials = new Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey, "HS256");
        var header = new JwtHeader(signingCredentials);
        var payload = new JwtPayload
        {
            { "unique_name", _name },
            { "scope", "https://apigee.com/example" },
            { "iat", RenderAsEpoch(now) },
            { "nbf", RenderAsEpoch(now) },
            { "exp", RenderAsEpoch(now.AddSeconds(_expiry)) }
        };
        var secToken = new JwtSecurityToken(header, payload);
        var handler = new JwtSecurityTokenHandler();
        var tokenString = handler.WriteToken(secToken);
        Console.WriteLine("\ntoken:\n" + tokenString);
        var decodedToken = handler.ReadToken(tokenString);
        Console.WriteLine("\nDecoded: \n" + decodedToken);
    }

    // Seconds since the Unix epoch, as the iat/nbf/exp claims require (helper not shown in the original post).
    long RenderAsEpoch(DateTime t) =>
        (long)(t - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
This is my policy configuration.
    <VerifyJWT name="Verify-JWT-HS256-BasicNoAudience">
        <Algorithm>HS256</Algorithm>
        <Source>inbound.jwt</Source>
        <SecretKey>
            <Value ref="private.secretkey"/>
        </SecretKey>
    </VerifyJWT>
Initially I saw a verification failure. Upon further review, I had a mistake in the policy configuration. I had an incorrect value in the Secret key. When I verified the key was what I thought it was, it worked just fine.
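The failure mode in this thread, as an added example that is not part of the original thread or of Apigee: jwt.io decoding the payload proves nothing about the signature, and HS256 verification succeeds only when the verifier holds the exact key bytes the signer used. The code below is a self-contained, stdlib-only HS256 signer and verifier; the secret and claims are constructed for the demo, and a key that differs by a single trailing newline is enough to produce "signature invalid".

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the raw key bytes."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None):
    """Return (ok, reason). Checks alg, signature, then exp/nbf against `now`."""
    try:
        header_b64, payload_b64, sig_b64 = token.strip().split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse anything but the algorithm we expect
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "signature invalid for this key"
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "token not yet valid"
    return True, "ok"


# Constructed demo values (not the key or token from the thread).
SECRET = b"correct horse battery staple"
DEMO_CLAIMS = {"unique_name": "mis", "iat": 1524557924, "nbf": 1524557924, "exp": 1553588324}
DEMO_TOKEN = sign_hs256(DEMO_CLAIMS, SECRET)

if __name__ == "__main__":
    print(verify_hs256(DEMO_TOKEN, SECRET, now=1524558000))          # (True, 'ok')
    print(verify_hs256(DEMO_TOKEN, SECRET + b"\n", now=1524558000))  # trailing newline in the configured key
```

When an Apigee VerifyJWT policy reports an invalid signature for a token that "looks fine" on jwt.io, compare the bytes of the configured secret (encoding, trailing whitespace, base64 vs. plain text) against what the signer used before suspecting the token itself.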