
Creating your own JWK in Apigee

Hello again @dchiesa1,

I have another question: can the following process of creating an ephemeral key pair for use in DPoP JWT signing be implemented in Apigee?

Scenario: Client application generates an ephemeral (one-time) keypair on each API request.

Note: Please ensure a new ephemeral keypair is generated on each request to ensure DPoP Proof is always unique per transaction.

  • Ephemeral public key (JWK)
  • Ephemeral private key

With the following information:

  • alg: ES256
  • use: sig

Thank you.

Accepted solution

I wrote up how to do an RFC7800 POP token using Apigee a long while ago.

https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/POP-Using-JWT-to-prove-possession-of-... 

and published a repo

https://github.com/DinoChiesa/Apigee-Proxy-JWT-POP

As I understand the POP flow, it is the PRESENTER (CLIENT) that creates the ephemeral keypair. Then the presenter publishes the corresponding public key, to facilitate the proof-of-possession protocol.

If Apigee IS NOT acting as the presenter, then you do not need Apigee to create an ephemeral keypair. If Apigee IS the presenter, then you DO need to do that, and I suppose if I were doing that, I would use a Java callout for that purpose.

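For the case where the presenter has to mint the key itself, the following is an added example, not code from the thread or from the linked repo. It is plain JDK code (Java 9 or later, no Apigee classes) showing the logic a Java callout would wrap: generate a fresh P-256 keypair, publish the public half as a JWK with `alg: ES256` and `use: sig`, and sign a DPoP proof with the private half. The class name, the sample URL and the proof layout (`typ` of `dpop+jwt`, claims `jti`, `htm`, `htu`, `iat`, taken from RFC 9449) are assumptions, since the thread does not spell them out.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

public class EphemeralDpopProof { // hypothetical class name
  private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
  // Encode a P-256 coordinate as exactly 32 big-endian bytes (drop sign byte, left-pad zeros).
  static String coord(BigInteger v) {
    byte[] raw = v.toByteArray(), out = new byte[32];
    int n = Math.min(raw.length, 32);
    System.arraycopy(raw, raw.length - n, out, 32 - n, n);
    return B64URL.encodeToString(out);
  }
  static String b64(String s) { return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

  // Returns a compact DPoP proof signed with a keypair created for this call only.
  public static String createProof(String htm, String htu) throws GeneralSecurityException {
    // The values are placed into JSON by hand below, so refuse anything that would need escaping.
    if (!htm.matches("[A-Z]+") || !htu.matches("[\\x21\\x23-\\x5B\\x5D-\\x7E]+"))
      throw new IllegalArgumentException("unexpected characters in htm/htu");
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
    kpg.initialize(new ECGenParameterSpec("secp256r1")); // P-256, the curve ES256 uses
    KeyPair kp = kpg.generateKeyPair(); // the private key never leaves this method
    ECPublicKey pub = (ECPublicKey) kp.getPublic();
    String jwk = String.format(
        "{\"kty\":\"EC\",\"crv\":\"P-256\",\"use\":\"sig\",\"alg\":\"ES256\",\"x\":\"%s\",\"y\":\"%s\"}",
        coord(pub.getW().getAffineX()), coord(pub.getW().getAffineY()));
    String header = "{\"typ\":\"dpop+jwt\",\"alg\":\"ES256\",\"jwk\":" + jwk + "}";
    String payload = String.format("{\"jti\":\"%s\",\"htm\":\"%s\",\"htu\":\"%s\",\"iat\":%d}",
        UUID.randomUUID(), htm, htu, Instant.now().getEpochSecond());
    String signingInput = b64(header) + "." + b64(payload);
    // JWS ES256 needs the raw 64-byte R||S signature, not the DER form "SHA256withECDSA" emits.
    Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
    signer.initSign(kp.getPrivate());
    signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
    return signingInput + "." + B64URL.encodeToString(signer.sign());
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample request; each call uses a different key and a different jti.
    System.out.println(createProof("POST", "https://api.example.com/token"));
    System.out.println(createProof("POST", "https://api.example.com/token"));
  }
}
```

Because the keypair is a local variable, nothing persists between requests; the receiver verifies each proof against the `jwk` carried in that proof's own header.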