Hello,
We are trying to implement the validation of a JWT signed using a ES256 algorithm
The header looks like this:
{"alg":"ES256","typ":"at+jwt","kid":"MyKeyID"}
The JWKS looks like this:
When we trace the call the KeyID seems correctly identified but we still get the steps.jwt.noMatchingPublicKey error.
What did we miss?
Sorry about that.
There is a logic error in the key selection for ES256, in Apigee EDGE (internal reference b/195619555). This bug has been fixed in hybrid and X, but the fix apparently has not yet been released in Apigee EDGE. Basically, the error is: the policy fails to select a matching key, if the kty is EC, and the "use" field is present in the JWK. (Don't ask)
So the workaround is to eliminate the "use" field in the JWK. If you don't control the JWK you cannot do it directly. So a possible way to do it is to introduce a proxy between your policy and the JWKS endpoint, which manipulates the JWKS payload and strips out the "use" field. You would probably use a JavaScript callout to do that payload modification. It would look like this:
// modify the payload of a JWKS to remove the "use" fields in each EC key
var payload = JSON.parse(context.getVariable('response.content'));
payload.keys.forEach(function(jwk) {
  // only EC keys trigger the bug; other key types are left untouched
  if (jwk.use && jwk.kty == 'EC') { delete jwk.use; }
});
context.setVariable('response.content', JSON.stringify(payload));
Another way to solve the problem is to use a ServiceCallout within your proxy to retrieve the JWKS, and then do the same modification, and refer to the modified JWKS in the VerifyJWT policy (instead of pointing to a JWKS URI). But you'd want to cache the result of that ServiceCallout, which means 6-7 policies. It seems easier to me to just wrap the modification of the JWKS into a separate proxy. When VerifyJWT retrieves a JWKS from a URI, it automatically caches it, so you wouldn't need to do it yourself if you used the proxy-the-JWKS-endpoint approach.
I think you can probably search here on the community to find prior reports of this problem... and maybe see what other people did to solve it.