Apigee JWT Verification not working when using public JWKs

I have a simple VerifyJWT policy listed below. I am passing an ID Token (obtained from the Google OAuth2 Playground after using the Google SSO flow for my user account) in the Authorization header (i.e. `Bearer <token>`) and seeing the error below. Am I missing something?

Error:

{"fault":{"faultstring":"Invalid token: policy(JWT-Verify)","detail":{"errorcode":"steps.jwt.InvalidToken"}}}

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="JWT-Verify">
    <DisplayName>JWT-Verify</DisplayName>
    <Algorithm>RS256</Algorithm>
    <Source>request.header.Authorization</Source>
    <PublicKey>
        <JWKS uri='https://www.googleapis.com/oauth2/v3/certs'/>
    </PublicKey>
</VerifyJWT>

Try removing the Source element? The documentation states that the element is not “necessary” when the token is passed as a bearer token in the Authorization header. What the documentation does not say is that if you specify a Source element, then the policy does not look for or strip a Bearer prefix. Therefore when you specify

  <Source>request.header.Authorization</Source>

…the policy will try to parse the entire value in the Authorization header as a token. If you supply a Bearer prefix, that parse will fail.

I suspect that is the problem.

I’ll get the documentation updated to state this clearly.
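To make the behaviour described in this answer reproducible without an Apigee environment, here is an added example (not code from the original post, and not Apigee's implementation) that models what a VerifyJWT-style check does with an Authorization header: pull the token out of the header, parse the three segments, look the `kid` up in a JWKS, verify the RS256 signature, and check `exp`, `iss` and `aud`. Everything in it is constructed for the demo: the RSA key pair (small and deterministic, never for real use), the JWKS document, the key id `demo-key-1`, the issuer and audience strings, and the clock value. `extract_token` is a model of the two behaviours the answer describes (explicit Source takes the header value verbatim; no Source expects and strips `Bearer `), and `run_demo` runs the same token through both, so you can see the `InvalidToken` outcome arise from the unstripped prefix.

```python
# Added example, not code from the original post or from Apigee. A stand-alone model
# of the checks a VerifyJWT-style policy performs on an Authorization header, so the
# failure mode from the thread (a "Bearer " prefix that is not stripped) can be
# reproduced offline. The RSA key pair, the JWKS, the key id "demo-key-1", the
# issuer/audience strings and the clock value are all constructed for this demo.
import base64
import hashlib
import json
import random

B64URL_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Strict: a JWT segment may only contain base64url characters (no spaces, no '=').
    if not segment or set(segment) - B64URL_CHARS:
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# --- constructed RS256 key material (demo-size, deterministic; never use for real) ---
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_keypair(bits: int = 1024, seed: int = 7):
    rng = random.Random(seed)  # seeded so the demo is reproducible
    def prime():
        while True:
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand
    e = 65537
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) % e and (q - 1) % e:  # guarantees gcd(e, phi) == 1
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, k)

def make_jwks(n: int, e: int, kid: str) -> dict:
    to_b64 = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": to_b64(n), "e": to_b64(e)}]}

def make_token(claims: dict, n: int, d: int, kid: str) -> str:
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def extract_token(header_value: str, explicit_source: bool) -> str:
    # Model of the behaviour described in the answer: with an explicit <Source> the
    # policy takes the header value verbatim; without one it expects and strips "Bearer ".
    if explicit_source:
        return header_value
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("Authorization header does not carry a Bearer token")
    return token.strip()

def verify_jwt(token: str, jwks: dict, now: int, issuer: str, audience: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))  # ValueError if "Bearer " is still attached
    if header.get("alg") != "RS256":  # pin the algorithm: never accept "none" or an HMAC downgrade
        raise ValueError("unexpected alg %r" % header.get("alg"))
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no JWK with kid %r" % header.get("kid"))
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not rs256_verify((parts[0] + "." + parts[1]).encode(), b64url_decode(parts[2]), n, e):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("issuer/audience mismatch")
    return claims

def run_demo() -> dict:
    """Same token, three ways of reading the header; returns a label -> outcome map."""
    n, e, d = make_rsa_keypair()
    jwks = make_jwks(n, e, "demo-key-1")
    now = 1_700_000_000  # constructed clock value
    claims = {"iss": "https://issuer.example", "aud": "demo-client", "sub": "user-1", "exp": now + 3600}
    token = make_token(claims, n, d, "demo-key-1")
    results = {}
    for label, value, explicit in (("no_source_bearer", "Bearer " + token, False),
                                    ("source_bearer", "Bearer " + token, True),
                                    ("source_raw_token", token, True)):
        try:
            results[label] = verify_jwt(extract_token(value, explicit), jwks, now,
                                        claims["iss"], claims["aud"])["sub"]
        except ValueError as exc:
            results[label] = "InvalidToken: " + str(exc)
    return results

if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, "->", outcome)
```

Running it shows `no_source_bearer` and `source_raw_token` both yield the verified subject, while `source_bearer` fails at the very first step, parsing the header segment, because `Bearer eyJ...` is not base64url. That is the same place a real policy gives up, which is why the error surfaces as a generic `InvalidToken` rather than a signature or claim failure. The strict `b64url_decode` is deliberate: a lenient decoder that silently drops non-alphabet characters would turn a prefix bug into confusing garbage instead of a clean rejection.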

Thanks for the answer @dchiesa1. I can confirm your suggestion worked.