creating your own jwk in Apigee

Char-K · May 22, 2024, 12:54am

Hello again @dchiesa1 ,

I have another question: can the following process of creating an ephemeral key pair for use in DPoP JWT signing be implemented in Apigee?

Scenario: Client application generates an ephemeral (One time) keypair on each API request.

Note: Please ensure a new ephemeral keypair is generated on each request to ensure DPoP Proof is always unique per transaction.

Ephemeral public key (JWK)
Ephemeral private key

With the following information:

alg: ES256
use: sig

Thank you.

dchiesa1 · May 22, 2024, 4:12pm

I wrote up how to do a RFC7800 POP token using Apigee a long while ago.

https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/POP-Using-JWT-to-prove-possession-of-a-key/ta-p/75953

and published a repo

https://github.com/DinoChiesa/Apigee-Proxy-JWT-POP

As I understand the POP flow, it is the PRESENTER (CLIENT) that creates the ephemeral keypair. Then the presenter publishes the corresponding public key, to facilitate the proof-of-possession protocol.

If Apigee IS NOT acting as the presenter, then you do not need Apigee to create an ephmeral keypair. If Apigee IS the presenter, then you DO need to do that, and I suppose if I were doing that, I would use a Java callout for that purpose.

Topic		Replies	Views
JWT vs PoP JWT Apigee apigee-general	5	1	August 9, 2019
Support for JWT token? Apigee api-runtime	11	21	November 17, 2016
Can Apigee generate key pair – private key and public key? Apigee api-runtime	8	9	October 23, 2020

creating your own jwk in Apigee

AI Suggested topics