error verifying jwt

Google Cloud Apigee
,
1

Hello @dchiesa1 @kurtkanaskie ,

we’re getting below error for verify jwt policy

jwt.VJWT-Sample.error

Payload of JWE object is not a valid JSON object

error.class

com.apigee.steps.jwt.verify.VerificationException

this is how we configure the policy for decrypting the inbound token:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT continueOnError="false" enabled="true" name="VJWT-Sample">
    <DisplayName>VJWT-Sample</DisplayName>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <Algorithms>
        <Key>ECDH-ES+A256KW</Key>
        <Content>A256GCM</Content>
    </Algorithms>
    <Source>resource_response</Source>
    <PrivateKey>
        <Value ref="private.ec_privatekey"/>
    </PrivateKey>
    <TimeAllowance>86400s</TimeAllowance>
</VerifyJWT>

the assign message that we use for verify jwt:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage continueOnError="false" enabled="true" name="AM-ResourceDecryptionUsingPrivateKey">
    <DisplayName>AM-ResourceDecryptionUsingPrivateKey</DisplayName>
    <AssignVariable>
        <Name>private.ec_privatekey</Name>
        <Value>-----BEGIN PRIVATE KEY-----
MIGHAgEAMBNMBBbhjvjhg5675BHJGJHVJB7856GHJGHGBJKLJKLJLKJ87895/YZ9G
jhghjkgHJGHJGJHVBHJB79678VHJG678B8668b68B67B667GV67GG6BYJLBLLVLHV
9ySLIuvcYqd3qNzW9jB8MXchP4mgD9wtIvkUop76JOAdbSNVY8EBkeUd
-----END PRIVATE KEY-----</Value>
    </AssignVariable>
<AssignVariable>
        <Name>resource_response</Name>
       <!-- this is retrieved after the token call -->
<Value>eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJraWQiOiI4Smk5UHRTWS1wM1h0SHFfOWJBOWhUX1dt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiX1B5RGtzdHN4RTZadlhhUVpiT04wMm.....uzONYHrZEx8pTLMw</Value>
    </AssignVariable>
</AssignMessage>

note: the values provided are not the actual values that we use.

{
    "fault": {
        "faultstring": "Invalid token: policy(VJWT-Sample)",
        "detail": {
            "errorcode": "steps.jwt.InvalidToken"
        }
    }
}

We also check the token along with the private key using this tool: Online JWT tool which worked and we got the decoded payload and we saw the actual json. So I’m not sure what is wrong on the vjwt policy.

If there’s something that I’m missing, please let me know. Thank you.

Also, I’ve looked from this pages as well:
Does APIGEE supports JWE and Encryption? - Google Cloud Community
How to decode the encrypted JWE token using the EC… - Google Cloud Community
Solved: JWT verification failing in Apigee for azure b2C t… - Google Cloud Community

4 Likes
2

OK I understand what you wrote but I won’t be able to help diagnose this, not having access to the JWT.

The VerifyJWT policy will handle encrypted JWT.

Encrypted JWT is a special case of JWE. If you pass a JWE in place of an encrypted JWT, then… you may get the error you described.

I just tried this and reproduced what you reported.

To read more on this, see here: https://www.googlecloudcommunity.com/gc/Apigee/What-is-the-difference-between-a-JWE-and-an-encrypted-JWT/m-p/410230

3 Likes
3

@dchiesa1 , thank you for responding. From what I understand, there is no support for external callouts when using the ECDH algorithm. Please correct me if I’m mistaken.

So you see, Apigee has built-in support for “encrypted JWT”, which is to say, for JWT that are encrypted according to the JWE spec. Another way to say it is, Apigee has support for JWE, only if the encrypted thing is a JSON object. But Apigee does not have built-in support for JWE in general. For that you need to use the external callout, which is limited in that it supports only RSA-based crypto algorithms.

To add to what I’ve tried using the token retrieved this is what I got from trying your tool

CharK_0-1717034715275.png
CharK_0-1717034715275.png842×484 9.15 KB

then I provided the private key, this is what I got:

CharK_1-1717034793903.png
CharK_1-1717034793903.png837×320 14.2 KB

and trying the decoded payload results to this json payload

CharK_2-1717034898042.png
CharK_2-1717034898042.png833×482 8.36 KB

2 Likes
4

Upon checking for the java callout, it seems it support only RSA. The encryption that we received from the provider is ECDH in similar.

2 Likes
5

yes - support for ECDH keys can be a feature request for the Java callout. Specifically which Java callout are you using? Can you point me to the repo? is it this one: https://github.com/DinoChiesa/Apigee-CustomPolicy-EncryptedJWT ?

EDIT: I updated that callout to support ECDH crypto.

(Also, support for JWE ought to be a feature request for the Apigee built-in policy as well!)

4 Likes
6

I see… so if I understand correctly, this is a JWE that uses ECDH-ES+A256KW, which encrypts a payload which itself is a serialized, signed JWT. That JWT is signed with ES256.

3 Likes
7

I can work on that as an enhancement. I can’t tell you specifically when I’ll finish with that.

3 Likes
8

Hi Dino,

No problem on this one. Yea it would be best for us using a java or custom policy to decrypt this. Currently we are using a Cloud Function to do this necessary process.

3 Likes
9

Try the latest version of the callout - it does ECDH.

4 Likes
10

Thanks for this Dino, we will sure try this one to reduce the call from an external cloud function. Will let you know if it turns out to be okay.

Thanks again

2 Likes
11

Hello @dchiesa1 ,

Thanks for the latest version of the callout!

I already tried it and during the testing on different proxies, I experienced both success and an error. Here’s a breakdown of how I’m using it (please let me know if I’m doing anything incorrectly. Your help is greatly appreciated!).

Regarding the error, here’s what I’m getting:

from the debug of Proxy1:

CharK_1-1718009005000.png
CharK_1-1718009005000.png1531×674 33.3 KB

jwe_exception : java.lang.IllegalStateException: that key-encryption algorithm name is unsupported.
jwe_error : that key-encryption algorithm name is unsupported.

Here’s the policy config on Proxy1:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout continueOnError="false" enabled="true" name="JC-VerifyJWE-MyInfoV4">
    <DisplayName>JC-VerifyJWE-MyInfoV4</DisplayName>
    <Properties>
        <Property name="key-encryption">ECDH-ES+A256KW</Property>
        <Property name="source">response.content</Property>
        <Property name="private-key">{private.private-enc-key}</Property>
    </Properties>
    <!-- Verify a JWE containing a non-JSON payloads -->
    <ClassName>com.google.apigee.callouts.VerifyJwe</ClassName>
    <ResourceURL>java://apigee-callout-encrypted-jwt-20240603.jar</ResourceURL>
</JavaCallout>

Then, on Proxy 2, I tested it using the same properties and successfully obtained a JWE payload, which was successfully decrypted in the next policy.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout continueOnError="false" enabled="true" name="JC-VerifyJWE">
    <Properties>
        <Property name="key-encryption">ECDH-ES+A256KW</Property>
        <Property name="source">response.content</Property>
        <Property name="private-key">{private.private-key}</Property>
    </Properties>
    <!-- Verify a JWE containing a non-JSON payloads -->
    <ClassName>com.google.apigee.callouts.VerifyJwe</ClassName>
    <ResourceURL>java://apigee-callout-encrypted-jwt-20240603.jar</ResourceURL>
</JavaCallout>

from the debug of Proxy2:

CharK_0-1718008858620.png
CharK_0-1718008858620.png1749×723 196 KB

I also verified the tokens from both Proxy 1 and Proxy 2 using their respective private-key encryption with the Online JWT Tool to ensure that the key encryption used was correct, which it was. Therefore, I’m unsure why I encounter an error on Proxy1.

2 Likes
12

That’s interesting. I don’t have any good ideas why you would see a difference in behavior between one proxy and the next. It seems to me that you have exactly the same configuration as far as key encryption.

The I can suggest is to undeploy, and possibly delete, proxy 1. Then re-import that proxy and redeploy it.

3 Likes