Integrating Apigee proxy URL to validate JWT from Azure AD

Google Cloud Apigee
1

Hi Team,

We are using Azure AD to authenticate user in our back end Application by JWT token, same functionality we want to implement using Apigee proxy URL to access our back end application using Azure AD JWT token but we are getting following error “Invalid serialized JWE object: Missing fourth delimiter”

Pease see below screenshot :

Below is our policy configuration

Sanket_kokne_0-1672739950588.png
Sanket_kokne_0-1672739950588.png740×365 36.9 KB

Step 1: First policy is to fetch the key details from public faced URL (Azure AD):

Sanket_kokne_1-1672740125836.png
Sanket_kokne_1-1672740125836.png779×299 33.3 KB

Step 2 : In second policy we are caching response from the step 1.

Sanket_kokne_2-1672740351731.png
Sanket_kokne_2-1672740351731.png682×329 32.7 KB

Step 3: In Third policy we are performing the cache lookup operation

Sanket_kokne_3-1672740467277.png
Sanket_kokne_3-1672740467277.png788×298 32.1 KB

Step 4: In fourth policy we are removing the keyword “Bearer” from client request header and retaining the JWT token.

Sanket_kokne_4-1672740627206.png
Sanket_kokne_4-1672740627206.png736×336 30.9 KB

Step 5 : In fifth policy we are trying to verify the token with the cache public key from step 3.

Sanket_kokne_6-1672741195676.png
Sanket_kokne_6-1672741195676.png799×279 26.6 KB

Now we are using postman to hit proxy URL and using JWT token generated by our Azure AD.

This is our response :

{
“fault”: {
“faultstring”: “Invalid token: policy(Verify-JWT-1)”,
“detail”: {
“errorcode”: “steps.jwt.InvalidToken”
}
}
}

Please help us to know if any configuration changes required in our policy or any more details needed.
Thank you !

2

Have you considered using the PublicKey/JWKS element of the VerifyJWT policy? It will retrieve and cache (300 secs) the JWKS from a public URI for you. Also, when validating a JWT, Apigee will by default, retrieve the JWT from the Authorization header - including stripping the Bearer prefix.

I’m thinking you could replace your current flow policies with a single VerifyJWT policy. For example, the below VerifyJWT policy will validate a JWT from Google Identity using its public JWKS:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="JWT-Verify-RS256">
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <JWKS uri="https://www.googleapis.com/oauth2/v3/certs"/>
    </PublicKey>
    <Subject>some-subject</Subject>
    <Issuer>https://accounts.google.com</Issuer>
    <Audience>some-audience</Audience>
</VerifyJWT>