JWT Verification ES512 alg

Hi , My JWT Verification is failing, with this error:

the policy config:

<VerifyJWT>
  <DisplayName>JWT-Verify</DisplayName>
  <Algorithm>ES512</Algorithm>
  <Source>pingaccess_jwt</Source>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables> 
  <TimeAllowance>120s</TimeAllowance>
  <PublicKey> 
    <JWKS ref="calloutResponse.content"/> 
  </PublicKey> 
</VerifyJWT>

In the trace I can see the value of the kid in the JWKS variable and it matches the value of the kid from the decoded jwt header in the flow. This is the first time verifying an ES type of signature. I never had to parse the JWKS for any of the other signatures I’m wondering if I have to do something different with JWKS or if my policy config is off?

Here are the values from the trace:

calloutResponse.content

{
    "keys": [
        {
            "kty": "EC",
            "kid": "2f",
            "use": "sig",
            "alg": "ES512",
            "x": "AWNMBFYqbwYHMO1Zv9aYHyrIbXp4yFWJ5QiBuZ4yLMWyZPS7UhiuO0iwkE9gvyKQXI_6a0VXiiyk4NBhG4q9hKMH",
            "y": "AQln3coV6WAf-wHoVaehovYio0Foys_6xC4U8UzLzo88fgCxVUW8QsYiEmQ_tSt50EUFAKggp8nt2X_GER2iVE4K",
            "crv": "P-521"
        },
        {
            "kty": "EC",
            "kid": "2e",
            "use": "sig",
            "alg": "ES384",
            "x": "OZd3IT_NRIgtJdPiErW7EA2FtSlizmdLNGpq65WjCZUA7EpVAVQDYRnVYQYYFIG2",
            "y": "j4hRRaZ3BprvkyPF9NB2Kpxz1dr5jn9g9czJZ4znguB9GF989hNjCtlo00Ud2SRe",
            "crv": "P-384"
        },
        {
            "kty": "EC",
            "kid": "2d",
            "use": "sig",
            "alg": "ES256",
            "x": "kr2UZc2wKlw5szdFypPNvPx6bRhFanftadAfidt6TNo",
            "y": "_OslA7C8NV6Psj2ohIE1j90BmBeVPmxwcvZcbSBROUk",
            "crv": "P-256"
        },
        {
            "kty": "EC",
            "kid": "2c",
            "use": "sig",
            "alg": "ES512",
            "x": "AN82cL5862dMJb9Xpc2NbUyeWJQ1ZXFn3Hh5UrmTiVDXw5TJBzA9vSf23pbdafjWfK2fmMlEsZvoVUpZIjkrvSVM",
            "y": "AOxsGYubw7gfgkBonCZYQepwUxptQnzwwm2t7QsyiaPiSNuitig4bMsX-Fn51jMX96wv0Mel0RmyBb3TAKBk9yB6",
            "crv": "P-521"
        },
        {
            "kty": "EC",
            "kid": "2b",
            "use": "sig",
            "alg": "ES384",
            "x": "JPkD7llgmS-QbtzPSr-CZYPqHsg5_MiD5JhWjqPAmJqD1k3YuiYJd5pNggRdUs4s",
            "y": "cUxzohl3jAWPc-kMkMSBW07IF2kn7My4RSxJ6J_cfUmp6TlSYHYsMbYyu31yH8VM",
            "crv": "P-384"
        },
        {
            "kty": "EC",
            "kid": "2a",
            "use": "sig",
            "alg": "ES256",
            "x": "cxATmhdy2XFmhLduY31M40Bu07BWG2V3Ir1BfqiMCaY",
            "y": "0vMNiil72Ms7cIegxqd9iveSINegVT3g9m_G666YNI4",
            "crv": "P-256"
        },
        {
            "kty": "EC",
            "kid": "29",
            "use": "sig",
            "alg": "ES512",
            "x": "AAfuPBgdZI8TSrcMTr_T_CEd5NS0iVaVoOQLm5RsvCAWzqWieXPNoS0oqWc60RScSy-95UF0UMlXf35sE7JFcTQa",
            "y": "AF-XqNeMFQtUV_-mcAlN90020BAOf6CLKumULq_SHKp0YLHq68M3Kncl-0GA7_fXdEMAYT1DyDkDgYS-32Y-sBho",
            "crv": "P-521"
        },
        {
            "kty": "EC",
            "kid": "28",
            "use": "sig",
            "alg": "ES384",
            "x": "wPWR927JlnSsZSZLGjsKjsx00pv6bI4ckB1_igpSTy5icB6SKhcaL6d9o1LUGh0p",
            "y": "Xd-9dCwJ2gXXvJBeUNJQ50v3nxnO0_kJBADxaTCBKVVLFkPDWkS8Jk8hhJiaOU0s",
            "crv": "P-384"
        },
        {
            "kty": "EC",
            "kid": "27",
            "use": "sig",
            "alg": "ES256",
            "x": "_JvPT2ftA5t3KiNysEfYmMnrIXgcU8liAckXJpzDTaU",
            "y": "2cs6FAkfvMJfCoiET8C6lH-VotMG5SP0KDY3hPU0jN8",
            "crv": "P-256"
        }
    ]
}

Thanks for your help.

I went ahead and hardcoded the jwks so it had only the key that matched it still does not match.

can you try removing the use=“sig” from the JWKS ?

What version of Apigee are you using? You’ve used VerifyJWT successfully before, is that right?

And can you show me the VerifyJWT policy configuration?

Hi Dino

We are using © 2020 Apigee Corp. All rights reserved. Version 4.50.00.00

I had to hardcode the jwks and modify it to remove the “use”:“sig” attribute. Once I did this it worked. I’m not sure if our internal team can modify the jwks to omit the above. At least we have something that will work and can work around it for now.

Thanks for your timely help!

Hi Dino

We are using © 2020 Apigee Corp. All rights reserved. Version 4.50.00.00

I had to hardcode the jwks and modify it to remove the “use”:“sig” attribute. Once I did this it worked. I’m not sure if our internal team can modify the jwks to omit the above. At least we have something that will work and can work around it for now.

Thanks for your timely help!

Dino,

We have multiple apigee versions in use at different locations. Our main on prem install is at © 2020 Apigee Corp. All rights reserved. Version 4.19.01.00. This version does not have support for the ES512 algorithm. Does this have support for ES512? https://github.com/apigee/iloveapis2015-jwt-jwe-jws

Or we need to build our own?

Thanks again

Mark

Oh, I’m glad to hear that you solved the problem!

There was an error in key selection in which the logic within the VerifyJWT policy incorrectly filtered out a JWK with the “use” property. We have since fixed that bug, but it remains in OPDK 4.50.00.

I expect that you’ll get the fix in a future patch for OPDK.

Sorry Dino I didnt mean to take credit for the answer! Im not sure how to assign it to you.

Mark - don’t worry! I moved your comment to an answer and “accepted” it.

I’m not concerned about who gets credit. I really appreciate your use of the community, asking your question so clearly, and then following up and explaining what you did to solve the problem. That will help people in the future, it’s valuable information. Thanks for contributing!

What all use case you are looking specific to ES512? jwt creation/verification?

reason being recently we extended it to support PS256 & it is not hard to to do for ES.

Thanks , I was struggling with the same issue , and now i know this issue within OPDK 4.50.00 version still remains . the current version that i am using .

jwt.Verify-JWT.header.algorithm: ES384 and the error :Could not find a matching Public Key: policy(JWT-Verify)

I tried the solution given by @markruscitto to hardcode the jwks and modify it to remove the “use”:“sig” attribute. it works but not comfortable to change the public Key /JWK “use”: “sig”, in production .

Currently, I am going with Java Callout as created verifications part in java

You don’t need to hard-code the JWKS. If you like, You can perform a ServiceCallout to retrieve the jWKS, and then use a JS step to transform it within the proxy to remove that element.

var c = JSON.parse(context.getVariable('jwksCallout.content'));
c.keys.forEach(function(key) {
  delete key.sig; 
});
context.setVariable('transformedJwks', JSON.stringify(c));

And then refer to transformedJwks in the VerifyJWT policy.

Thanks , Yes I, tried this way already and it works , but the question is what is best practice ? modify the key and refer to transformedJwks in the VerifyJWT policy or without modifying the key and verify in Java code itself ?

I would say, modifying the JWKS seems easier, and I’d prefer that, over the other option you described.

BUT,

the BEST practice is an option you did not identify: update to OPDK 4.52 which does not have this problem!