Unable to setup VerifyJWTAccessToken with RS256

Google Cloud Apigee
,
1

Hi, we are trying to authenticate users that login using Google Identity Platform. GIP uses oAuth2 and returns an ID token (JWT) with a that we want to validate. The algorithm that it uses is RS256 with a public key that you have to fetch from XXX. We don’t know how to fetch the public key from that URL, but to make progress we downloaded it manually and we are trying to put the public key directly in the configuration.

We are using OAuthV2.VerifyJWTAccessToken with this configuration:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="OAuthV2-verify-gip">
  <Operation>VerifyJWTAccessToken</Operation>
  <Algorithm>RS256</Algorithm>
  <Scope>flaticon/svg</Scope>
  <PublicKey>
    <Value>-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----</Value>
  </PublicKey>
</OAuthV2>

When we try to save this configuration, it gives us an error:

bundle contains errors

Violation details:
apiproxy/policies/OAuthV2-verify-gip.xml The PublicKey element contains an RSA key, which is not valid for the Algorithm "".

Do you what are we doing wrong?

Thank you!

2

It looks like you want to use the JWT for OAuth tokens option in Apigee. You’re providing a hardcoded value which is fine for testing purposes, but it’s recommended to retrieve the key from an environment-scoped KVM or property set. In this case, try to change the indentation to mach the example below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="OAuthV2-verify-gip">
    <Operation>VerifyJWTAccessToken</Operation>
    <Algorithm>RS256</Algorithm>
    <Scope>flaticon/svg</Scope>
    <PublicKey>
        <Value>
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
        4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
        +qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
        kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
        0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
        cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
        mwIDAQAB
        -----END PUBLIC KEY-----
        </Value>
    </PublicKey>
</OAuthV2>
3

This looks actually like a bug in the OAuthV2 policy. Have raised this issue internally.

Using your configuration with VerifyJWT policy should work

4

[quote=“joaquin-freepik”]
Hi, we are trying to authenticate users that login using Google Identity Platform. GIP uses oAuth2 and returns an ID token (JWT) with a

The problem is not in the indenting of the key. Also, I do not believe the problem you are seeing is due to a bug in the OAuthV2 policy implementation.

Not quite true - the error message you see is misformatted and THAT is surely a bug. But I think the validation that rejects your policy configuration is probably correctly rejecting your policy configuration. Check the documentation on the OAuthV2 policy for hints on how to use Operation=VerifyJWTAccessToken.

The OAuthV2 policy with Operation=VerifyJWTAccessToken must be used only with JWT Access tokens that are generated by Apigee itself, using the OAuthV2 policy with Operation=GenerateJWTAccessToken.

To validate/verify a JWT from any arbitrary third party, such as one generated by GIP, you should use the builtin VerifyJWT policy as Gana suggested. If you have a JWKS endpoint*, you can specify the URI for the PublicKey in the policy configuration. You do not need to “manually download” the public key. Check the documentation for the policy for explanations for how to do this.

*I am not sure if GIP exposes a JWKS endpoint. If it does not… in other words if the public keys are available, but are not formatted as JWK according to the JWKS standard (IETF RFC 7517), then downloading the key and specifying it in the way you are doing, should work just fine. You do not need to worry about indenting - the formatting you are using will work just fine if the key is correct.

Also, you said that you wanted to ALSO validate a scope value on the JWT issued by GIP. That can be done, too. There was a proposed feature enhancement to enable the VerifyJWT policy to verify the presence of a value within an array claim, which would satisfy your requirement I think. There was an implementation of this feature, but at this point I am not certain whether that implementation was approved and merged. Check with the engineering/product team to find out. Whether you can use this handy feature also will depend on which version of Apigee you are using. (OPDK doesn’t get feature enhancements)

Even if you don’t have that feature available to you, you can still validate the scope claim using an additional JS step, or a Condition element that examines the context variable that contains the scope. This has been explained previously on the community site; search the archive for hints.

So, FIRST, make sure you can validate the JWT. THEN, do the extra work to validate the scope.

Good luck.

2 Likes
5

Thank you, I used a VerifyJWT policy with a Condition element using a regexp to match the Scope and it worked perfectly. It would be nice to have a on VerifyJWT, but I also understand if you want to keep the payload of the JWT opaque.

Thank you for your help!

1 Like
6

I’m glad it helped!