Verify JWT policy showing runtime error in production version

I have added a policy for JWT verification with the help of key value maps and is working fine in eval version of APIGEE

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="auth0-token-verify">
    <DisplayName>auth0-token-verify</DisplayName>
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <JWKS uri="https://thanos.auth0.com/.well-known/jwks.json"/>
    </PublicKey>
    <Issuer>https://thanos.auth0.com/</Issuer>
    <Audience ref="var_auth0_jwt_audience"/>
</VerifyJWT>

But when i used same bundle in the apigee licensed version, it started throwing error:

"code" : "steps.jwt.EmptyElementForKeyConfiguration",
"message" : "Empty Element for Key Configuration : policy(auth0-token-verify) element(PublicKey/JWKS)",

The bundle works fine in licensed version if I remove the JWT policy above. Any thoughts on the same @Dino-at-Google @Dino

the apigee version where we are getting error is 19.01

This error says the jwks.json issue. Either it’s not accessible or its returning empty.

<JWKS uri="https://thanos.auth0.com/.well-known/jwks.json"/> 

If it is not able to get, you can have the JSON body in your KVM and extract inside proxy and use as reference for the JWKS

I have tested on the same. The JWKS uri is publicly accessible . Also this was working in eval version

is it saas or onprem version of apigee ?

You may be experiencing a bug in the VerifyJWT policy.

Check this Q&A for a similar issue, and a suggested workaround.

The fix for that problem is rolling out into production. The eval organizations get the fixes first., which would explain the difference in behavior you observed.