Layer7 API Management


incorrect kid value in jwt access_token

  • 1.  incorrect kid value in jwt access_token

    Posted 05-18-2020 12:38 AM
    I am successfully able to generate a jwt access_token and a jwt id_token.
    For the jwt access_token, I configured the 'X' private key in the #OTK Generate JWT Oauth Token policy / Encode Json Web Token assertion.
    For the jwt id_token, I configured the 'Y' private key in #OTK id_token Signing Algorithm - CUSTOM / Encode Json Web Token assertion.
    However, when I decode the jwt access_token on the jwt.io website, I can see the 'Y' private key name in the kid attribute in the header. Ideally it should be 'X'. Please suggest here. Also, correct me if the approach of configuring different private keys for the access and id tokens is incorrect.

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------


  • 2.  RE: incorrect kid value in jwt access_token

    Broadcom Employee
    Posted 05-18-2020 05:22 AM
    Edited by Ronald Dsouza 05-18-2020 05:21 AM
    Open the OTK openid jwks_endpoint Configuration policy, copy the create JSON web key token, then open
    #OTK openid jwks_endpoint Configuration, paste it, and add your enc and sign keys with the appropriate kid values.


    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/openid-connect-implementation/use-a-dedicated-private-key-for-signing-jwt.html

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 3.  RE: incorrect kid value in jwt access_token

    Posted 05-18-2020 06:11 AM
    Hi Ronald, the issue is with the access token kid. Why is it showing the id token kid?
    Also, is it fine if I use the same private key for both jwt token types?





  • 4.  RE: incorrect kid value in jwt access_token

    Broadcom Employee
    Posted 05-18-2020 11:16 AM
    Edited by Ronald Dsouza 05-18-2020 11:22 AM
    Sorry, I misread your question.
    So basically, if you use anything other than the default SSL key, you will have to update the parameters in
    #OTK id_token KID configuration to represent your X key value.

    For the second question, the option is with you. I prefer them separate.

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 5.  RE: incorrect kid value in jwt access_token

    Broadcom Employee
    Posted 05-18-2020 11:45 AM


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 6.  RE: incorrect kid value in jwt access_token

    Posted 05-18-2020 11:55 AM
    Thanks Ronald.
    For the id token, it is working for me too. Here is my issue:

    For the jwt access_token, I configured the 'X' private key in the #OTK Generate JWT Oauth Token policy / Encode Json Web Token assertion.

    For the jwt id_token, I configured the 'Y' private key in #OTK id_token Signing Algorithm - CUSTOM / Encode Json Web Token assertion.

    However, when I decode the jwt access_token on the jwt.io website, I can see the 'Y' private key name in the kid attribute in the header. Ideally it should be 'X'.





  • 7.  RE: incorrect kid value in jwt access_token
    Best Answer

    Broadcom Employee
    Posted 05-20-2020 05:04 PM
    Hello,

    The OTK seems to expect that you are using the same key for both JWT tokens. The ${kid_header} variable that defines the KID added to the JWT header for both tokens is defined in one place, the OTK id_token KID Configuration, and you can modify this by copying the ${kid} and ${kid_header} variables to the #OTK id_token KID Configuration policy.

    If you want to use a separate kid for the access token JWT header, then copy the ${kid} and ${kid_header} variables to the #OTK Generate JWT OAuth Token policy before you call the Encode Json Web Token assertion.

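The mismatch described in this thread (token signed with key X, header advertising kid Y) is what breaks a resource server that resolves the verification key by kid. The following added example is not part of the thread or of the OTK; it is a small stand-alone checker that reproduces the misconfiguration and shows why it fails verification. It assumes a constructed kid-to-key store named KEYS and uses HS256 (HMAC) instead of the RSA private keys discussed above so that it runs with only the Python standard library; the kid lookup logic is the same for RS256.

```python
import base64
import hashlib
import hmac
import json

# Constructed key store: kid -> signing secret. In the thread these are the RSA
# private keys 'X' (access token) and 'Y' (id token); HS256 secrets are used
# here only so the example is self-contained. This is an assumed layout.
KEYS = {
    "X": b"access-token-signing-secret-constructed",
    "Y": b"id-token-signing-secret-constructed",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, signing_kid: str, header_kid: str) -> str:
    """Sign with KEYS[signing_kid] but advertise header_kid in the header.

    Passing different values reproduces the thread's misconfiguration: the
    policy signs with X while the shared ${kid_header} variable still says Y.
    """
    header = {"alg": "HS256", "typ": "JWT", "kid": header_kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEYS[signing_kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def header_kid(token: str) -> str:
    """Return the kid from the (unverified) JWT header, as jwt.io would display it."""
    return json.loads(_b64url_decode(token.split(".")[0]))["kid"]


def verify_jwt(token: str) -> dict:
    """Resolve the key by the header's kid, as a resource server or JWKS client does.

    Returns {"ok": True, "kid": ..., "claims": ...} on success, otherwise
    {"ok": False, "kid": ..., "reason": ...}.
    """
    head_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    kid = header.get("kid")
    # Pin the expected algorithm before touching the key material.
    if header.get("alg") != "HS256":
        return {"ok": False, "kid": kid, "reason": "unexpected alg"}
    key = KEYS.get(kid)
    if key is None:
        return {"ok": False, "kid": kid, "reason": "unknown kid"}
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        # The kid pointed at the wrong key: exactly the symptom in the thread.
        return {"ok": False, "kid": kid, "reason": "signature mismatch"}
    return {"ok": True, "kid": kid, "claims": json.loads(_b64url_decode(claims_b64))}


if __name__ == "__main__":
    claims = {"sub": "alice", "scope": "read"}
    # Misconfigured: signed with X, header says Y -> verification fails.
    bad = encode_jwt(claims, signing_kid="X", header_kid="Y")
    print(header_kid(bad), verify_jwt(bad))
    # Corrected: kid matches the signing key -> verification succeeds.
    good = encode_jwt(claims, signing_kid="X", header_kid="X")
    print(header_kid(good), verify_jwt(good))
```

Running it shows the first token decodes with kid "Y" but fails with "signature mismatch", while the corrected token verifies. Checking `header_kid()` against the key you intended to sign with is a quick post-deployment sanity test for the kid_header change the best answer describes.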

  • 8.  RE: incorrect kid value in jwt access_token

    Posted 05-21-2020 01:32 AM

    It is really interesting that this policy, OTK id_token KID Configuration, is for the id_token, yet it is taking the kid configuration for the access token as well.
    BTW, for the access token policy OTK Generate JWT OAuth Token, there is an Encode Json Web Token assertion where we have to specify the JWK, which is nothing but the private key, so I thought this private key would be applicable for the access token.