Layer7 API Management

Expand all | Collapse all

Signing JWT using JKWS

  • 1.  Signing JWT using JKWS

    Posted 13 days ago
    Hi Folks,

    I am trying to implemment openID token , which is JWT token .

    Kindly help how can i sighn my JWT using JWKS.

    Any example will help me a lot.

    Thanks,
    Pratik

    ------------------------------
    Design Engineer Professional
    BT
    ------------------------------


  • 2.  RE: Signing JWT using JKWS

    Broadcom Employee
    Posted 8 days ago
      |   view attached
    To sign something requires either a secret for HMAC or a private key for RSA/EC. Once you have the JWT payload, you use the "Encode Json Web Token" assertion to encode it to a JWT and apply JWS by checking the Sign Payload box in the JWS tab.

    This is where the fun begins.

    The first question is "What kind of signature is this?". The simplest to understand is HMAC, which uses a shared secret. The shared secret can be a simple 256 bit long string (entered in the "Secret" field of the assertion dialogue) or it could be in the form of an "oct" JWK carried in a context variable as either the raw JWK or as a key entry in a JWKS.

    For RSA/EC you must have the private key either in the Gateway's private keystore (Tasks -> Certificates, Keys and Secrets -> Manage Private Keys) or in the form of an RSA/EC private key JWK. Note that creating an RSA/EC private key JWK can not be done via the Policy Manager and must be done externally. There are several online tools for doing this (not recommended except for testing with non-sensitive private keys) and source for building local tools.

    I'm attaching a policy export (JWS-Demo.xml) to illustrate how to do it. Publish a Web API and import the attached policy into it, then access it with a browser.

    Cheers!

    JayMac

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------

    Attachment(s)

    xml
    JWS-Demo.xml   16 KB 1 version


  • 3.  RE: Signing JWT using JKWS

    Broadcom Employee
    Posted 8 days ago
      |   view attached
    I wrote the attached bash script to use openssl to convert a PEM private key to an RSA Private Key JWK in case you need it.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------

    Attachment(s)

    zip
    pem-to-jwk.sh.zip   958 B 1 version


  • 4.  RE: Signing JWT using JKWS

    Posted 7 days ago
    Hi Jay,

    Thank you for insight on my query.

    I have problem statement something like this,

    We have 3 private keys,

    How can I use these 3 private keys to generate JWT randomly. It should use any one of the private keys to generate a JWT.
    So then, I use JWKS_uri to get those public keys info.

    now I will decode the jwt created with one of those private key, grab kid out of it and compare with the JWKS json acquired by JWKS_uri,
    take out key from the json by using kid which is used to sign the jwt payload, and then pass the JWK to validate the jwt at policy manager level by encode assertion.

    So I am not sure how can I use 3 private keys randomly to generate JWT.

    Thanks in advance,
    Pratik Degaon S

    ------------------------------
    Design Engineer Professional
    BT
    ------------------------------



  • 5.  RE: Signing JWT using JKWS

    Broadcom Employee
    Posted 7 days ago
      |   view attached
    Interesting use case.

    You can use the ${gateway.random} variable to generate a random number. Unfortunately it is limited to byte lengths and not integer lengths (i.e. you can't generate a random number between 0 and 2, but you can between 0 and 255 by referencing ${gateway.random.1.unsigned}. So you could write policy to generate a random 1-byte value and use case logic to test the value in steps of 85 (256/3=85.33), which will get you close to a random selection of a value.

    The Key ID field of the Encode JSON Web Token assertion can contain a context variable.

    I modified the demo policy by adding a third oct key to the JWKS and to then select one at random to use to sign the JWT as an example. See attached JWS-Demo2.xml file.

    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------

    Attachment(s)

    xml
    JWS-Demo2.xml   24 KB 1 version