Hi Jay,
Thank you for the insight on my query.
I have a problem statement something like this:
We have 3 private keys.
How can I use these 3 private keys to generate a JWT randomly? It should use any one of the private keys to generate a JWT.
So then I use the JWKS_uri to get those public keys' info.
Now I will decode the JWT created with one of those private keys, grab the kid out of it and compare it with the JWKS JSON acquired via the JWKS_uri,
take the key out of the JSON using the kid which was used to sign the JWT payload, and then pass the JWK to validate the JWT at the Policy Manager level with the encode assertion.
So I am not sure how I can use 3 private keys randomly to generate a JWT.
Thanks in advance,
Pratik Degaon S
------------------------------
Design Engineer Professional
BT
------------------------------
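The flow described in the message above (sign with any one of three private keys, publish only the public halves as a JWKS, resolve the kid on the verifying side), written out as an added Go example. It is not part of this thread and not Layer 7 Gateway policy; inside the Gateway the Encode/Decode Json Web Token assertions do the signing and checking, and this shows what those steps do underneath. It uses only the Go standard library; the kids key-1..key-3, the claims and the issuer URL are assumptions, and the three keys are generated on the fly as stand-ins for the real private keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// b64 is unpadded base64url, the encoding JOSE uses for every token segment.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// SigningKey pairs a private key with the kid the JWKS will advertise for it.
type SigningKey struct{ Kid string; Key *rsa.PrivateKey }

// GenerateKeys makes n fresh RSA keys with hypothetical kids key-1..key-n; they stand in for the three real private keys.
func GenerateKeys(n int) ([]SigningKey, error) {
	keys := make([]SigningKey, 0, n)
	for i := 1; i <= n; i++ {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil { return nil, err }
		keys = append(keys, SigningKey{Kid: fmt.Sprintf("key-%d", i), Key: k})
	}
	return keys, nil
}

// PickRandom selects one signing key uniformly with crypto/rand.
func PickRandom(keys []SigningKey) (SigningKey, error) {
	i, err := rand.Int(rand.Reader, big.NewInt(int64(len(keys))))
	if err != nil { return SigningKey{}, err }
	return keys[i.Int64()], nil
}

// SignJWT builds an RS256 JWT whose header names the chosen key by kid.
func SignJWT(sk SigningKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": sk.Kid})
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, sk.Key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// PublicJWKS renders only the public halves, i.e. the document a jwks_uri serves.
func PublicJWKS(keys []SigningKey) ([]byte, error) {
	set := map[string][]map[string]string{"keys": {}}
	for _, sk := range keys {
		set["keys"] = append(set["keys"], map[string]string{
			"kty": "RSA", "use": "sig", "alg": "RS256", "kid": sk.Kid,
			"n": b64(sk.Key.N.Bytes()), "e": b64(big.NewInt(int64(sk.Key.E)).Bytes()),
		})
	}
	return json.Marshal(set)
}

// VerifyJWT is the relying-party side: read kid, pick that JWKS entry, check the signature, then return the claims.
func VerifyJWT(token string, jwks []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) } // alg is pinned, never taken from the token
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwks, &set); err != nil { return nil, err }
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		nb, errN := base64.RawURLEncoding.DecodeString(k.N)
		eb, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil { return nil, fmt.Errorf("no usable JWKS entry for kid %q", hdr.Kid) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, fmt.Errorf("bad signature for kid %q: %w", hdr.Kid, err) }
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

func main() {
	keys, _ := GenerateKeys(3)
	jwks, _ := PublicJWKS(keys)
	chosen, _ := PickRandom(keys) // a different key may be chosen on every run
	token, _ := SignJWT(chosen, map[string]any{"iss": "https://op.example", "sub": "alice"})
	claims, err := VerifyJWT(token, jwks)
	fmt.Println("signed with", chosen.Kid, "->", claims, err)
}
```

Run it several times and the printed kid changes while verification keeps succeeding, because the verifier never guesses the key: it takes the kid from the header, looks that kid up in the JWKS, and rejects a token whose kid is absent from the set or whose alg is anything but the pinned RS256. The signing side is the only place the private keys exist; the JWKS contains n and e only.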
Original Message:
Sent: 02-23-2021 08:06 PM
From: Jay MacDonald
Subject: Signing JWT using JKWS
I wrote the attached bash script to use openssl to convert a PEM private key to an RSA Private Key JWK in case you need it.
------------------------------
Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
Original Message:
Sent: 02-23-2021 05:21 PM
From: Jay MacDonald
Subject: Signing JWT using JKWS
To sign something requires either a secret for HMAC or a private key for RSA/EC. Once you have the JWT payload, you use the "Encode Json Web Token" assertion to encode it to a JWT and apply JWS by checking the Sign Payload box in the JWS tab.
This is where the fun begins.
The first question is "What kind of signature is this?". The simplest to understand is HMAC, which uses a shared secret. The shared secret can be a simple 256-bit-long string (entered in the "Secret" field of the assertion dialogue) or it could be in the form of an "oct" JWK carried in a context variable as either the raw JWK or as a key entry in a JWKS.
For RSA/EC you must have the private key either in the Gateway's private keystore (Tasks -> Certificates, Keys and Secrets -> Manage Private Keys) or in the form of an RSA/EC private key JWK. Note that creating an RSA/EC private key JWK cannot be done via the Policy Manager and must be done externally. There are several online tools for doing this (not recommended except for testing with non-sensitive private keys) and source for building local tools.
I'm attaching a policy export (JWS-Demo.xml) to illustrate how to do it. Publish a Web API and import the attached policy into it, then access it with a browser.
Cheers!
JayMac
------------------------------
Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
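The PEM-to-RSA-private-JWK conversion that Jay's attached bash/openssl script performs, and that the earlier message says cannot be done inside the Policy Manager, as an added Go example. It is not Jay's script and not Broadcom code; it uses the Go standard library (x509 and pem) in place of openssl, the kid "key-1" and the use/alg values are assumptions, and SamplePEM() generates a throwaway key as a constructed stand-in for the real PEM file.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
)

// bigB64 encodes an integer as unpadded base64url, the form every RSA JWK field uses.
func bigB64(i *big.Int) string { return base64.RawURLEncoding.EncodeToString(i.Bytes()) }

// PEMToPrivateJWK converts a PEM RSA private key ("RSA PRIVATE KEY" = PKCS#1,
// "PRIVATE KEY" = PKCS#8) into an RSA private key JWK carrying the given kid.
func PEMToPrivateJWK(pemBytes []byte, kid string) ([]byte, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	var key *rsa.PrivateKey
	switch block.Type {
	case "RSA PRIVATE KEY":
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		key = k
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rk, ok := k.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key is %T, not RSA", k)
		}
		key = rk
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if len(key.Primes) != 2 {
		return nil, fmt.Errorf("only two-prime RSA keys map onto the p/q/dp/dq/qi JWK fields")
	}
	key.Precompute() // guarantees the CRT values dp, dq and qi are populated
	jwk := map[string]string{
		"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
		"n": bigB64(key.N), "e": bigB64(big.NewInt(int64(key.E))), "d": bigB64(key.D),
		"p": bigB64(key.Primes[0]), "q": bigB64(key.Primes[1]),
		"dp": bigB64(key.Precomputed.Dp), "dq": bigB64(key.Precomputed.Dq), "qi": bigB64(key.Precomputed.Qinv),
	}
	return json.MarshalIndent(jwk, "", "  ")
}

// SamplePEM generates a throwaway 2048-bit key and PEM-encodes it: a constructed
// stand-in for the real key file, so the example runs without touching one.
func SamplePEM() []byte {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

func main() {
	jwk, err := PEMToPrivateJWK(SamplePEM(), "key-1")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(jwk)) // the private JWK that would go into a Gateway context variable
}
```

To convert a real key, read the file with os.ReadFile and pass those bytes instead of SamplePEM(). Each integer field is the minimal big-endian byte string of the value, base64url-encoded without padding, which is how RFC 7518 defines the RSA JWK parameters; the private fields d, p, q, dp, dq and qi are what make this a private JWK, so the output deserves the same handling as the PEM it came from.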
Original Message:
Sent: 02-18-2021 09:03 AM
From: Pratik Degaon
Subject: Signing JWT using JKWS
Hi Folks,
I am trying to implement an OpenID token, which is a JWT token.
Kindly help with how I can sign my JWT using JWKS.
Any example will help me a lot.
Thanks,
Pratik
------------------------------
Design Engineer Professional
BT
------------------------------