Storing a JWT public key in a KVM and validation

My question is about getting values (public key or private key) from the KVM and validating a third-party JWT token.


The certificate was saved in the KVM through deployment as shown below, and it is encrypted.

{"name": "publickey",
"value": "-----BEGINCERTIFICATE-----MIICpTCCAY0CBgF6N7gZlDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtoZl9jel9teWFwaTAeFw0-------------ENDCERTIFICATE-----"
}

I am able to retrieve the value from the KVM, but when I try to validate, it throws the error below.

{
"status": 401,
"detail": "Failed to parse key: policy(JWT-Verify-RS256)"
wt.JWT-Verify-RS256.error cannot instantiate public key
}


When I store it manually in the KVM through the Apigee GUI page, as below, it works fine.

"name": "publickey",
"value":
-----BEGIN CERTIFICATE-----
MIICpTCCAY0CBgF6N7gZlDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtoZl9j
el9teWFwaTAeFw0yMTA2MjMwNzEyMjlaFw0zMTA2MjMwNzE0MDlaMBYxFDASBgNV
BAMMC2hmX2N6X215YXBpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
22HK+2xRzK7g
-----END CERTIFICATE-----
In both cases my KVM extract and JWT verify policies look like below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" name="KVMO-GetKeycloakPublicKey" mapIdentifier="two-encrypted">
    <DisplayName>KVMO-GetKeycloakPublicKey</DisplayName>
    <Get assignTo="private.publickey">
        <Key>
            <Parameter>publickey</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="Verify-RS256">
    <DisplayName>Verify-RS256</DisplayName>
    <Algorithm>RS256</Algorithm>
    <Source>var.JWT</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <PublicKey>
        <Value ref="private.publickey"/>
    </PublicKey>
</VerifyJWT>

Here, how would it be possible to turn my one-line certificate string value into base64 with 64 characters per line, and how can I avoid this manual effort?

@dchiesa1 

1 ACCEPTED SOLUTION

It's ok to have a "one line Certificate". But the whitespace is important.

It cannot be

-----BEGINCERTIFICATE-----

You need to have a space between the word BEGIN and the word CERTIFICATE. It should look like this:

-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

I'm not sure if the lack of a space in what you posted is just due to a cut/paste error, or .... if really there is no space. If the latter, then you should expect a "failed to parse key".

and how to avoid this manual effort.

I don't know what manual effort you are encountering. The format of the key is important. See if you can use the editor here in the community to paste in a correctly formatted version of the public key. Exactly as you are placing it into the KVM. The two "versions" of the public key that you posted (really a certificate), are not the same. They are different in formatting, but also in content. Neither of them is complete. I am not sure if that is intentional.

Take as much care as you can when you reply. Take your time, format things properly so I can see them. I take the time to reply and share information. Help me by taking time and good care when posting your information. It makes it easier for me to help you.

Why is your certificate on one line anyway? That's not a standard format.

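As an added example (not from this thread, and not Apigee's own tooling), a small Python helper that does what the accepted answer describes: it repairs the missing space in the BEGIN/END CERTIFICATE markers, strips stray whitespace, rejects a truncated or non-base64 body before it ever reaches the KVM, and re-wraps the body at 64 characters per line. The sample body is constructed test bytes, not a real certificate.

```python
import base64
import binascii
import json
import re

# Markers are matched with optional whitespace so the thread's defect
# ('-----BEGINCERTIFICATE-----', no space) is recognised and repaired.
BEGIN_RE = re.compile(r"-----BEGIN\s*CERTIFICATE-----")
END_RE = re.compile(r"-----END\s*CERTIFICATE-----")

# Constructed sample: NOT a real certificate, just DER-looking bytes
# (ASN.1 SEQUENCE tag 0x30 first) so the sanity check below passes.
SAMPLE_DER = b"\x30\x82\x00\x64" + bytes(range(100))
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode()


def normalize_pem_certificate(raw: str) -> str:
    """Return canonical PEM: spaced markers, base64 body wrapped at 64 chars.

    Raises ValueError instead of emitting a value VerifyJWT would reject
    with "Failed to parse key".
    """
    begin = BEGIN_RE.search(raw)
    end = END_RE.search(raw)
    if begin is None or end is None or end.start() < begin.end():
        raise ValueError("BEGIN/END CERTIFICATE markers missing or misordered")
    # Drop every whitespace character inside the body (newlines, spaces, tabs).
    body = re.sub(r"\s+", "", raw[begin.end():end.start()])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        # Non-base64 characters or bad padding: a truncated or garbled value.
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with an ASN.1 SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def kvm_entry(name: str, raw: str) -> str:
    """JSON for a KVM entry; json.dumps escapes the newlines as \\n."""
    return json.dumps({"name": name, "value": normalize_pem_certificate(raw)})


if __name__ == "__main__":
    one_line = "-----BEGINCERTIFICATE-----" + SAMPLE_BODY + "-----ENDCERTIFICATE-----"
    print(normalize_pem_certificate(one_line))
    print(kvm_entry("publickey", one_line))
```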

2 REPLIES


Thank you for getting back to me. My apologies that I did not post correctly. The policy is working fine. It was my bad: there was whitespace and some of the string was missing at my end; now it is working fine. Thank you once again.