Verify Json Web Signature Policy

This policy verifies the generated JWS. If the signature value has been tampered with, or the signature does not match the signed content, the user is not allowed to access the resource.

Configuration

The properties that have to be configured to use the policy are described below.


Figure 1: Verify Json Web Signature Policy configuration attributes

Secret Key

Where the HS256 symmetric algorithm is chosen, a Secret Key has to be provided. The key must be at least 256 bits long.


Where one of the asymmetric algorithms RS256 or ES256 is chosen, the public JSON Web Keys should be provided in any of the following ways:

  • The Key ID and other parameters of each algorithm can be grouped into a JSON as given in the sample below:

    CODE
    {
      "keys": [
        {
          "kty": "EC",
          "crv": "P-256",
          "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
          "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
          "use": "sig",
          "kid": "1"
        },
        {
          "kty": "RSA",
          "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
          "e": "AQAB",
          "alg": "RS256",
          "kid": "2011-04-29"
        }
      ]
    }

    These public JSON web keys (JWK) have to be fed into the Context Variable named "PublicJsonWebKeys" using the Assign Variables policy.

    For the JWK structure as in the sample above, refer to the link: https://tools.ietf.org/html/rfc7517



  • If the JSON Web keys have to be fetched from a File Store, a Callout policy can be used.

  • If the JSON Web keys are exposed at an HTTPS URL (e.g. https://www.googleapis.com/oauth2/v3/certs), a Service Call Out policy can be used to fetch them, and the response can be assigned to Context Variables using the Assign Variables policy.
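Whichever way the JWK set reaches the "PublicJsonWebKeys" variable, the verifier still has to pick the right key out of it and refuse to use a key in a way its metadata forbids. The following is an added Python example, not Fiorano's own code, showing the selection checks a practitioner would expect before any signature arithmetic: look the key up by the header's kid, require that the key type matches the algorithm (RS256 needs an RSA key, ES256 a P-256 EC key), honour "use" and "alg" when the key carries them, and reject "none" and symmetric algorithms outright so a public key can never be used as an HMAC secret. The JWK set is embedded as a constructed sample with the same structure (and the RFC 7517 example values) as the JSON shown above; the function names are assumptions.

```python
import base64
import json

# Constructed sample: the content the "PublicJsonWebKeys" context variable would hold.
# Same structure and values as the sample JWK set on this page (RFC 7517 Appendix A.1).
PUBLIC_JSON_WEB_KEYS = json.dumps({
    "keys": [
        {"kty": "EC", "crv": "P-256",
         "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
         "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
         "use": "sig", "kid": "1"},
        {"kty": "RSA",
         "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs"
              "tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI"
              "SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
         "e": "AQAB", "alg": "RS256", "kid": "2011-04-29"},
    ]
})

# The only algorithms accepted with a public JWK set, and the key type each one requires.
# Anything else (HS256, "none", ...) is rejected before a key is even looked up.
ALG_TO_KTY = {"RS256": "RSA", "ES256": "EC"}


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Accepts padded or unpadded base64url."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_jwk_set(text: str) -> dict:
    """Parse the JWK set JSON and check it has the RFC 7517 'keys' array."""
    jwk_set = json.loads(text)
    if not isinstance(jwk_set.get("keys"), list):
        raise ValueError('JWK set must contain a "keys" array')
    return jwk_set


def protected_header(jws: str) -> dict:
    """Decode the protected header (first segment) of a compact-serialised JWS."""
    return json.loads(b64url_decode(jws.split(".")[0]))


def select_verification_key(jwk_set: dict, header: dict) -> dict:
    """Return the single JWK that may verify a JWS with this protected header.

    Raises ValueError when no key may be used; the caller must then reject the JWS.
    """
    alg = header.get("alg")
    if alg not in ALG_TO_KTY:
        raise ValueError("alg %r is not permitted with a public JWK set" % (alg,))
    kid = header.get("kid")
    if not kid:
        raise ValueError("protected header has no kid")
    candidates = [k for k in jwk_set["keys"] if k.get("kid") == kid]
    if len(candidates) != 1:  # missing or ambiguous kid: do not guess
        raise ValueError("expected exactly one key with kid %r" % (kid,))
    key = candidates[0]
    if key.get("kty") != ALG_TO_KTY[alg]:
        raise ValueError("key %r has kty %r, unusable for %s" % (kid, key.get("kty"), alg))
    if key.get("use", "sig") != "sig":  # "use" is optional; absent means no restriction
        raise ValueError("key %r is not a signature key" % (kid,))
    if "alg" in key and key["alg"] != alg:  # key pinned to another algorithm
        raise ValueError("key %r is bound to alg %r" % (kid, key["alg"]))
    if alg == "ES256" and key.get("crv") != "P-256":
        raise ValueError("ES256 requires a P-256 key")
    return key


def is_rejected(jwk_set: dict, header: dict) -> bool:
    """True when select_verification_key refuses this header against the set."""
    try:
        select_verification_key(jwk_set, header)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = load_jwk_set(PUBLIC_JSON_WEB_KEYS)
    print(select_verification_key(keys, {"alg": "ES256", "kid": "1"})["kty"])
    print(is_rejected(keys, {"alg": "HS256", "kid": "1"}))
```

The key returned here is what the actual RSA or ECDSA verification would be fed; the point of the example is that the algorithm is pinned by the verifier's allow list and matched against the key's own metadata, rather than taken from the token on trust.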

JWS Identifier

Configure the Message Part Identifier, which identifies the Content Type through which the JWS is passed.

Detached Content

In certain cases it is useful to protect the integrity of content that is not itself contained in the JWS (a detached payload). To use detached content, perform the following steps:

  1. Create Assign Variable policy with the respective variable names and identifiers.


    Figure 2: Verify Json Web Signature Policy configuration attributes

    This sets the values in context variable with the specified names.

  2. Go to $FioranoHome/APIManagement\samples\JavaCallOuts\DetachedJWSClaim and run the compiled script. This creates a Classes directory containing a jar with compiled classes.

    The Java class can be modified as required.

  3. Configure Java Call Out policy using the jar created above.

  4. Configure the Verify JWS policy as explained in this page.

Request

Send the request as below (for example from Postman or with curl):

CODE
curl -X POST \
  http://192.168.2.231:2160/verifycustomgignature/1.0/ \
  -H 'jws-signature: yJleHAiOiIxNTQ0MTgyNTY3MDQzIiwiYWxnIjoiSFMyNTYifQ==..u0MA9Bm95kkZU1McxzhHq/Qfm5fTaJRyFHMFzStzgWQ=' \
  -d '{"iss":"fiorano"}'

The request carries the JWS (protected header and signature, with the payload detached) in the jws-signature header, and the claim as the request body.
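The header..signature form in the request is the detached-payload serialisation of RFC 7515 Appendix F: the verifier re-builds the signing input from the transmitted header segment and the body it received, and compares the MAC. The following is an added Python example, not Fiorano's own code, that produces and verifies such a detached HS256 JWS using only the standard library; the secret key and claim body are constructed sample values, and the function names are assumptions. It enforces the two checks the Secret Key property above implies: the key is at least 256 bits, and the algorithm is fixed to HS256 by the verifier rather than read from the token.

```python
import base64
import hashlib
import hmac
import json

MIN_HS256_KEY_BYTES = 32  # 256 bits, the minimum this policy requires for HS256

# Constructed sample secret (exactly 32 bytes); not a value from the product or the page.
SAMPLE_KEY = b"demo-secret-key-of-32-bytes-long"


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Accepts padded or unpadded input, url-safe or standard alphabet."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _check_key(key: bytes) -> None:
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key must be at least 256 bits")


def sign_detached(header: dict, payload: bytes, key: bytes) -> str:
    """Return 'header..signature': an HS256 JWS whose payload travels separately."""
    _check_key(key)
    if header.get("alg") != "HS256":
        raise ValueError("this signer only produces HS256")
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    signing_input = protected.encode() + b"." + b64url_encode(payload).encode()
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return protected + ".." + b64url_encode(mac)


def verify_detached(jws: str, payload: bytes, key: bytes) -> dict:
    """Verify a detached HS256 JWS against the separately received payload.

    Returns the decoded protected header on success, raises ValueError otherwise.
    """
    _check_key(key)
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("expected a detached JWS of the form header..signature")
    protected, _, signature = parts
    header = json.loads(b64url_decode(protected))
    # The verifier decides the algorithm; a token saying "none" or anything else is refused.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    # Use the header segment exactly as transmitted; re-encode only the detached payload.
    signing_input = protected.encode() + b"." + b64url_encode(payload).encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("signature does not match the received payload")
    return header


def is_rejected(jws: str, payload: bytes, key: bytes) -> bool:
    """True when verify_detached refuses the token for this payload and key."""
    try:
        verify_detached(jws, payload, key)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Sign the page's sample claim, then verify it and a tampered copy."""
    body = b'{"iss":"fiorano"}'
    token = sign_detached({"alg": "HS256"}, body, SAMPLE_KEY)
    return {
        "token": token,
        "header": verify_detached(token, body, SAMPLE_KEY),
        "tampered_rejected": is_rejected(token, b'{"iss":"someone-else"}', SAMPLE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

One interoperability point worth checking against a real producer: the payload segment is re-encoded by the verifier, so producer and verifier must agree on the encoding. This example uses unpadded base64url as RFC 7515 specifies; the sample header segment in the request above is padded with "==", so a producer that pads would need the verifier to re-encode the body the same way or the MAC will never match.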

Response

The policy verifies the signature and, if it is valid, allows access to the requested resource.
