0
votes

I'm trying to limit access to a REST API with a JWT token using the validate-jwt policy. I've never done that before.

Here's my inbound policy (taken from the section Simple token validation here):

<validate-jwt header-name="Authorization" require-scheme="Bearer">
    <issuer-signing-keys>
        <key>{{jwt-signing-key}}</key>
    </issuer-signing-keys>
    <audiences>
        <audience>CustomerNameNotDns</audience>
    </audiences>
    <issuers>
        <issuer>MyCompanyNameNotDns</issuer>
    </issuers>
</validate-jwt>

Using this generator I created a claim (I'm not sure whether I understood issuer and audience correctly):

{
    "iss": "MyCompanyNameNotDns",
    "iat": 1572360380,
    "exp": 2361278784,
    "aud": "CustomerNameNotDns",
    "sub": "Auth"
}

In the section Signed JSON Web Token I picked Generate 64-bit key from the combo box. The key that was generated I put in the place of {{jwt-signing-key}}.

Now, I'm trying to call the API using Postman. I add an "Authorization" header, and as the value I put "Bearer {{ JWT created by the linked generator }}".

I get 401, JWT not present. What am I doing wrong?


2 Answers

2
votes

According to my research, if you use the HS256 signing algorithm, the key must be provided inline within the policy in base64-encoded form. In other words, we must encode the key as a base64 string. For more details, please refer to the documentation.

My test steps are as below:

  1. Create the JWT token.

  2. Test:

     a. If I directly provide the key in the policy, I get the 401 error.

     b. If I encode the key as a base64 string in the policy, I can call the API.

0
votes

Jim Xu's answer to encode the key as a base64 string in the policy allowed me to get this far :-)

I set the Ocp-Apim-Trace parameter to true in order to debug it more closely. I followed the link provided in the response under ocp-apim-trace-location, and in the "on error" section I found the following message:

JWT Validation Failed: IDX10225: Lifetime validation failed. The token is missing an Expiration Time. Tokentype: 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken'..

Which is funny, because I have set the Expiration Time... to 2099.

I changed it to a month from now and it worked just fine.
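The two failure modes in this thread (a raw HMAC secret pasted into `<key>` instead of its base64 encoding, and lifetime validation rejecting the token) can both be reproduced offline. The script below is an added example, not code from the question, either answer, or Azure API Management itself: it mints an HS256 token with the claims from the question using only the standard library, prints the base64 string that belongs in `<key>`, and re-implements the checks the posted policy asks for (signature with the base64-decoded key, then `iss`, `aud`, `exp`). The secret `RAW_KEY`, the helper names and the error strings are assumptions; only the `IDX10225` wording is taken from the trace in the answer above. One caveat for anyone copying the question's setup: RFC 7518 requires an HS256 key of at least 256 bits, so the generator's "64-bit key" option is well below the spec minimum, and the example uses a 32-byte secret instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed 32-byte (256-bit) text secret; the value is an assumption for this example.
# The question used a 64-bit key, which is below the RFC 7518 minimum for HS256.
RAW_KEY = b"MySuperSecretKeyForTheApiGateway"

ISSUER = "MyCompanyNameNotDns"
AUDIENCE = "CustomerNameNotDns"

# The claims from the question, used here as constructed sample input.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "iat": 1572360380,
    "exp": 2361278784,
    "aud": AUDIENCE,
    "sub": "Auth",
}


class JwtValidationError(Exception):
    """Any failure that the gateway would turn into a 401."""


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires for each token segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def policy_key_value(raw_key: bytes) -> str:
    """What belongs inside <key>: the raw HMAC secret, standard-base64 encoded."""
    return base64.b64encode(raw_key).decode("ascii")


def mint_hs256_jwt(claims: dict, raw_key: bytes) -> str:
    """Compact JWS as a generator would build it: HS256 over base64url(header).base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(raw_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, policy_key: str, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """The checks the posted policy asks for: signature with the base64-decoded <key>,
    then iss, aud and exp. Returns the claims, or raises JwtValidationError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:
        raise JwtValidationError("JWT not present or malformed")
    if header.get("alg") != "HS256":
        raise JwtValidationError("unexpected alg %r" % header.get("alg"))
    try:
        # A raw secret pasted into <key> is decoded as base64 too, which yields different key bytes.
        key = base64.b64decode(policy_key, validate=True)
    except ValueError:
        raise JwtValidationError("policy key is not valid base64")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JwtValidationError("signature validation failed")
    if payload.get("iss") != issuer:
        raise JwtValidationError("issuer validation failed")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JwtValidationError("audience validation failed")
    if "exp" not in payload:
        raise JwtValidationError("Lifetime validation failed. The token is missing an Expiration Time.")
    if now >= int(payload["exp"]):
        raise JwtValidationError("token expired")
    return payload


def outcome(token: str, policy_key: str, now: int) -> str:
    """'ok' or the validation error text, for the cases walked through below."""
    try:
        validate_jwt(token, policy_key, ISSUER, AUDIENCE, now=now)
        return "ok"
    except JwtValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    token = mint_hs256_jwt(SAMPLE_CLAIMS, RAW_KEY)
    now = SAMPLE_CLAIMS["iat"] + 60
    print("value for <key>:", policy_key_value(RAW_KEY))
    print("base64 key in policy:", outcome(token, policy_key_value(RAW_KEY), now))
    print("raw key pasted directly:", outcome(token, RAW_KEY.decode("ascii"), now))
    no_exp = {k: v for k, v in SAMPLE_CLAIMS.items() if k != "exp"}
    print("token without exp:", outcome(mint_hs256_jwt(no_exp, RAW_KEY), policy_key_value(RAW_KEY), now))
```

Run it and compare the "raw key pasted directly" line with the base64 one: the token is identical, only the `<key>` text differs, which is exactly the difference between test (a) and test (b) in the accepted answer. Dropping `exp` from the claims reproduces the IDX10225 wording from the trace; whatever the generator did with the year-2099 value, the fix is the same as in the thread, a token whose `exp` is present and in the future at validation time.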