Apigee - producing a signed JWT, then encrypting it with JWE

Captions
Hi, this is Dino, and today I want to talk about how you can use Apigee to generate a signed JWT which is then wrapped in an encrypted format, JWE.

For a long time Apigee has had policies that generate signed JWTs and verify signed JWTs using various algorithms. More recently we extended Apigee to also be able to generate encrypted JWTs and verify encrypted JWTs, or decrypt them, that is to say encrypted things that have JSON as a payload. So the built-in policies will handle signed JWTs and encrypted JWTs. There's a separate aspect of the JOSE standards that allows encryption of an arbitrary payload, not JSON but some arbitrary byte stream, and we call that JWE, or JSON Web Encryption, and Apigee today does not have built-in policies that encrypt or decrypt arbitrary payloads. For that I have a custom Java callout that does that, and it's on this repo here, which I'll put in the notes for this video. Basically it's pretty simple to use: you just configure it like any other Java callout and specify the payload that you want. In this example this is generating an encrypted JWT; you can use the built-in policies for that, but maybe more apt for this particular video, we can also generate a JWE, and that payload can be anything.

So basically the steps involved will be: generate the signed JWT and then encrypt it, two separate policies. I have extended the example API proxy that's part of that repo and I've deployed it here, and I'll show you what that looks like. I just added a new conditional flow called generate 5 which will first generate a signed JWT, then do some housekeeping around keys, and then encrypt the output of that and generate a JWE. So let's see what that looks like. Here's the policy for generating a JWT. Nothing really surprising there: we specify the algorithm, we specify a private key. I've hard-coded it into this API proxy bundle. You are not going to want to do that; you're going to want to retrieve your keys from some encrypted store. Just for example purposes I put it, you know, in this policy. You can see the private key is right here. Don't do that in a real system.

Getting back to where we were: in the policy I specify the private key. I've hard-coded a key ID; that's also probably not what you're going to do. I've hard-coded the subject; this is just for demonstration purposes. I put a 30-minute expiry, and I put an additional claim in there. All the output after that signing happens is going to be in the signed JWT variable, and then that is the input to the next policy, the encryption, and that's going to use that custom callout and the generate JWE class. In this case we'll use a JWKS URI to retrieve the public key in order to perform the encryption, and we'll use RSA, and that is the content encryption algorithm. So the result will be a JWE.

Let's see this actually working. Revision 5 is deployed. I'll start a trace session. From my console I deployed it; that's kind of how I do a lot of my work, offline, and then use a script to just deploy. So that should be working. Great. And now what I want to do is invoke that endpoint with curl. It doesn't take any parameters, it's just a POST, and I send that in, and this, we don't know yet, but this is a JWE. It's hard to see that, but I'll show you that in a minute. This is the actual transaction that Apigee handled. You can see it retrieved the message ID; that's a variable, it's going to be a custom claim. The issuer, and then there's the signed JWT, and then we go through some of the housekeeping and get some other information. This is the signed JWT that is being encrypted, and these are the parameters for that encryption, and then finally this is the JWE output. So it's not the same; it looks similar, but it's not the same as the JWT. It actually is an encrypted form of the JWT.

Okay, so you could just trust me, or what we could do is try to verify that. So let me grab that JWE output. I've got a tool here at this web address that allows me to examine JWTs and JWEs, and what I'm going to do is paste in that thing that I received from the Apigee policy. This page is now detecting, okay, that's an encrypted something. This is in the header; the JOSE header says this is the algorithm it used for encryption, this is the enc, sorry, this is the algorithm used for generating the key, this is the encryption algorithm, and that's the key ID. Because it's encrypted we can't really see what the output is, but we do know it's this key ID, and going back to the proxy we know the JWKS URI was this one. So that's the JWKS URI, and that actually is a demonstration JWKS service that I've also got on a separate web app. The RSA key that the proxy selected was this one, and what I want to do is see the private key. Okay, so we have a JWE; in order to decrypt it we need the private key, so I'm asking for that private key from this web app. I'm going to copy that and I'm going to drop it in here, so I'm going to drop that PEM in there, and what that ought to be able to do is allow me to decrypt this. This is the encrypted portion; we're going to be able to decrypt that. So let's click that button. It'll decrypt it, and what I'm getting out is, sure enough, that looks like a JWT. So let me copy that and paste it in here, and this web page will automatically then decode the JWT, and you can see this is an actual JWT. It's got this key ID, which is the hard-coded number that I had embedded in the policy, and you can see the hard-coded subject, the audience that I specified, this is the issuer, the message ID, the expiry, and so on, all the JWT things. This has not been verified; we didn't verify the signature. We could; we just need the public key corresponding to the private key that was used to sign it.

But anyway, that illustrates how you can sign a JWT and then encrypt the output of that, and it's really just a sequence of two policies, and I've got these other ones here that are just managing the keys, just getting keys for the second policy. Okay, I hope that answers a common question around coupling signed JWT with JWE. Until next time, keep it digital.
Info
Channel: Dino Chiesa
Views: 784
Keywords: Apigee, JWT, JWE, JOSE
Id: 9w4iBu5ImHI
Length: 8min 18sec (498 seconds)
Published: Mon May 10 2021