
Verify JWT Signature in IBM Datapower Gatewayscript


I'm trying to validate the JWT claims using the GatewayScript JWT Module in IBM DataPower. This works fine for claim validation, but I also want to verify the JWT signature. Ideally, I want to achieve this using a JWK Set.

The key looks like this:

{
   "kty": "RSA",
   "use": "sig",
   "kid": "",
   "x5t": "",
   "n": "",
   "e": "",
   "x5c": [
      ""
   ],
   "issuer": ""
}

The JWT's kid header is used to look up the required JWK in the set. I then pass this key to the .addOperation('verify', key) method. Before that, I check that the key isJWK and convert it with toBuffer. The problem is that I always receive this error:

Error: The data format for JOSE parse() is incorrect.

// Failing attempt from the question: the key reaches the 'verify' operation
// as a JSON string, which is not a format the JOSE parser accepts.
var options = {
    validateDataType: false,
    validateAudience: true,
    validateExpiration: true,
    validateNotBefore: true
};

// Expected claim values, taken from the service's configured parameters.
var params = {
    'aud': session.parameters.azureClientId,
    'tid': session.parameters.azureIssuer
};

console.log(jwk.isJWK(key)); // is true
// jwk.toBuffer(key) was also tried as the key argument and failed.
var skey = JSON.stringify(key); // also failed

// decode() callback: approve on success, otherwise reject the request.
function onDecoded(error, claims) {
    if (!error) {
        oauthctx = true; // NOTE(review): assigned without a declaration here — presumably declared elsewhere in the script
        console.log('Introspection successfull');
        session.output.write(XML.parse(`<approved/>`));
        return;
    }
    console.error(`Introspection failed: ${error}`);
    session.reject('IntrospectionError');
    session.output.write(XML.parse(`<declined/>`));
}

var decoder = new jwt.Decoder(oauthToken);
decoder
    .addOperation(options, 'validate', params)
    .addOperation('verify', skey)
    .decode(onDecoded);

I've tried just about everything and I don't know what I'm doing wrong.


Solution

  • I have now found an alternative way to verify the signature. It involves using the crypto module and the jwk module.

    The documentation describes this well enough. I would also point out that there is documentation on the keys, specifically how they should be structured and in what data types.

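    var crypto = require('crypto');
    var jwk = require('jwk');

    // The algorithm is pinned here rather than taken from the token's `alg`
    // header, so a token claiming a different algorithm simply fails the
    // check. Note, there are others.
    var verify = crypto.createVerify('rsa-sha256');

    // A compact JWS is exactly header.payload.signature. Anything else is
    // rejected up front; otherwise `signature` would be undefined and the
    // signing input would literally contain "undefined".
    var segments = oauthToken.split('.');
    if (segments.length !== 3) {
        throw new Error('Token is not a three-part compact JWS');
    }
    var [header, payload, signature] = segments;

    // The signing input is the raw, still base64url-encoded, header and payload.
    verify.update(header + "." + payload);

    // `key` is the JWK selected from the trusted set by the token's kid; keep
    // the converted form under its own name instead of re-declaring `key`.
    var keyBuffer = jwk.toBuffer(key);

    // NOTE(review): assumes verify() accepts the base64url-encoded signature
    // segment as-is — confirm against the DataPower crypto documentation.
    // This only proves the signature; expiration/audience claims still have to
    // be validated separately before the token is trusted.
    verify.verify(keyBuffer, signature, function(error) {
        if (error) {
            // Fail closed: a bad signature must reject the request, not just log.
            console.log(error);
            session.reject('SignatureError');
        } else {
            console.log("WORKED");
        }
    });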