[SOLVED] Verify JWT Signature in IBM Datapower Gatewayscript

Verify JWT Signature in IBM Datapower Gatewayscript

I'm trying to validate the JWT claims using the GatewayScript JWT Module in IBM DataPower. This works fine for claim validation, but I also want to verify the JWT signature. Ideally, I want to achieve this using a JWK Set.

The key looks like this:

{
   "kty": "RSA",
   "use": "sig",
   "kid": "",
   "x5t": "",
   "n": "",
   "e": "",
   "x5c": [
      ""
   ],
   "issuer": ""
}

The JWT is validated against the kid to fetch the required JWK from the set. I then use this key in the .addOperation(validate, key) method. But before that i check if the key isJWK and convert it toBuffer. The problem is that I always receive this error:

Error: The data format for JOSE parse() is incorrect.

var options = {
    validateDataType: false, 
    validateAudience: true,          
    validateExpiration: true,  
    validateNotBefore: true  
};

var params = {
    'aud': session.parameters.azureClientId,
    'tid': session.parameters.azureIssuer
};

console.log(jwk.isJWK(key)); // is true
//var lop = jwk.toBuffer(key); // tried with this but failed
var skey= JSON.stringify(key); // also failed

var decoder = new jwt.Decoder(oauthToken);
decoder.addOperation(options, 'validate', params)
    .addOperation('verify', skey)
    .decode(function(error, claims){
        if (error) {
            console.error('Introspection failed: ' + error);
            session.reject('IntrospectionError');
            session.output.write(XML.parse(`<declined/>`));  
        } else {
            oauthctx = true;
            console.log('Introspection successfull');
            session.output.write(XML.parse(`<approved/>`));
        }
});

I've tried really much everything and i don't know what i'm doing wrong.

Solution

I have now found an alternative way to verify the signature. It involves using the crypto module and the jwk module.

The documentation is sufficiently well-described. Additionally, I would like to point out that there is documentation regarding the keys, specifically how and in what data types the keys should be structured.

var crypto = require('crypto');
var jwk = require('jwk');

var verify = crypto.createVerify('rsa-sha256'); // Note, there are others

var [header, payload, signature] = oauthToken.split('.');

verify.update(header+"."+payload);

var key = jwk.toBuffer(key);

verify.verify(key, signature, function(error) {
    if(error) {
        console.log(error);
    } else {
        console.log("WORKED");
    }
});