I'm trying to validate the JWT claims using the GatewayScript JWT Module in IBM DataPower. This works fine for claim validation, but I also want to verify the JWT signature. Ideally, I want to achieve this using a JWK Set.
The key looks like this:
{
"kty": "RSA",
"use": "sig",
"kid": "",
"x5t": "",
"n": "",
"e": "",
"x5c": [
""
],
"issuer": ""
}
The JWT's kid header is used to look up the matching JWK in the set. I then pass this key to the .addOperation(validate, key)
method. Before that, I check that the key isJWK and convert it with toBuffer. The problem is that I always receive this error:
Error: The data format for JOSE parse() is incorrect.
// Claim checks requested from the Decoder's 'validate' operation.
var options = {
validateDataType: false,
validateAudience: true,
validateExpiration: true,
validateNotBefore: true
};
// Expected claim values, both taken from the session parameters.
// NOTE(review): the 'tid' claim is matched against a parameter named
// azureIssuer — confirm the intended claim is 'tid' (tenant id) and not 'iss'.
var params = {
'aud': session.parameters.azureClientId,
'tid': session.parameters.azureIssuer
};
// Sanity check on the key selected from the JWK Set (prints true).
console.log(jwk.isJWK(key));
// Passing jwk.toBuffer(key) as the 'verify' key argument was also tried and failed the same way.
// Serialised JWK handed to the 'verify' operation; this is the call that
// reports "The data format for JOSE parse() is incorrect".
var skey= JSON.stringify(key);
var decoder = new jwt.Decoder(oauthToken);
decoder
.addOperation(options, 'validate', params)
.addOperation('verify', skey)
.decode(function(error, claims){
// The token is accepted only when no operation reported a failure;
// otherwise the request is rejected and a <declined/> response is written.
if (!error) {
oauthctx = true;
console.log('Introspection successfull');
session.output.write(XML.parse(`<approved/>`));
return;
}
console.error(`Introspection failed: ${error}`);
session.reject('IntrospectionError');
session.output.write(XML.parse(`<declined/>`));
});
I've tried pretty much everything and I don't know what I'm doing wrong.
I have now found an alternative way to verify the signature. It involves using the crypto module and the jwk module.
The documentation describes this well enough. I would also point out that there is documentation on the keys, specifically how they should be structured and which data types they must have.
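var crypto = require('crypto');
var jwk = require('jwk');
// The algorithm is fixed on the verifier side rather than read from the token
// header, so a token cannot select its own algorithm.
var verify = crypto.createVerify('rsa-sha256'); // Note, there are others
// A compact JWS has exactly three dot-separated segments. Anything else (a
// truncated token, or a five-segment JWE) must not reach the verifier, where
// the missing segments would otherwise be concatenated as "undefined".
var segments = oauthToken.split('.');
if (segments.length !== 3) {
console.log(`Malformed token: expected 3 segments, got ${segments.length}`);
} else {
var [header, payload, signature] = segments;
// The signing input is the protected header and the payload joined by '.'.
verify.update(header+"."+payload);
// Convert the JWK selected from the set into the buffer form the crypto
// module expects; `key` is reassigned, as in the original snippet.
var key = jwk.toBuffer(key);
// NOTE(review): `signature` is passed as the raw base64url segment — confirm
// the crypto module accepts that encoding.
// NOTE(review): this path checks only the signature; the exp/nbf/aud claim
// checks performed by the Decoder's 'validate' operation are not done here.
verify.verify(key, signature, function(error) {
if(error) {
console.log(error);
} else {
console.log("WORKED");
}
});
}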