Layer7 API Management

  • 1.  SHA256withRSA Padded characters

    Posted Mar 28, 2018 03:43 AM

    #algorithm #jwt

    Hi All,

     

    Is CA Gateway capable of verifying and decoding, out of the box, a generated JWT with SHA256withRSA which is adding padded characters while signing? If it is not, then what is the other way to decode this kind of JWT?

    PFB the JWT generated by an Android application which uses the above specification:

     

    Header::-eyJhbGciOiJSUzI1NiJ9.

    Payload::-eyJpc3MiOiAiVUtNb2JpbGl0eUFwcENsaWVudFVB...[something]......NTIxNDU4OTg5In0=.

    Signed Payload::-YDAEV3nvnE2eLgPX5jDotVoohDWAF5pSmaH8k5xIqLSqiVE5fDTinv/hQ7pUSbxemEMvo/zv7iAf6z38dg+i+kyc0k0cZb2f56dXi0R4pwHO/2Of4x1WpRMHlg3lo89kzhn0TnlbjHfhxKPPZPFgBBlCgWPCCS/Yxx+aOe7BM8FiGWsWLyPxJb8GnJCjURNwcB/QLskZZ34Cz5SK/OgKJ+EQv7ujxXinGCFwnulfCUXWD8kW12bFH98w3Zm/y9xphX1vh2pjaY0wmjEG3/I9ijBRZpItYezvb4rK3pm/E1LrMSflWdwzlTRumFu97gDJYypiy9AyCIsI70SKmpj6mw==

     

    Above I've highlighted the characters which I don't see while signing the payload using any other method [i.e. using the CA assertion or an online JWT generator].

     

    Note: Private key[.pem] is being used to sign/encrypt & verify/decrypt payload



  • 2.  Re: SHA256withRSA Padded characters

    Posted Mar 28, 2018 04:07 AM

    Hi,

     

    There is a new JWT authentication scheme from R12.8:

     

    JSON Web Token (JWT) Authentication Scheme
    CA Single Sign-On R12.8 supports JSON Web Token (JWT) template as an authentication scheme to authenticate and authorize the protected resource by accepting the JWT token.

     

    So, OOTB, I do not find any detail on JWT tokens in previous releases related to Access Gateway, so maybe a custom authentication scheme may work for you.



  • 3.  Re: SHA256withRSA Padded characters

    Posted Mar 29, 2018 04:49 AM

    Hey Albert, could you please be more specific about what you're suggesting to do, as I'm not following what you've suggested.



  • 4.  Re: SHA256withRSA Padded characters

    Posted Mar 29, 2018 05:00 AM

    Hi Jaykumar,

     

    I think it will not be useful for you as I thought you were using CA Access Gateway (which is a CA Single Sign-On component), however you are actually using CA API Gateway which is from a different product, so this question should be raised in a different place:

    CA API Management Community 

    That is why Vijay was asking for more details.



  • 5.  Re: SHA256withRSA Padded characters

    Posted Apr 02, 2018 01:48 AM

    Thanks for the clarification, Albert, but haven't I posted this in CA API Management Community? It's showing me the same community while editing.



  • 6.  Re: SHA256withRSA Padded characters

    Broadcom Employee
    Posted Mar 28, 2018 04:57 PM

    Jaykumar, Questions: Do you mean Access Gateway or API Gateway? Are you using/evaluating beta CA SSO R12.8? It's not formally released yet. What version of CA SSO are you using? Please confirm. Also, can you please describe your configuration and use case in more detail so we understand better what you're trying to accomplish?

    Thanks, - Vijay



  • 7.  Re: SHA256withRSA Padded characters

    Posted Mar 29, 2018 04:47 AM

    Hi Vijay, we're using API Gateway and we're not using any version of CA SSO. In simple words, what we're doing is: once we receive the JWT from the client app [Android], we're verifying the signature and decoding the JWT using the Decode JWT assertion of CA. The issue we're facing is that this assertion is not able to verify the signature, as it seems there are some padded characters being added on the client app while signing the payload using SHA256withRSA. Is there any way we could handle this scenario on the CA gateway?



  • 8.  Re: SHA256withRSA Padded characters

    Broadcom Employee
    Posted Mar 05, 2019 05:20 PM

    Good afternoon,

     

    Normally we have seen issues when the JWT is not BASE64 encoded so applications and browsers may attempt to URL encode certain values causing the signature to not be accepted.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support
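
Added example, not part of the thread and not CA/Broadcom code: a Python check for the encoding mismatch discussed above. The JWS compact form (RFC 7515) uses base64url without `=` padding, while the token in the first post carries `+`, `/` and `=`. The function names, the claims and the signature bytes are constructed for illustration; only the header segment is taken from the post, and it is assumed the client signed the segments exactly as it encoded them.

```python
import base64
import json
import re

NOT_B64URL = re.compile(r"[^A-Za-z0-9_-]")  # RFC 7515 segments: base64url, no '='

def decode_lenient(segment: str) -> bytes:
    """Decode a segment written in either Base64 alphabet, padded or not."""
    s = segment.rstrip("=").replace("+", "-").replace("/", "_")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def to_b64url(data: bytes) -> str:
    """Encode bytes the way a JWS compact segment expects them."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def diagnose(token: str) -> dict:
    """Report which segments break the JWS compact form and what can be repaired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, payload, sig = parts
    offending = {}
    for name, seg in zip(("header", "payload", "signature"), parts):
        bad = sorted(set(NOT_B64URL.findall(seg)))
        if bad:
            offending[name] = bad
    raw_sig = decode_lenient(sig)
    return {
        "offending": offending,
        "alg": json.loads(decode_lenient(header)).get("alg"),
        "claims": json.loads(decode_lenient(payload)),
        # Assumption: the signer hashed "header.payload" exactly as transmitted,
        # so these bytes are kept untouched; re-encoding them would change the hash.
        "signing_input": f"{header}.{payload}".encode("ascii"),
        "signature_len": len(raw_sig),
        # The signature segment is only a transport encoding and is safe to re-encode.
        "signature_b64url": to_b64url(raw_sig),
    }

# Constructed sample: header from the post, made-up claims and signature bytes,
# both encoded with standard padded Base64 as the Android client appears to do.
SAMPLE_CLAIMS = base64.b64encode(b'{"iss": "example-client", "sub": "u1"}').decode()
SAMPLE_SIG = base64.b64encode(bytes([0xFB, 0xEF, 0xFF]) + bytes(253)).decode()
SAMPLE = f"eyJhbGciOiJSUzI1NiJ9.{SAMPLE_CLAIMS}.{SAMPLE_SIG}"

if __name__ == "__main__":
    report = diagnose(SAMPLE)
    print(report["offending"])
    print(report["alg"], report["signature_len"])
```

A `%` in the `offending` report would point to the URL-encoding case mentioned in the last reply rather than to Base64 padding.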