JSON web key set (JWKS) format used in Decode JSON Web Token Assertion

Document ID : KB000012355
Last Modified Date : 14/02/2018
Introduction:

For validation of the JSON Web Token(JWT) the key can be obtained from JSON Web Key Set(JWKS).

JSON Web Key Set Example

{
  "keys" : [ {
    "kty" : "RSA",
    "kid" : "1",
    "use" : "sig",
    "n" : "k9-F-fE4RWeyvErnyQhdbGO-468-UYq9uoEmxZFWLe6oZ0mdDXc9RSSfNpvA0cqu_JcqMPjQkKVKLKpvuYPj4ytX4jPEbfYB0A01FAxnD5efA-6rZ-5z0JBCHYBO3ux50aH01n5kcqy8FPVq5aftchKHnW_w7vauJE81nBROFNM",
    "e" : "AQAB"
  } ]
}

Question:

As per RFC 7517 (https://tools.ietf.org/html/rfc7517#section-4.2), the "use" field is optional. However, when decoding a JSON Web Token with the "Decode JSON Web Token" assertion, the following error is shown:

"JOSE Error: Could not find key from JWKS. Possible reasons: 1) could not find a key based kid, kty, and use or 2) the combination of kid, kty and use fields produce more than one key." 

Does the gateway make "use" field mandatory in JSON Web Key Set?

Environment:

Tested in 9.1

Answer:

In the code of the Decode JSON Web Token assertion, the CA API Gateway treats the "use" field of a JSON Web Key Set (JWKS) entry, whether for signature or for encryption, as mandatory.

This behaviour is intended as a more robust self-validation of the JOSE object structure: the JWKS must specify a "use" member (e.g. "use":"sig" or "use":"enc") to indicate whether the JSON payload must be in the format of a JSON Web Signature or a JSON Web Encryption.
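As an added illustration (not code from CA or from the gateway itself), the following Python models the lookup the error message describes: it selects exactly one key by kid, kty and use, so a JWKS entry that omits "use" fails the same way the question reports, and it decodes the RSA modulus and exponent from the JWKS shown above. The matching rule is an assumption inferred from the error text, and the helper names are this example's own.

```python
import base64
import copy
from typing import Dict, Tuple

# The JWKS from the article above, embedded here as the sample input.
JWKS: Dict = {"keys": [{
    "kty": "RSA", "kid": "1", "use": "sig",
    "n": "k9-F-fE4RWeyvErnyQhdbGO-468-UYq9uoEmxZFWLe6oZ0mdDXc9RSSfNpvA0cqu_JcqMPjQkKVKLKpvuYPj4ytX4jPEbfYB0A01FAxnD5efA-6rZ-5z0JBCHYBO3ux50aH01n5kcqy8FPVq5aftchKHnW_w7vauJE81nBROFNM",
    "e": "AQAB"}]}

class JwksLookupError(Exception):
    """The two failure cases named in the gateway's 'Could not find key' error."""

def find_key(jwks: Dict, kid: str, kty: str, use: str) -> Dict:
    # Assumed to mirror the gateway's selection (inferred from its error text, not its
    # source): kid, kty AND use must all agree, so a key without 'use' is 'not found'.
    matches = [
        k for k in jwks.get("keys", [])
        if k.get("kid") == kid and k.get("kty") == kty and k.get("use") == use
    ]
    if not matches:
        raise JwksLookupError("could not find a key based on kid, kty, and use")
    if len(matches) > 1:
        raise JwksLookupError("kid, kty and use produce more than one key")
    return matches[0]

def lookup_error(jwks: Dict, kid: str, kty: str, use: str) -> str:
    # Error text for a failed lookup, or "" when exactly one key matches.
    try:
        find_key(jwks, kid, kty, use)
    except JwksLookupError as err:
        return str(err)
    return ""

def _b64url_to_int(value: str) -> int:
    # JWK 'n' and 'e' are unpadded base64url big-endian integers (RFC 7518).
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def rsa_public_numbers(jwk: Dict) -> Tuple[int, int]:
    # (n, e) as integers: the form a verifier needs to check an RS256 signature.
    return _b64url_to_int(jwk["n"]), _b64url_to_int(jwk["e"])

def without_use(jwks: Dict) -> Dict:
    # Copy of a JWKS with every 'use' member removed: the situation in the question.
    stripped = copy.deepcopy(jwks)
    for k in stripped.get("keys", []):
        k.pop("use", None)
    return stripped
```

Running `lookup_error(without_use(JWKS), "1", "RSA", "sig")` reproduces the "could not find a key" case, while restoring "use":"sig" makes the lookup return the single RSA key.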

Additional Information:

The description of the Decode JSON Web Token assertion can be found below:

https://docops.ca.com/ca-api-gateway/8-3/en/policy-assertions/assertion-palette/message-validation-transformation-assertions/decode-json-web-token-assertion