A fix is available
APAR status
Closed as program error.
Error description
When a JWT has a non-string value in its JOSE header, the token does not validate. E.g., in the token below
===
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFwcElkLTg3OTRiNDFiLTQ3MDUtNDM4MS1hOTZlLTQ2ZGZhYmYzZjI0OS0yMDIxLTAxLTExVDEzOjQ3OjQ3LjU1NiIsInZlciI6NH0.eyJpc3MiOiJodHRwczovL2V1LWRlLmFwcGlkLmNsb3VkLmlibS5jb20vb2F1dGgvdjQvODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFiZjNmMjQ5IiwiZXhwIjoxNjExNjcyNDQ4LCJhdWQiOlsiZDEyZTMzNzUtZmVlMS00YjM1LTk1Y2QtZGYwM2VlMjAxM2Q2Il0sInN1YiI6ImM5OTE3OThlLTI0MDItNDI5MS04NDAwLWUxMzg3N2NiYmJiNiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhbXIiOlsiY2xvdWRfZGlyZWN0b3J5Il0sImlhdCI6MTYxMTY2ODg0OCwidGVuYW50IjoiODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFiZjNmMjQ5Iiwic2NvcGUiOiJvcGVuaWQgYXBwaWRfZGVmYXVsdCBhcHBpZF9yZWFkdXNlcmF0dHIgYXBwaWRfcmVhZHByb2ZpbGUgYXBwaWRfd3JpdGV1c2VyYXR0ciBhcHBpZF9hdXRoZW50aWNhdGVkIGV4ZWN1dGUgcGF5bWVudHMifQ.Jj_e4SffuGstgJNXQGkpU7u4owdXgjg-FdOxK_8Z9Uv9o3yH_h1grtKwnZrxLqTIITBROjvw_jJFYbPxXn8xZH0hQz8cMmBySMvpD2c-U8UDxhgHUBwTdMyxNYgUNDadokCf-0A-wvyp0wFngepP6J_KLJrJPkh8vogNnnjbisDXjBsCGEqeBpUtlALdmLD41B46sXydZkPUOOlQcnSvwW5LZdLidTY9SKDLIqGAciuMgUA47058fPnipYHjaNK3aLUaX7KVTpBaKBi9zQUHkmRvyiwxzSD32AZXv5dbm7gmvPzuUshHArdyfJCtZmAv2xMNfQC979DaWQIraPhcwg
===
we have the JOSE header "ver": 4, which results in the following error
===
[request][172.30.124.139] gtid(b799ce6c601036ea000046b1): Invalid type 'number (4)' detected on method invocation. Method name: setProtected; Parameter index: 1; Expected type: string
20210126T153611.245Z [apiconnect][0x87e00050][crypto][error] apigw(apiconnect): tid(18097)[request][172.30.124.139] gtid(b799ce6c601036ea000046b1): The input data is not a valid JWT.
=====
Understandably, this is problematic in a validate policy, as we can't control the incoming token.
To reproduce, have the token above validated against the following JWK with an apic validate policy or GWS
===
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "n": "ALwt_NNlrMPSUZtn6tWF_abxlqcVO6HsP12GOc3OHkSvFZ21cZ2pIuxlI_opMWoZx3_HPAjXYYaJhOI1VmSePV7DdMsj5g1GwUHqVEKHs-OJrjf-6U46J5zTCsdTuSiXL9WJ61NgttKtH_UFj7yuKTSxFCjoaeSY4qcDEGBWw1Oc9FGDgdGE6zIOU3qXPU8yWkxi9CtXmdkKMvfN6H-lFUoBF8WQGV4bnbtK8Q9gHqYJ3-IOFCORqVdgi96QAhMYsyQMnVCr8zXpIfrrwSOe_NyOEOYgDww4UzMOEqYjPo9ASwAmbyYJPj4sSkNWw1hL_J05riDKI6OcjZYdCuREzP0",
      "e": "AQAB",
      "kid": "appId-8794b41b-4705-4381-a96e-46dfabf3f249-2021-01-11T13:47:47.556"
    }
  ]
}
=====
Local fix
Problem summary
A JWT whose JOSE header contains a non-string value will fail validation. For example, the header "ver": 4 results in the error: Invalid type 'number (4)' detected on method invocation. Method name: setProtected; Parameter index: 1; Expected type: string
Problem conclusion
JWS and JWE will now accept arbitrary protected headers with primitive values (i.e., string, number or boolean). Protected headers whose value types are explicitly specified in RFC 7515 (alg, kid, typ, crit and the other registered header parameters) will still be constrained to those types. Fixed In: 10.0.1.3
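As an added illustration, not part of the APAR and not DataPower's own validation code, the verifier below shows the behaviour the conclusion describes: the token from the error description (whose header decodes to {"alg":"RS256","typ":"JWT","kid":"appId-8794b41b-4705-4381-a96e-46dfabf3f249-2021-01-11T13:47:47.556","ver":4}) is parsed, only the RFC 7515 registered header parameters are type-checked, the private "ver" header is accepted as a number, and the RS256 signature is verified by hand against the JWK from the reproduction steps using nothing but the Python standard library. The function names (verify_token, header_type_errors, rs256_verify, forge_exp) are this example's own assumptions.

```python
"""Added example (not DataPower or IBM code): a minimal RS256 JWS verifier
that accepts non-string JOSE header values such as "ver": 4 and only
type-checks the header parameters RFC 7515 actually constrains.
Standard library only; runs offline."""
import base64
import hashlib
import hmac
import json

# Token and JWK copied from the APAR text above (page line wrapping removed).
# The token is long expired; this example checks the signature and header
# typing only and returns the claims so the caller can check exp/aud/iss.
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFwcElkLTg3OTRiNDFiLTQ3MDUtNDM4MS1hOTZlLTQ2ZGZhYmYzZjI0OS0yMDIxLTAxLTExVDEzOjQ3OjQ3LjU1NiIsInZlciI6NH0."
    "eyJpc3MiOiJodHRwczovL2V1LWRlLmFwcGlkLmNsb3VkLmlibS5jb20vb2F1dGgvdjQvODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFiZjNmMjQ5IiwiZXhwIjoxNjExNjcyNDQ4LCJhdWQiOlsiZDEyZTMzNzUtZmVlMS00"
    "YjM1LTk1Y2QtZGYwM2VlMjAxM2Q2Il0sInN1YiI6ImM5OTE3OThlLTI0MDItNDI5MS04NDAwLWUxMzg3N2NiYmJiNiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhbXIiOlsiY2xvdWRfZGlyZWN0b3J5Il0sImlhdCI6MTYxMTY2ODg0OCwidGVuYW50Ijoi"
    "ODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFiZjNmMjQ5Iiwic2NvcGUiOiJvcGVuaWQgYXBwaWRfZGVmYXVsdCBhcHBpZF9yZWFkdXNlcmF0dHIgYXBwaWRfcmVhZHByb2ZpbGUgYXBwaWRfd3JpdGV1c2VyYXR0ciBhcHBpZF9hdXRoZW50aWNhdGVkIGV4ZWN1dGUgcGF5bWVudHMifQ."
    "Jj_e4SffuGstgJNXQGkpU7u4owdXgjg-FdOxK_8Z9Uv9o3yH_h1grtKwnZrxLqTIITBROjvw_jJFYbPxXn8xZH0hQz8cMmBySMvpD2c-U8UDxhgHUBwTdMyxNYgUNDadokCf-0A-wvyp0wFngepP6J_KLJrJPkh8vogNn"
    "njbisDXjBsCGEqeBpUtlALdmLD41B46sXydZkPUOOlQcnSvwW5LZdLidTY9SKDLIqGAciuMgUA47058fPnipYHjaNK3aLUaX7KVTpBaKBi9zQUHkmRvyiwxzSD32AZXv5dbm7gmvPzuUshHArdyfJCtZmAv2xMNfQC979DaWQIraPhcwg"
)
JWKS = {"keys": [{
    "kty": "RSA", "use": "sig", "e": "AQAB",
    "kid": "appId-8794b41b-4705-4381-a96e-46dfabf3f249-2021-01-11T13:47:47.556",
    # As published in the APAR this modulus starts with a 0x00 octet ("AL..."),
    # which the Base64urlUInt rule of RFC 7518 does not permit; int.from_bytes
    # tolerates it, but strict JWK parsers may not.
    "n": "ALwt_NNlrMPSUZtn6tWF_abxlqcVO6HsP12GOc3OHkSvFZ21cZ2pIuxlI_opMWoZx3_HPAjXYYaJhOI1VmSePV7DdMsj5g1GwUHqVEKHs-OJrjf-6U46J5zTCsdTuSiXL9WJ61NgttKtH_UFj7yuKTSxFCjoaeSY4qcDEGBWw1Oc9FGDgdGE6zIOU3qXPU8"
         "yWkxi9CtXmdkKMvfN6H-lFUoBF8WQGV4bnbtK8Q9gHqYJ3-IOFCORqVdgi96QAhMYsyQMnVCr8zXpIfrrwSOe_NyOEOYgDww4UzMOEqYjPo9ASwAmbyYJPj4sSkNWw1hL_J05riDKI6OcjZYdCuREzP0",
}]}

# RFC 7515 section 4.1: registered header parameters and their JSON types.
# Anything not listed here ("ver" in this token) is a private header and may
# carry any JSON value; rejecting a number there is the defect in this APAR.
REGISTERED_TYPES = {
    "alg": str, "jku": str, "jwk": dict, "kid": str, "x5u": str,
    "x5c": list, "x5t": str, "x5t#S256": str, "typ": str, "cty": str,
    "crit": list,
}
# DER prefix of the SHA-256 DigestInfo (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def header_type_errors(header):
    """List type violations among the registered header parameters only."""
    errors = []
    for name, value in header.items():
        expected = REGISTERED_TYPES.get(name)
        if expected is None:
            continue  # private/custom header: any JSON value is acceptable
        if not isinstance(value, expected):
            errors.append(f"{name}: expected {expected.__name__}")
        elif expected is list and not all(isinstance(v, str) for v in value):
            errors.append(f"{name}: expected an array of strings")
    return errors


def rs256_verify(signing_input, signature, jwk):
    """RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017 section 8.2.2), done by hand."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def verify_token(token, jwks):
    """Return (signature_ok, header, claims); raises ValueError on bad input."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    problems = header_type_errors(header)
    if problems:
        raise ValueError("bad JOSE header: " + "; ".join(problems))
    if header.get("alg") != "RS256":  # pin the algorithm; never trust alg alone
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no RSA key with kid %r" % header.get("kid"))
    claims = json.loads(b64url_decode(p))
    ok = rs256_verify((h + "." + p).encode("ascii"), b64url_decode(s), key)
    return ok, header, claims


def forge_exp(token, extra_seconds):
    """Re-encode the payload with a later exp while keeping the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["exp"] += extra_seconds
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return ".".join([h, b64url_encode(body), s])


if __name__ == "__main__":
    ok, header, claims = verify_token(TOKEN, JWKS)
    print("signature valid:", ok, "| ver:", header["ver"], type(header["ver"]).__name__)
    print("forged exp verifies:", verify_token(forge_exp(TOKEN, 3600), JWKS)[0])
```

The point of header_type_errors is the distinction the fix draws: "alg": 256 or "crit": ["ver", 4] is a malformed header and is rejected, while the private "ver": 4 passes through untouched and the signature still verifies over the original base64url segments. A production verifier would in addition check exp, iss and aud from the returned claims; this block deliberately stops at the signature so that the expired token from the APAR can still be used as input.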
Temporary fix
Use only string values in the JOSE header parameters of JWTs (only possible where the token issuer is under your control).
Comments
APAR Information
APAR number
IT35990
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
A0X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-02-22
Closed date
2021-03-29
Last modified date
2021-03-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
RA0X PSY
UP
Product: IBM DataPower Gateways (SS9H2Y); Line of Business: Automation (LOB45); Business Unit: Cloud & Data Platform (BU053); Platform: Platform Independent (PF025); Version: A0X
Document Information
Modified date:
30 August 2021