IBM Support

IT35990: VALIDATION OF TOKENS WITH NON STRINGS IN THE JWT HEADER FAIL

APAR status

  • Closed as program error.

Error description

  • When a JWT has a non-string value in its JOSE header, the
    token doesn't validate,
    i.e., in the token below
    ===
    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFwcElkLTg3OTRiNDFi
    LTQ3MDUtNDM4MS1hOTZlLTQ2ZGZhYmYzZjI0OS0yMDIxLTAxLTExVDEzOjQ3OjQ3
    LjU1NiIsInZlciI6NH0.eyJpc3MiOiJodHRwczovL2V1LWRlLmFwcGlkLmNsb3Vk
    LmlibS5jb20vb2F1dGgvdjQvODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFi
    ZjNmMjQ5IiwiZXhwIjoxNjExNjcyNDQ4LCJhdWQiOlsiZDEyZTMzNzUtZmVlMS00
    YjM1LTk1Y2QtZGYwM2VlMjAxM2Q2Il0sInN1YiI6ImM5OTE3OThlLTI0MDItNDI5
    MS04NDAwLWUxMzg3N2NiYmJiNiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhbXIi
    OlsiY2xvdWRfZGlyZWN0b3J5Il0sImlhdCI6MTYxMTY2ODg0OCwidGVuYW50Ijoi
    ODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFiZjNmMjQ5Iiwic2NvcGUiOiJv
    cGVuaWQgYXBwaWRfZGVmYXVsdCBhcHBpZF9yZWFkdXNlcmF0dHIgYXBwaWRfcmVh
    ZHByb2ZpbGUgYXBwaWRfd3JpdGV1c2VyYXR0ciBhcHBpZF9hdXRoZW50aWNhdGVk
    IGV4ZWN1dGUgcGF5bWVudHMifQ.Jj_e4SffuGstgJNXQGkpU7u4owdXgjg-FdOxK
    _8Z9Uv9o3yH_h1grtKwnZrxLqTIITBROjvw_jJFYbPxXn8xZH0hQz8cMmBySMvpD
    2c-U8UDxhgHUBwTdMyxNYgUNDadokCf-0A-wvyp0wFngepP6J_KLJrJPkh8vogNn
    njbisDXjBsCGEqeBpUtlALdmLD41B46sXydZkPUOOlQcnSvwW5LZdLidTY9SKDLI
    qGAciuMgUA47058fPnipYHjaNK3aLUaX7KVTpBaKBi9zQUHkmRvyiwxzSD32AZXv
    5dbm7gmvPzuUshHArdyfJCtZmAv2xMNfQC979DaWQIraPhcwg
    ===
    we have the JOSE header
    ' "ver": 4'
    which results in the following error
    ===
    [request][172.30.124.139] gtid(b799ce6c601036ea000046b1):
    Invalid type 'number (4)' detected on method invocation. Method
    name: setProtected; Parameter index: 1; Expected type: string
    20210126T153611.245Z [apiconnect][0x87e00050][crypto][error]
    apigw(apiconnect): tid(18097)[request][172.30.124.139]
    gtid(b799ce6c601036ea000046b1): The input data is not a valid
    JWT.
    ===
    Understandably, this is problematic in a validate policy, as we
    can't control the incoming token.
    To reproduce, have the token above validated against the
    following JWK with an APIC validate policy or GWS
    ===
    {
    "keys": [
      {
       "kty": "RSA",
       "use": "sig",
       "n":
    "ALwt_NNlrMPSUZtn6tWF_abxlqcVO6HsP12GOc3OHkSvFZ21cZ2pIuxlI_opMWo
    Zx3_HPAjXYYaJhOI1VmSePV7DdMsj5g1GwUHqVEKHs-OJrjf-6U46J5zTCsdTuSi
    XL9WJ61NgttKtH_UFj7yuKTSxFCjoaeSY4qcDEGBWw1Oc9FGDgdGE6zIOU3qXPU8
    yWkxi9CtXmdkKMvfN6H-lFUoBF8WQGV4bnbtK8Q9gHqYJ3-IOFCORqVdgi96QAhM
    YsyQMnVCr8zXpIfrrwSOe_NyOEOYgDww4UzMOEqYjPo9ASwAmbyYJPj4sSkNWw1h
    L_J05riDKI6OcjZYdCuREzP0",
       "e": "AQAB",
       "kid":
    "appId-8794b41b-4705-4381-a96e-46dfabf3f249-2021-01-11T13:47:47.
    556"
      }
    ]
    }
    ===
    

Local fix

Problem summary

  • A JWT whose JOSE (protected) header contains a non-string value
    fails validation.
    
    For example, the header parameter
    "ver": 4
    results in the error:
    Invalid type 'number (4)' detected on method invocation. Method
    name: setProtected; Parameter index: 1; Expected type: string
    

Problem conclusion

  • JWS and JWE will now support arbitrary protected headers with
    primitive values (i.e., string, number or boolean). Protected
    header parameters that RFC 7515 defines with an explicit type
    (for example alg, typ, kid and crit) will still be constrained
    to that type.
    
    Fixed In: 10.0.1.3
    
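A worked illustration of the rule described in this conclusion, added here as an example. It is not IBM DataPower code: the function names, the strict/relaxed split and the wording of the messages are assumptions chosen to mirror the APAR text. It decodes the JOSE header of the token quoted in the error description above (which is expired and is only parsed, never signature-verified), shows that "ver" arrives as a JSON number, rejects it under the pre-fix all-strings rule, accepts it under the post-fix rule while still type-checking the RFC 7515 registered parameters, and picks the JWK from the quoted key set by kid. Python is used because it needs only the standard library.

```python
"""Added example modelling the protected-header type policy in IT35990.
Illustrative code, not IBM DataPower's implementation: the function names,
the strict/relaxed split and the error wording are assumptions chosen to
mirror the APAR text. It runs offline on the token and JWK quoted in the
APAR; the token is expired and is parsed here, never signature-verified."""
import base64
import json

TOKEN = (  # copied from the APAR's error description
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFwcElkLTg3OTRiNDFi"
    "LTQ3MDUtNDM4MS1hOTZlLTQ2ZGZhYmYzZjI0OS0yMDIxLTAxLTExVDEzOjQ3OjQ3"
    "LjU1NiIsInZlciI6NH0.eyJpc3MiOiJodHRwczovL2V1LWRlLmFwcGlkLmNsb3Vk"
    "LmlibS5jb20vb2F1dGgvdjQvODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFi"
    "ZjNmMjQ5IiwiZXhwIjoxNjExNjcyNDQ4LCJhdWQiOlsiZDEyZTMzNzUtZmVlMS00"
    "YjM1LTk1Y2QtZGYwM2VlMjAxM2Q2Il0sInN1YiI6ImM5OTE3OThlLTI0MDItNDI5"
    "MS04NDAwLWUxMzg3N2NiYmJiNiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhbXIi"
    "OlsiY2xvdWRfZGlyZWN0b3J5Il0sImlhdCI6MTYxMTY2ODg0OCwidGVuYW50Ijoi"
    "ODc5NGI0MWItNDcwNS00MzgxLWE5NmUtNDZkZmFiZjNmMjQ5Iiwic2NvcGUiOiJv"
    "cGVuaWQgYXBwaWRfZGVmYXVsdCBhcHBpZF9yZWFkdXNlcmF0dHIgYXBwaWRfcmVh"
    "ZHByb2ZpbGUgYXBwaWRfd3JpdGV1c2VyYXR0ciBhcHBpZF9hdXRoZW50aWNhdGVk"
    "IGV4ZWN1dGUgcGF5bWVudHMifQ.Jj_e4SffuGstgJNXQGkpU7u4owdXgjg-FdOxK"
    "_8Z9Uv9o3yH_h1grtKwnZrxLqTIITBROjvw_jJFYbPxXn8xZH0hQz8cMmBySMvpD"
    "2c-U8UDxhgHUBwTdMyxNYgUNDadokCf-0A-wvyp0wFngepP6J_KLJrJPkh8vogNn"
    "njbisDXjBsCGEqeBpUtlALdmLD41B46sXydZkPUOOlQcnSvwW5LZdLidTY9SKDLI"
    "qGAciuMgUA47058fPnipYHjaNK3aLUaX7KVTpBaKBi9zQUHkmRvyiwxzSD32AZXv"
    "5dbm7gmvPzuUshHArdyfJCtZmAv2xMNfQC979DaWQIraPhcwg"
)
JWKS = {"keys": [{  # copied from the APAR's error description
    "kty": "RSA", "use": "sig", "e": "AQAB",
    "n": "ALwt_NNlrMPSUZtn6tWF_abxlqcVO6HsP12GOc3OHkSvFZ21cZ2pIuxlI_opMWo"
         "Zx3_HPAjXYYaJhOI1VmSePV7DdMsj5g1GwUHqVEKHs-OJrjf-6U46J5zTCsdTuSi"
         "XL9WJ61NgttKtH_UFj7yuKTSxFCjoaeSY4qcDEGBWw1Oc9FGDgdGE6zIOU3qXPU8"
         "yWkxi9CtXmdkKMvfN6H-lFUoBF8WQGV4bnbtK8Q9gHqYJ3-IOFCORqVdgi96QAhM"
         "YsyQMnVCr8zXpIfrrwSOe_NyOEOYgDww4UzMOEqYjPo9ASwAmbyYJPj4sSkNWw1h"
         "L_J05riDKI6OcjZYdCuREzP0",
    "kid": "appId-8794b41b-4705-4381-a96e-46dfabf3f249-2021-01-11T13:47:47.556",
}]}

# RFC 7515 section 4.1 registered header parameters and the JSON type each
# is defined to carry; the fix keeps these constrained.
REGISTERED = {"alg": str, "jku": str, "jwk": dict, "kid": str, "x5u": str,
              "x5c": list, "x5t": str, "x5t#S256": str, "typ": str,
              "cty": str, "crit": list}
JSON_NAME = {str: "string", bool: "boolean", int: "number", float: "number",
             list: "array", dict: "object", type(None): "null"}


def b64url_decode(segment):
    """Decode one unpadded base64url segment of a compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jose_header(token):
    """Return the protected (JOSE) header of a compact-serialized JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))


def check_protected_header(header, relaxed):
    """Type-check header values; return a list of errors (empty means OK).

    relaxed=False models the pre-10.0.1.3 rule: every value must be a string.
    relaxed=True models the fix: registered names keep their RFC 7515 type,
    any other name may carry a string, number or boolean. Rejecting arrays
    and objects in unregistered names is this example's own choice; the APAR
    only says primitives are accepted.
    """
    errors = []
    for name, value in header.items():
        seen = JSON_NAME.get(type(value), type(value).__name__)
        if name in REGISTERED:
            want = REGISTERED[name]
            if not isinstance(value, want):
                errors.append(f"{name}: expected {JSON_NAME[want]}, got {seen}")
            elif want is list and not all(isinstance(v, str) for v in value):
                errors.append(f"{name}: array members must be strings")
        elif relaxed:
            if not isinstance(value, (str, bool, int, float)):
                errors.append(f"{name}: expected a primitive, got {seen}")
        elif not isinstance(value, str):
            # same shape as the DataPower message quoted in the APAR
            errors.append(f"Invalid type '{seen} ({json.dumps(value)})' for "
                          f"header '{name}'; expected string")
    return errors


def select_key(header, jwks):
    """Return the JWK whose kid matches the header's kid, or None."""
    kid = header.get("kid")
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


if __name__ == "__main__":
    hdr = jose_header(TOKEN)
    print(json.dumps(hdr))
    print("strict :", check_protected_header(hdr, relaxed=False))
    print("relaxed:", check_protected_header(hdr, relaxed=True))
    print("jwk kid:", select_key(hdr, JWKS)["kid"])
```

Run as a script it prints the decoded header, one error under the strict rule (for "ver") and none under the relaxed rule, then the matching kid. Note that only the header is type-checked here; a real validate policy still has to verify the RS256 signature with the selected key and enforce exp, iss and aud, none of which this example does.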

Temporary fix

  • Use only string values in the JOSE header of JWTs (a workaround
    that is available only where the token issuer is under your
    control).
    

Comments

APAR Information

  • APAR number

    IT35990

  • Reported component name

    DATAPOWER

  • Reported component ID

    DP1234567

  • Reported release

    A0X

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-02-22

  • Closed date

    2021-03-29

  • Last modified date

    2021-03-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    DATAPOWER

  • Fixed component ID

    DP1234567

Applicable component levels

  • RA0X PSY

       UP

Product: IBM DataPower Gateways (Platform Independent), Version A0X; Line of Business: Automation; Business Unit: Cloud & Data Platform

Document Information

Modified date:
30 August 2021