search cancel

Broadcom API Gateway - Encode JWT Signature Assertion configuration error: (JWT Encode) The complete JWT Header is claiming an unsupported signature type and cannot be used."

book

Article ID: 244088

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Requirements are to sign JSON Web Token with the following signature algorithm:

- ES512

As such, the header includes the following parameters before triggering the `Encode JWT` assertion:
{
  "typ": "JWT",
  "alg": "ES512"
}

However, an error is triggered when Encode JWT Assertion is used:

2022-06-02T22:17:15.123-0700 WARNING 41803 com.l7tech.external.assertions.jsonwebtoken.server.ServerJwtEncodeAssertion: 4304: Assertion configuration error: (JWT Encode) The complete JWT Header is claiming an unsupported signature type and cannot be used.

Does Encode JWT Assertion support ES256/384/512?

Environment

CA API Gateway 10.x

Cause

"Encode JWT" Assertion is now deprecated. In some cases, API Gateway 10.x systems that were upgraded from previous version may show Encode JWT in the assertion palette
However, for API Gateway 10.x the "Encode JSON Web Token" assertion must be used instead. 
Configuring the assertion correctly is crucial for correct functionality.

Resolution

Use Encode JSON Web Token Assertion, which supports ES512 as is built based on the RFC specifics. 

Reference: RFC7518 Section 3.1

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=F70Te00lIzpIWg6931L2pg==

Under the JWS tab, in the Signature Algorithm, select the correct one:

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=oltam2wvOTIdJoLsi3yqZQ==

NOTE: it is important to use the correct Private Key with the Encode JSON Web Token assertion when signing the JWS. 
The key MUST be created with the correct "Key Type" required for ES512 (Elliptic Curve P-521). Here is a key example :

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=7FU8sjZGpyEr1QqsWV9wxA==

Finally, there's no need to manually configure the header, as it will be auto-generated by the assertion when the JWS is signed.