Decode json web token failure using signing key
search cancel

Decode json web token failure using signing key


Article ID: 259686


Updated On:


CA API Gateway


The policy contains the following flow: 

1. Validate JSON access tokens issued by OKTA.

2. Retrieving the signing key from the authorization server  API 

3. Decode the JWT according to the documentation


If set assertion validation ‘none’ and just decode the JWT, it parses and get the expected output




payload:{"ver":1,"jti":"AT.EJU-Pq_RklWRsuvViwTgfAghegBOBAYgi6-h5-beQEc","iss":"","aud":"api://default","iat":1674675150,"exp":1674678750,"cid":"0oa7o0opseBIUZSu25d7","uid":"00u7nuwfwpfCBiH145d7","scp":["openid","testscope"],"auth_time":1674675147,"sub":"[email protected]"},





When setting validation to “use recipient key from context variable” and key type “JSON Web Key”  with context variable holding the JWK as a string:

Decode / validation fails.  The log shows the error messages:

2023-01-25T20:01:35.587+0000 WARNING 361 com.l7tech.external.assertions.jwt.server.ServerDecodeJsonWebTokenAssertion: 10805: JOSE Error: Error parsing JSON: null

2023-01-25T20:01:35.587+0000 WARNING 361 com.l7tech.external.assertions.jwt.server.ServerDecodeJsonWebTokenAssertion: 10802: Could not find the specified private key.

If using key type “JSON Web Key Set” and supplying context variable ${decode_result.header.kid}  as Key ID

The log error message shows:  "ServerDecodeJsonWebTokenAssertion: 10812: Key ID is required for retrieval of key from a JSON Web Key Set."



Release : 10.1


For the policy's Decode Json Web Token assertion: The source payload has KID in the header and The Recipient Key is a JWKS.

The Key Type should be "JSON Web Key Set" instead of "JSON Web Key". The Key ID field is required for JWKS.

The Decode assertion will try to convert the context variable from the Key ID field to a kid value.

If it is empty, the assertion will fail with the error message "Key ID is required for retrieval of key from a JSON Web Key Set."

In order to get the Key ID, it requires the Decode Json Web Token Assertion with Validation Method set to "None" to extract the header and payload and put the value into a context variable for the second assertion. 

This is the expected behavior but it's inconvenient for the user because it should be able to extract it internally without another Decode assertion.



Run the Decode Json Web Token assertion TWICE – once to decode only (validation = none) and THEN to validate - using the same token, it passes.  It appears that the KID cannot be extracted from the JWT in the same pass when it is referenced in the decode.