External libraries for JWT encryption and protecting the Private Key

Hi,

In our team we work extensively with Adobe.io and Experience Cloud APIs.
We've recently come across a library that seems to meet our needs when it comes to encrypting a JWT token. For this we are using the Pre-request Script capability of Postman and this library: jsrsasign - cryptography library in JavaScript.
Now I haven't done a security audit on this library, but I am conscious that the private key we are using could in fact be sent to a third party, which is obviously not good.
So my question is: does Postman support RS256 encryption so we don't have to rely on external libraries?
Does anyone else have this concern when using external libraries?
Cheers

Hello @robsay, Welcome to the community :tada:

Postman supports various external libraries including crypto-js which can be used in pre-request scripts and tests for encryption.

All the best :+1:

Hi @robsay,
I would love to see how you are creating the JWE using jsrsasign. I struggled to create a JWE in the past using any library, so if you now use something else, you can share that too.
Thank You,
Anuj

// Tips from: https://github.com/kjur/jsrsasign/issues/199
// https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-generation

var navigator = {}; // fake a navigator object for the lib
var window = {};    // fake a window object for the lib
eval(pm.globals.get("jsrsasign_js")); // import the jsrsasign source stored in a Postman global

// JWS header: RS256 = RSASSA-PKCS1-v1_5 with SHA-256
var header = {
    "alg": "RS256"
};

// JWT claims; expiry is now + 87000 seconds (roughly 24 hours)
var data = {
    "exp": Math.round(87000 + Date.now()/1000),
    "iss": pm.environment.get("IMS_ORG"),
    "sub": pm.environment.get("TECHNICAL_ACCOUNT_ID"),
    "aud": "https://" + pm.environment.get("IMS") + "/c/" + pm.environment.get("API_KEY")
};

// META_SCOPE may be a comma-separated string or an array; each scope becomes a boolean claim
var meta_scopes = pm.environment.get("META_SCOPE") || "";
if (typeof meta_scopes === "string") {
    meta_scopes = meta_scopes.split(',');
}
meta_scopes.forEach(function(scope) {
    scope = scope.trim();
    if (!scope) { return; } // skip empty entries (e.g. trailing comma)
    var meta_scope = "https://" + pm.environment.get("IMS") + "/s/" + scope;
    data[meta_scope] = true;
});

var secret = pm.environment.get("PRIVATE_KEY");

if (!secret) {
    // stop here rather than letting the signing call fail with a less useful error
    throw new Error("Ensure the Private Key is added to both INITIAL and CURRENT VALUES in the active Postman environment PRIVATE_KEY variable.");
}

console.log(data);

// Sign header + payload with the private key; the result is a compact JWS (header.payload.signature)
var sHeader = JSON.stringify(header);
var sPayload = JSON.stringify(data);
var sJWT = KJUR.jws.JWS.sign("RS256", sHeader, sPayload, secret);

console.log(sJWT);

pm.environment.set("JWT_TOKEN", sJWT);

Thank you, @robsay, for taking the time to respond. I see that you are only using a signed JWT, whereas I am looking for an encrypted JWT, or JWE (RFC 7516: JSON Web Encryption (JWE)).

Hi @anuj_kumar,

The JWT gets signed (encrypted) here:
var sJWT = KJUR.jws.JWS.sign("RS256", sHeader, sPayload, secret);
with the private key.
Have you seen: Tutorial for JWS generation · kjur/jsrsasign Wiki · GitHub?

As for JWE, my question was only regarding JWT; I'm not sure how those two relate.
Kind Regards
Robert

The thing is, JWT signing (JWS) and JWT encryption (JWE) are not the same, and I am looking for an option to create a JWE in a Postman pre-request script.
If you want to understand the difference, you can find details on both here: Signing and Encrypting with JSON Web Tokens - Security Boulevard
