In our team we work extensively with Adobe.io and Experience Cloud APIs.
We’ve recently come across a library that seems to meet our needs when it comes to encrypting a JWT token. For this we are using the Pre-request Script capability of Postman and this library: jsrsasign - cryptography library in JavaScript.
Now I haven’t done a security audit on this library but I am conscious that the private key we are using could in fact be sent to a third party, obviously not good.
So my question is: Does Postman support RS256 encryption so we don’t have to rely on external libraries?
Does anyone else have this concern when using external libraries?
Cheers
Hi @robsay,
I would love to see how you are creating the JWE using jsrsasign. I struggled to create JWE in the past using any library, so if you now use something else then you can share that too.
Thank You,
Anuj
// Tips from: https://github.com/kjur/jsrsasign/issues/199
// https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-generation
var navigator = {}; // fake a navigator object for the lib
var window = {};    // fake a window object for the lib
eval(pm.globals.get("jsrsasign_js")); // import the jsrsasign source stored in a Postman global

// JWS header: RS256 = RSASSA-PKCS1-v1_5 with SHA-256
var header = {
    "alg": "RS256"
};

// JWT claims; exp is seconds since the epoch, here roughly 24 hours from now
var data = {
    "exp": Math.round(87000 + Date.now() / 1000),
    "iss": pm.environment.get("IMS_ORG"),
    "sub": pm.environment.get("TECHNICAL_ACCOUNT_ID"),
    "aud": "https://" + pm.environment.get("IMS") + "/c/" + pm.environment.get("API_KEY")
};

// META_SCOPE may be a comma-separated string; each scope becomes a boolean claim
var meta_scopes = pm.environment.get("META_SCOPE");
if (typeof(meta_scopes) == "string") {
    meta_scopes = meta_scopes.split(',');
}
meta_scopes.forEach(function (scope) {
    var meta_scope = "https://" + pm.environment.get("IMS") + "/s/" + scope;
    data[meta_scope] = true;
});

// PEM-encoded RSA private key read from the environment; never hard-code it in the collection
var secret = pm.environment.get("PRIVATE_KEY");
if (!secret) {
    console.log("Ensure the Private Key is added to both INITIAL and CURRENT VALUES in the active Postman environment PRIVATE_KEY variable.");
}
console.log(data);

var sHeader = JSON.stringify(header);
var sPayload = JSON.stringify(data);
var sJWT = KJUR.jws.JWS.sign("RS256", sHeader, sPayload, secret);
console.log(sJWT); // note: this prints the bearer credential to the Postman console
pm.environment.set("JWT_TOKEN", sJWT);
Thank you @robsay for taking the time to respond. I see that you are only using the signed JWT, although I am looking for an encrypted JWT or JWE (RFC 7516: JSON Web Encryption (JWE)).
The thing is, JWT signing (JWS) and JWT encryption (JWE) are not the same, and I am looking for an option to create a JWE in a Postman pre-request script.
If you want to understand the difference, you can find details on both here: Signing and Encrypting with JSON Web Tokens - Security Boulevard