Verify a JWT Signature using a JWKS Object
‎02-22-2024 06:59 AM
We have a JWT sent to a Scripted REST API endpoint in our SNOW instance. We want to verify the signature of this JWT in the script, but we won't have access in our instance to an uploaded x509 certificate. We only have a JSON Object representing a JSON Web Key (JWK), which we obtain in the same script by calling a public HTTP endpoint, i.e. a JSON Web Key Set (JWKS) URL.
The JWK has "n" (i.e. the modulus) and "e" (i.e. the exponent) properties, which we need to use to verify the signature. Outside of SNOW, there are libraries available to easily perform such verification, but I have yet to find a method to do so in a SNOW Scripted REST API script.
Question: Does anyone know of a possible method to verify a JWT signature using only a JWKS endpoint in a ServiceNow script?
Other related forum posts:
‎02-28-2025 06:41 AM
Hi Jared, I'm facing the exact same issue. Have you managed to find a solution in your case? Please share if you did. Thanks so much!
‎02-28-2025 04:52 PM
Unfortunately, after several discussions with ServiceNow support, we concluded that (as of the Vancouver release) ServiceNow does not support such functionality via a JWKS URL.
My takeaway from those discussions is that JWT signature verification must be done by using the Key Management Framework's crypto operation for SIGNATURE_VERIFICATION (see: KMFCryptoOperation - Scoped, Global | ServiceNow Developers), and that requires that an x509 certificate corresponding to the JWT signature be uploaded to the ServiceNow instance. That means that if you rotate the keys, you will need to upload a new x509 each time.