D Smith


Generating RSA JWT in Postman Pre-request script

I have the following pre-request script that I am using to try to generate a JWT for a Google API. Google uses the RS256 signing algorithm (RSA with SHA-256), which is where I think I am getting stuck: CryptoJS seems to support only HmacSHA256. Any advice would be helpful:

Here's my pre-request script from Postman:

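/**
 * Encode a value as unpadded base64url, the form used for JWT segments:
 * standard base64 with trailing "=" stripped, "+" replaced by "-" and
 * "/" replaced by "_".
 *
 * @param {Object} source - value accepted by CryptoJS.enc.Base64.stringify
 *     (the callers in this script pass the result of CryptoJS.enc.Utf8.parse).
 * @returns {string} the base64url text without padding.
 */
function base64url(source) {
    // Declared with `var` so the function creates no implicit global;
    // an undeclared assignment also throws in strict-mode code.
    var encodedSource = CryptoJS.enc.Base64.stringify(source);

    return encodedSource
        .replace(/=+$/, '')   // drop trailing padding
        .replace(/\+/g, '-')  // base64url alphabet: "+" -> "-"
        .replace(/\//g, '_'); // base64url alphabet: "/" -> "_"
}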

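/**
 * Stamp the issued-at ("iat") claim on a JWT claim set.
 *
 * The claim is written on the object passed in, not on the outer `data`
 * variable, so the function works for any claim set it is given.
 *
 * @param {Object} request - claim set to update; modified in place.
 * @returns {Object} the same object, now carrying `iat`.
 */
function addIAT(request) {
    // Seconds since the epoch, backdated by 100 s.
    // NOTE(review): the backdating presumably absorbs clock skew between
    // this machine and the token endpoint; confirm that is the intent.
    request.iat = Math.floor(Date.now() / 1000) - 100;
    return request;
}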

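/**
 * Stamp the expiry ("exp") claim on a JWT claim set.
 *
 * The claim is written on the object passed in, not on the outer `data`
 * variable, so the function works for any claim set it is given.
 *
 * @param {Object} request - claim set to update; modified in place.
 * @returns {Object} the same object, now carrying `exp`.
 */
function addEXP(request) {
    // Expire 3300 s (55 min) from now. With addIAT's 100 s backdating the
    // iat-to-exp window is 3400 s, which stays under the one-hour maximum
    // Google documents for service-account assertions. A shorter lifetime
    // narrows the window in which a leaked token is usable.
    request.exp = Math.floor(Date.now() / 1000) + 3300;
    return request;
}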


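// JOSE header. "alg" must name the algorithm that actually produces the
// signature below. "kid" is a placeholder on this page.
var header = {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "xxx"
};

// Claim set for the token request. The issuer address is redacted on this
// page. NOTE(review): cloud-platform is a broad scope; request the narrowest
// scope the calls made with this token need.
var data = {
     "iss": "[email protected]",
     "aud": "https://oauth2.googleapis.com/token",
     "scope": "https://www.googleapis.com/auth/cloud-platform"

};

data = addIAT(data);
data = addEXP(data);

// SECURITY: a private key pasted into the script body is stored with the
// collection and leaves the machine with every export or share of it.
// Keep the key in a variable that stays local instead. The key body is
// elided on this page.
var privateKEY = "-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----";

// encode header
var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header));
var encodedHeader = base64url(stringifiedHeader);

// encode data
var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data));
var encodedData = base64url(stringifiedData);

// Signing input: base64url(header) + "." + base64url(claims)
var token = encodedHeader + "." + encodedData;

// RS256 is an RSA signature over SHA-256. crypto-js provides hashes, HMAC
// and symmetric ciphers but no RSA signer, so CryptoJS.RS256 is not defined.
// Fail with a clear message instead of a bare "is not a function" TypeError.
// Substituting CryptoJS.HmacSHA256 would yield an HS256 signature that does
// not match the "alg" declared in the header.
if (typeof CryptoJS.RS256 !== "function") {
    throw new Error("CryptoJS has no RS256 signer; an RSA-capable signer is required to sign this JWT");
}
var signature = CryptoJS.RS256(token , privateKEY);
// Declared explicitly so the script creates no implicit global.
var signedToken = base64url(signature);

var jwt = token + "." + signedToken;

// The signed assertion is a usable credential until "exp". It is written
// to the active environment as "payload", so treat that environment's
// values as sensitive when exporting or sharing it.
postman.setEnvironmentVariable("payload", jwt);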


Answers (2)

Guille


In your collection, open the Authorization tab and select:

JWT: Bearer
Algorithm: RS256
Private Key: {{SECRET_KEY}} (Load your file directly or set it as a collection variable)
Payload: {{PAYLOAD}} (Set this value in Pre-request Script)

Then in your Pre-request Script tab:

// Read the API key from the collection variables.
// NOTE(review): the key is used as the "sub" claim below. A JWT payload is
// only base64url-encoded, not encrypted, so anyone who sees the token can
// read this value. Confirm API_KEY is an identifier, not a secret.
const apiKey = pm.collectionVariables.get('API_KEY');

// Request path plus query string, carried in the "uri" claim.
const requestPath = pm.request.url.getPathWithQuery();

// Timestamps in whole seconds since the epoch. The token expires 20 s
// after it is issued.
const issuedAt = Math.floor(Date.now() / 1000);
const expiresAt = issuedAt + 20;

// Claims in the same key order as before: uri, iat, exp, sub.
const claims = {
    uri: requestPath,
    iat: issuedAt,
    exp: expiresAt,
    sub: apiKey,
};

// Collection variables hold strings, so serialise the claims for the
// {{PAYLOAD}} reference in the Authorization tab.
pm.collectionVariables.set("PAYLOAD", JSON.stringify(claims));

You can apply the same logic for JWT Headers

joliva


I have run into this problem a couple of times in my projects, so I decided to create an easy way to solve it. At https://joolfe.github.io/postman-util-lib/ I have published a "library" that makes it easy to perform cryptographic operations, such as generating JWTs and PKCE challenges, in Postman "Pre-request" and "Tests" scripts. Have a look, and contact me if you have any questions.

Best Regards.
