JWT Auth - Anyone using it for recipes?

[dargs]

Hello!

Our event booking system is moving to the cloud, and I'm trying to suss out using JWT Authentication..

The docs point towards existing libraries - https://jwt.io/libraries

And I'm also trying to make a supplied Postman script work - https://github.com/UngerboeckAPI/PostmanJwt

Never used it before, and struggling to get my environment vars working I think.. These are what I enter to get it working in the api help section (that has its own JWT auth key generator)...

Key
Secret
APIUserID

Anyhoo, anyone already using JWT in their recipes?

[morimoriysmoon]

@dargs

1. Add dependencies to build.gradle of nodel-framework and build.

    // JWT features
    implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5'
    runtimeOnly 'io.jsonwebtoken:jjwt-orgjson:0.11.5'
    // Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
    //runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.70'

2. Refer to sample code. It is to get access token with client secret.

from java.security import KeyFactory
from java.security.spec import PKCS8EncodedKeySpec
from io.jsonwebtoken import Jwts
from io.jsonwebtoken import SignatureAlgorithm
from org.apache.commons.codec.binary import Base64
from org.apache.commons.codec.binary import Hex


def get_json_web_token(rsaPrivateKeyString, clientId, tenantId, certHexThumbprint):

      aBase64 = Base64()

      PRV_KEY_HEADER = "-----BEGIN PRIVATE KEY-----"
      PRV_KEY_FOOTER = "-----END PRIVATE KEY-----"

      # get PrivateKey instance
      rsaPrivateKeyString = rsaPrivateKeyString.replace(PRV_KEY_HEADER, "")
      rsaPrivateKeyString = rsaPrivateKeyString.replace(PRV_KEY_FOOTER, "")

      keySpec = PKCS8EncodedKeySpec(aBase64.decode(rsaPrivateKeyString))
      kf = KeyFactory.getInstance("RSA")
      privateKey = kf.generatePrivate(keySpec)

      # prepare x5t header
      decodedHex = Hex.decodeHex(certHexThumbprint)  # array.array('b', [...])
      encodedHexB64 = aBase64.encodeBase64(decodedHex)  # array.array('b', [...])
      x5t = encodedHexB64.tostring()  # No good with str(encodedHexB64)

      guid = str(uuid.uuid4())
      audience = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenantId
      return Jwts.builder() \
        .setHeaderParam("alg", "RS256").setHeaderParam("typ", "JWT").setHeaderParam("x5t", x5t) \
        .setAudience(audience) \
        .setExpiration(DateTime.now().plusSeconds(30).toDate()) \
        .setIssuer(clientId) \
        .setId(guid) \
        .setNotBefore(DateTime.now().toDate()) \
        .setSubject(clientId) \
        .setIssuedAt(DateTime.now().toDate()) \
        .signWith(privateKey, SignatureAlgorithm.RS256) \
        .compact()

[dargs]

Hi @morimoriysmoon,

So i've just managed to build nodel with gradle and the jsonwebtoken dependences! Hurray!

But I'm a bit lost with your example, its gone way over my head when I try to compare it to my JWT requirements..

Any chance you have time do assist me rewrite this example javascript function into jython ?

From: here

function constructJWT(apiUserId, apiUserKey, apiUserSecret) { const header = { "alg": "HS256", "typ": "JWT" };
`

        const claimSet =
        {
            "iss": apiUserId,
            "key": apiUserKey,
            "exp": (KJUR.jws.IntDate.get("now") + 60).toString(), //Adds 60 seconds expiration to the Unix Epoch time
            "iat": KJUR.jws.IntDate.get("now").toString()
        }

        console.log(`header: ${JSON.stringify(header)}`);
        console.log(`claim set: ${JSON.stringify(claimSet)}`);

        var jwt = KJUR.jws.JWS.sign(null, header, claimSet, apiUserSecret);

        console.log('jwt is ' + jwt);

        return jwt;

`

[dargs]

Although I've found this- https://github.com/jwtk/jjwt#jws-create
In the io.jsonwebtoken repo.. So I'm reading thought that to see if that helps me out.

[morimoriysmoon]

Hi @dargs
I think you can start with below. But I am not sure about "key" field on paylod(=claimSet).

import io.jsonwebtoken.Jwts
import io.jsonwebtoken.SignatureAlgorithm
import io.jsonwebtoken.security.Keys
import javax.crypto.SecretKey

// https://en.wikipedia.org/wiki/JSON_Web_Token

// https://github.com/jwtk/jjwt#jws-create-key-secret
// A raw (non-encoded) string (e.g. a password String):
SecretKey key = Keys.hmacShaKeyFor("apiUserSecret".getBytes(StandardCharsets.UTF_8));

String jws = Jwts.builder()
        // header
        .setHeaderParam("alg", "HS256") // Message authentication code algorithm
        .setHeaderParam("typ", "JWT") // Token type
        // payload
        .setIssuer("apiUserId") // "iss", Issuer
        .setExpiration(DateTime.now().plusSeconds(30).toDate()) // "exp", Expiration Time
        .setIssuedAt(DateTime.now().toDate()) // "iat", Issued at
        .setId("apiUserKey") // Not sure, "jti", JWT ID
        // sign
        .signWith(key, SignatureAlgorithm.HS256)
        .compact();

[dargs]

thanks @morimoriysmoon ! Just updating my old 2015 macbookpro at home so I can run gradle and try building nodel-framework !

I think it makes sense, although not sure in my case where I'll put my Key,Secret and API User ID, but I'll cross that bridge when I get to it

[justparking]

Hey @dargs ,

FYI - there is a document here which describes how you might go about building nodel:

https://github.com/museumsvictoria/nodel/blob/master/BUILDING.md

Hopefully you have success.

Also, FYI the new Office 365 Calendar recipe which we'll release soon also happens to require a JWT library so a future official build will likely include that dependency anyway.

[dargs]

Got it working, after trying lots of different things !

from org.joda.time import DateTime
from org.joda.time import DateTimeZone
from io.jsonwebtoken import Jwts
from io.jsonwebtoken import SignatureAlgorithm
from org.apache.commons.codec.binary import Base64
from org.apache.commons.codec.binary import Hex

def get_json_web_token(apiUserKey, apiUserId, apiUserSecret):
  console.log('[get_json_web_token] called')
  aBase64 = Base64()
  encodedHexB64 = aBase64.encodeBase64(apiUserSecret)  # array.array('b', [...])  
  secretkey = encodedHexB64.tostring()  # No good with str(encodedHexB64)

  return Jwts.builder() \
    .setHeaderParam("alg", "RS256").setHeaderParam("typ", "JWT") \
    .setExpiration(DateTime.now().plusSeconds(90).toDate()) \
    .setIssuer(apiUserId) \
    .setNotBefore(DateTime.now().toDate()) \
    .setIssuedAt(DateTime.now().toDate()) \
    .claim("key",apiUserKey) \
    .signWith(SignatureAlgorithm.HS256,secretkey ) \
    .compact()