I've created a REST API and I need to validate a JSON Web Signature that is sent from the provider against a public key.
I've attempted to use a number of Forge items to verify the signature against the public key however I always encounter an error.
Public Key Example
"-----BEGIN CERTIFICATE-----\nMIIIMTCCBhmgAwIBAgIUayqvBGb8dzDDj78mIDrQor08Jg0wDQYJKoZIhvcNAQEL\nBQAwTTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxIzAh\nBgNVBAMTGlF1b1ZhZGlzIEdsb2JhbCBTU0wgSUNBIEczMB4XDTIyMTAyNTE2MTIy\nN1oXDTIzMTAyNTE2MDcwMFowgZUxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJFZGlu\nYnVyZ2gsIENpdHkgb2YxEjAQBgNVBAcMCUVkaW5idXJnaDEhMB8GA1UECgwYTGxv\neWRzIEJhbmtpbmcgR3JvdXAgUExDMTIwMAYDVQQDDClkY2FwaS1ub3RpZmljYXRp\nb25zLXRzdC5sbG95ZHNiYW5raW5nLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAMVq2JlSXd7E7YLFvCYJtDsg0j7MzHRiOA8jsXXz6TeT5H/hRPk5\no5+2vQWLndfKzhdvDWUwr+8gxGmZXA4R47zjqX6A3QHk+dqGpY2ZP63+VIvCXGSY\nmCFUtqjoYpDjX72CD6ISA7d+e7wFo2XHZYQj8L3/2UAWeATJNaLRO3O7+AcKbVdz\nrP70Wc8lTsqLSB3TCsRveQVMnOF7p7UWH5wac95Nt5+GmE69R253gYL+NsAJ17QB\npd1dGlxHwjx2vc2VGOzcaprm77FH/T9wC4DsBBImUa8w/h3j8xj63q4HmIiAwglR\npEX8x0WhO0AaZmo1d5bPK71u7JJZX7XkYhsCAwEAAaOCA74wggO6MAkGA1UdEwQC\nMAAwHwYDVR0jBBgwFoAUsxKJtalLNbwVAPCA6dh4h/ETfHYwcwYIKwYBBQUHAQEE\nZzBlMDcGCCsGAQUFBzAChitodHRwOi8vdHJ1c3QucXVvdmFkaXNnbG9iYWwuY29t\nL3F2c3NsZzMuY3J0MCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5xdW92YWRpc2ds\nb2JhbC5jb20wNAYDVR0RBC0wK4IpZGNhcGktbm90aWZpY2F0aW9ucy10c3QubGxv\neWRzYmFua2luZy5jb20wWwYDVR0gBFQwUjBGBgwrBgEEAb5YAAJkAQEwNjA0Bggr\nBgEFBQcCARYoaHR0cDovL3d3dy5xdW92YWRpc2dsb2JhbC5jb20vcmVwb3NpdG9y\neTAIBgZngQwBAgIwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDoGA1Ud\nHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmwucXVvdmFkaXNnbG9iYWwuY29tL3F2c3Ns\nZzMuY3JsMB0GA1UdDgQWBBTUI6B5gpGhxDH8I4BbjUywd70ejzAOBgNVHQ8BAf8E\nBAMCBaAwggH4BgorBgEEAdZ5AgQCBIIB6ASCAeQB4gB3AG9Tdqwx8DEZ2JkApFEV\n/3cVHBHZAsEAKQaNsgiaN9kTAAABhA/z0n0AAAQDAEgwRgIhAPMJbls3bHxa379z\nyg8glZFYFC4BP15Y5dEUzFfnTtykAiEAtg0Sv5UQclULsz1Mm6FfZm+R6vUI6nTt\ncYfaN+lsFpEAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYQP\n89J+AAAEAwBHMEUCIHcNOlc11pLPU0aIqD5Nxf3Jv5GgCvErJgEXZC16pK4KAiEA\n9KD1TjljoFik+kNIX0WlcqnTU/BfEdKIEKWw+0Gc5vIAdwBVgdTCFpA2AUrqC5tX\nPFPwwOQ4eHAlCBcvo6odBxPTDAAAAYQP89OCAAAEAwBIMEYCIQCsrNPlvhb52/ch\n3Z5XRCgRZA3anvGV0+DKaHiZMzSb7gIhANv5efe7uzZXDBtssEf2QLVD
b0FtSspv\nyFMqqc8/KEVAAHYAtz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJkAAAGE\nD/PTtAAABAMARzBFAiEAhGJNtvq/4CTWZR0l9hOVBoUYKJc8XHHXdjtYLxzBLhMC\nIC4D16NuUYjFDgj2umH8k6vB4xJ1gc3g4iZHlZ93s31CMA0GCSqGSIb3DQEBCwUA\nA4ICAQCqXqUYqk4EwWcFhTvDNRIGwhRWizLIaXNn9QL9KfADDDN9EpPHUYGRxoTU\ngd+YFl9syDfDBVhBJ5ZLjPtur/8ijUN05jEebdAdjTfP6bBhXkPNrVRSsRit3q4H\npVW6BPphmtrrNtebzA2g4Sicrsf6/wx8XrN+qOOYo9NJqInN1ALSjQ0GGxoWwgTS\niIt1XQeELBHtZXSXgh24RowqnQGO3uHWHYCpsNK0mbe3/0hQCn5Bk3TGWecTtHjC\nxUevgWpRKkrwpRJo7xWofkw9mNyCxDNNbUlnSruWCKNlwxMSxsJXJuEd5/jo7PAK\nuT0EHxJcGKzgXy/HAnUbhmKRuJCP5s/6oHrztEz3IZSJAku5XWaxdpt8dK0tCdk7\n1JOWYv1/jOpFfFwRN0cfXSDJ0r0Hqiisv385eBxQ6Bx7zcjzEcF/wveuQebcKKpG\nsfjVirORookLyeCp15tSsjcwLHK5nhPqs+9/zWImPs59v1fSFQKtq8+R0SLQvfD3\n6pXYOAIjCTG0cB948wnafwQHCwELRp0S/IhMWyofLAfBN6gq0YGDSjo6itAzX8ug\n9cD+4RNrYiBcTbGgTt10YSAMHWWG1O2l/DVjWbw8o7Jj8i9TTPaw1kSgjHZbb3sb\nfYgULnK83EdTJZI+NP1ILJ/EkxJI0k50OL76XZlEJUiKPF+xpw==\n-----END CERTIFICATE-----"
Example of JWS
IM8oOo7/e83cWwD1S8nOG/RJYwisViQmVq/5eoq7pbdPULtw/hax2xuqS5vwWdc18TxQ1c0iIbdW8KWfrFWAERHHaYju+97SM8MCn3j1yEvGZaAruftkEEcLooAO9JQ3KnaAKqMuytOiPaZ2MQOOqXhezmg1SyrwNeYLQDZpVRZK9tTII6pyNnB4OlcGaz5Ikjpya4EbnS2wdv3NUAoty77nJsul6WUmIZZ31QKn0FpTw3MA6HFlcXlF/JfoCoVdaUG1qEu9XuhGYLzlw3VbbRpA5q8HS7zDqg4n8z7fVzMkPhOokiivtalYJFY3n74174zbPThA1g/aLBDxdw/Jig==
@Craig Merrick
Looking at the example you provided, it's not a valid JWS.
A JWS is composed of three sections separated by a period ("."):
Example: eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJBbmlzaCBOYXRoIiwNCiAgImlhdCI6IDE1MTYyMzkwMjINCn0.9tFLrurxXWKBDh317ly24fP03We-uzSZtPf7Yqy_oSw
Unfortunately, the current implementation of the CryptoAPI does not support JWS signature validation. As far as I'm aware, the JWT component also only works with JWT, not JWS.
Regards,
This is an excerpt from the API Services Tech Guide.
This is what is received in the header, and the wording below indicates that this is just a signature (and maybe not a full JWT?):
'IM8oOo7/e83cWwD1S8nOG/RJYwisViQmVq/5eoq7pbdPULtw/hax2xuqS5vwWdc18TxQ1c0iIbdW8KWfrFWAERHHaYju+97SM8MCn3j1yEvGZaAruftkEEcLooAO9JQ3KnaAKqMuytOiPaZ2MQOOqXhezmg1SyrwNeYLQDZpVRZK9tTII6pyNnB4OlcGaz5Ikjpya4EbnS2wdv3NUAoty77nJsul6WUmIZZ31QKn0FpTw3MA6HFlcXlF/JfoCoVdaUG1qEu9XuhGYLzlw3VbbRpA5q8HS7zDqg4n8z7fVzMkPhOokiivtalYJFY3n74174zbPThA1g/aLBDxdw/Jig== '
Does anyone know how to validate just the signature if that's even what this is?
Hi,
Hope this component will work for you https://www.outsystems.com/forge/component-documentation/1853/jwt/0
I tried with your signature; it's working fine, both encode and decode.
https://joaoalmeida.outsystemscloud.com/JWT_Demo/GenerateToken_PEM.aspx?
Hope it will work
Thanks
I’ve tried this component already. Would you mind sharing an example of how you set it up?
Would be a massive help
Hi, you can test with this URL.
You can add your custom claims; it will generate a PDF based on your signature and encode it.
If it works, you can download the sample app and verify how it works.
I’m not really sure what this is supposed to be showing me. Sorry, I’m new to JWTs and APIs.
The third party only appears to be sending the signature and that is what needs to be compared to the public key for verification.
The components I have been using tend to have input parameters for ‘Signature’ and ‘Public Key’, and I’ve just aligned these fields with the data that I’m receiving from the third party sending us the request, as shown in my first screenshot.
Hi,
I have written an article here https://medium.com/itnext/protect-outsystems-rest-apis-using-openid-connect-87a2ac7575c1 that includes a description and a link to a sample application showing how to validate and decode a JSON Web Token using the JWT component mentioned above. It uses public keys from a key server; you can modify the sample to use a local public key, e.g. stored in a site property.
Hope that helps,
Stefan