Skip to main content

OIDC JSON Web token signature verification - Demo by a maven web application

What is JSON Web Token and when its needed?
It is a self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed and encrypted to also provide secrecy between parties (Signed Tokens - Integrity and Encrypted Tokens - Hide).
JWT needs for:
  • Authentication - Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
  • Information Exchange - Using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.
JWT Structure:
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
  • Header
  • Payload
  • Signature
Therefore, a JWT typically looks like the following. [xxxxx.yyyyy.zzzzz]

 Header
The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
Then, this JSON is Base64Url encoded to form the first part of the JWT.

 Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
Signature
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

 Why we need signature?
The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

 JWT signature creation and varification flows:

How to verify the signature in programmatic way.
Here, I have wrote a button click function which call the rest function ('/verify'). 

@RequestMapping("/verify")
    public RedirectView verify() {
        AppRestVerifier app = new AppRestVerifier();
        if(app.validateJWTSignature(this.id_token))
            this.msgVerify = "JWT Verified";
        else
            this.msgVerify = "JWT Verification Failed";
        return viewHomePage();
    }

I have created a Java class AppRestVerifier to validate the signature. In-order to validate we need to have the certificate of the created application (OIDC_App). Auth0 automatically generate the certificate for the registering application. 
So, we can download that certificate and convert it to '.jks' file formate which can be used inside the program.  

    public boolean validateJWTSignature(String jwt)
    {
        try{
            RSAPublicKey publicKey = null;
            String keyfile  = "oidcapp.jks";
            String storepass = "abc123";
            String alias = "oidc";

            InputStream file = this.getClass().getClassLoader().getResourceAsStream(keyfile);
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            keystore.load(file, storepass.toCharArray());
    
            // Get certificate of public key
            Certificate cert = keystore.getCertificate(alias);
            
            // Get public key
            publicKey = (RSAPublicKey) cert.getPublicKey();
            
            // Received JWT
            String signedJWTAsString = jwt;
    
            SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);
    
            JWSVerifier verifier = new RSASSAVerifier(publicKey);
    
            return signedJWT.verify(verifier);
        }
        catch(Exception ex){
            System.out.println(ex);
        }
        return false;
    }
The output we can get in this way is, whether the signature is valid or not.

Comments

Post a Comment

Popular posts from this blog

What is Google Hacking?

As an ethical hacker we have need to follow some general steps to be a good ethical hacker. Such that steps/stages can be listed as follows. But these steps are not a defined one. We can change them according to our needs. 1    . Reconnaissance – Gathering the information which are having the security vulnerability. 2   . Scanning - Examine/explore a target machine/network for the vulnerability that can be make use to go inside. 3    .Gaining Access – After scanning process make use of the vulnerability and attempt to move inside to the system to exploit. 4    . Maintaining Access – After moved into the machine/network hacker needs to make some backdoor to gain the access again. 5    . Clearing Tracks (unethical) – Clearing the traces of all the activities what they done in their hacking process. 6    . Reporting – End of the ethical hacking process in order to make some notes on the findings, things done in the hacking...
Post a Comment
Read more

Introduction to OAuth

What is OAuth? OAuth is a protocol that allows distinct parties to share information and resources in a secure and reliable manner. OAuth needs to consider the 2 concept to provide the informations in secure and reliable manner. They are authentication and authorization. Authentication -> Validating the person/system who need the information Authorization -> After authentication what action can be performed by the person/system. By maintaining this 2 concept OAuth is providing federated identity and delegated identity. Federated identity -> User can use his/her one application account to login another application. [Example: If a user having Facebook account then he can login Instagram with the same login as Facebook] Delegated identity -> One service can access another service resources. [Example: When creating a Facebook account with eMail address that will suggest the contacts in the eMail to add as friends] Without OAuth With OAuth User ...
Post a Comment
Read more

Hack Windows 2000 by Kali Linux through the Metasploit Framwork

It is a sample documentations to record what I have did to hack Windows 2000 by Kali Linux. ©IT Today
Post a Comment
Read more