
OIDC JSON Web token signature verification - Demo by a maven web application

What is a JSON Web Token and when is it needed?
It is a compact, self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed; it can additionally be encrypted to provide secrecy between the parties (signed tokens give integrity, encrypted tokens hide the content).
A JWT is needed for:

  • Authentication - Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
  • Information Exchange - Using public/private key pairs, you can be sure the senders are who they say they are. Additionally, as the signature is calculated over the header and the payload, you can also verify that the content hasn't been tampered with.
JWT Structure:
In its compact form, a JSON Web Token consists of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature
Therefore, a JWT typically looks like the following: xxxxx.yyyyy.zzzzz (header.payload.signature).

Header
The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.
Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.


Signature
To create the signature part you take the encoded header, the encoded payload and a secret (or a private key), and sign them with the algorithm specified in the header.

Why do we need the signature?
The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

JWT signature creation and verification flows:

How to verify the signature programmatically.
Here, I have written a button-click function which calls the REST endpoint ('/verify').

    @RequestMapping("/verify")
    public RedirectView verify() {
        // Verify the ID token received at login and set the message shown on the home page
        AppRestVerifier app = new AppRestVerifier();
        if (app.validateJWTSignature(this.id_token))
            this.msgVerify = "JWT Verified";
        else
            this.msgVerify = "JWT Verification Failed";
        return viewHomePage();
    }

I have created a Java class AppRestVerifier to validate the signature. In order to validate it we need the certificate of the created application (OIDC_App). Auth0 automatically generates the certificate for the registered application.
So we can download that certificate and convert it to a '.jks' (Java KeyStore) file, which can then be used inside the program.

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;

import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;

    public boolean validateJWTSignature(String jwt)
    {
        String keyfile   = "oidcapp.jks";   // keystore on the classpath (src/main/resources)
        String storepass = "abc123";        // keystore password
        String alias     = "oidc";          // alias under which the Auth0 certificate was imported

        // try-with-resources closes the keystore stream even when loading fails
        try (InputStream file = this.getClass().getClassLoader().getResourceAsStream(keyfile)) {
            if (file == null) {
                System.out.println("Keystore not found on classpath: " + keyfile);
                return false;
            }

            // Load the file explicitly as a JKS store (the JDK default type is PKCS12 since Java 9)
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(file, storepass.toCharArray());

            // Get certificate of public key
            Certificate cert = keystore.getCertificate(alias);
            if (cert == null) {
                System.out.println("No certificate under alias: " + alias);
                return false;
            }

            // Get public key
            RSAPublicKey publicKey = (RSAPublicKey) cert.getPublicKey();

            // Received JWT in compact form (header.payload.signature)
            SignedJWT signedJWT = SignedJWT.parse(jwt);

            // Verify the RSA signature over header.payload with the public key
            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            return signedJWT.verify(verifier);
        }
        catch (Exception ex) {
            System.out.println(ex);
        }
        return false;
    }
What we get out of this is a yes/no answer: whether the signature is valid or not.
