I have a situation where I can find out the Client_id and Client_secret from the Principle/ Basic Auth coming inside the request with the below snippet.
if(authorization!=null && !authorization.isEmpty()) {
String base64Credentials = authorization.substring("Basic".length()).trim();
byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
String credentials = new String(credDecoded, StandardCharsets.UTF_8);
String[] values = credentials.split(":", 2);
client_id=values[0];client_secret=values[1];
}
Can I provide the client_id and client_secret other than the basic auth format?
I saw we have password encoder to set as plain password encoder or bcrypt encoder to verify if the provided one and the one stored in DB are a match. But i don't see a method/ attribute so that I can control the input from a request.
Related
I need to extract the expiry date of firebase tokens. How can I extract the "exp" from the token in java?
I tried to use code from https://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens using com.nimbusds:nimbus-jose-jwt:9.23 but it fails:
String accessToken = "...";
// Create a JWT processor for the access tokens
ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
new DefaultJWTProcessor<>();
// Set the required "typ" header "at+jwt" for access tokens issued by the
// Connect2id server, may not be set by other servers
jwtProcessor.setJWSTypeVerifier(
new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("at+jwt")));
// The public RSA keys to validate the signatures will be sourced from the
// OAuth 2.0 server's JWK set, published at a well-known URL. The RemoteJWKSet
// object caches the retrieved keys to speed up subsequent look-ups and can
// also handle key-rollover
// I changed it to what I think should work for firebase, but it doesn't seem to matter what I put here:
JWKSource<SecurityContext> keySource =
new RemoteJWKSet<>(new URL("https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken#system.gserviceaccount.com"));
// The expected JWS algorithm of the access tokens (agreed out-of-band)
JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
// Configure the JWT processor with a key selector to feed matching public
// RSA keys sourced from the JWK set URL
JWSKeySelector<SecurityContext> keySelector =
new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
jwtProcessor.setJWSKeySelector(keySelector);
// Set the required JWT claims for access tokens issued by the Connect2id
// server, may differ with other servers
jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier(
null,
new HashSet<>(Arrays.asList("exp"))));
// Process the token
SecurityContext ctx = null; // optional context parameter, not required here
JWTClaimsSet claimsSet = jwtProcessor.process(accessToken, ctx);
// Print out the token claims set
System.out.println(claimsSet.toJSONObject());
I get this error:
JOSE header "typ" (type) "JWT" not allowed
com.nimbusds.jose.proc.BadJOSEException: JOSE header "typ" (type) "JWT" not allowed
at com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier.verify(DefaultJOSEObjectTypeVerifier.java:149)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:341)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:294)
I want to pass a JWT token from a NodeJS service to another service in Java. However, based on the what I've tried, the token is always invalid whenever I try to verify it on the Java side. I do understand the JWT is platform-independent but I'm not able to figure out why is the token not able to get verified on the Java side.
Error: io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted
NodeJS signing the token (using express-jwt library)
const jwtPayload = { id: "admin" };
const secret = " ... some secret ...";
const jwtData = { expiresIn: 2h };
const access_token = jwt.sign(jwtPayload, secret, jwtData);
Java verifying the token (using io.jsonwebtoken)
String secret = "...same as on the nodejs side"
String accessToken = " .. access_token from nodejs .. "
String username = Jwts.parserBuilder().setSigningKey(secret).build().parseClaimsJws(accessToken).getBody().getSubject();
I have not set any additional options either on the NodeJS side or the Java side. Am I missing some configuration on either of the platforms? Or should I be using a different library?
In my case, solved like this:
GENERATE JWT IN EXPRESS:
jwt.sign({ issuer: new Date(), roles, exp: Math.floor(Date.now() / 1000) + (43200) }, SECRET, {
algorithm: 'HS256',
subject: username,
jwtid: jwtId,
}, (err, token) => {
if (err) {
logger.error(util.inspect(err));
}
resolve({ token, jwtId });
});
IN JAVA I READ USING "SECRET".getBytes("UTF-8"):
Claims claims = Jwts.parser().setSigningKey("SECRET".getBytes("UTF-8")).parseClaimsJws(token).getBody();
request.setAttribute("claims", claims);
I think the issue is the string secret. By calling getBytes("UTF-8") on your secret and providing signWith() with the byte[], everything will work out.
String username = Jwts.parser()
.setSigningKey(secret.getBytes("UTF-8"))
.parseClaimsJws(accessToken)
.getBody()
.getSubject();
(Also need to catch the UnsupportedEncodingException!)
So basically I need to use embedded signing feature to get the URL and embed into my application, and then my customer can sign the document from my side. Apart from that, after my customer signed on the doc, he needs to ask his debtor to sign on the same doc as well.
So on DocuSign UI, I found that I can set a signing order, which means the second recipient receives the email right after the first recipient signed (perfect match my requirement).
setting on UI
However, the second recipient can not receive the email after the first signer signed even though on UI it says sent.
public Envelope embeddedSigning(Long debtorId, String signerEmail, String signerName, String templateId) throws ApiException, IOException {
// create an envelop
EnvelopeDefinition envelope = makeEnvelope(debtorId, signerEmail, signerName, templateId);
ApiClient apiClient = baseRestApiClient();
apiClient.addDefaultHeader("Authorization", "Bearer " + getToken());
EnvelopesApi envelopesApi = new EnvelopesApi(apiClient);
EnvelopeSummary summary = envelopesApi.createEnvelope(accountId, envelope);
RecipientViewRequest viewRequest = makeRecipientViewRequest(debtorId, signerEmail, signerName);
ViewUrl viewUrl = envelopesApi.createRecipientView(accountId, summary.getEnvelopeId(), viewRequest);
// #formatter:off
return Envelope.builder()
.envelopId(summary.getEnvelopeId())
.redirectUrl(viewUrl.getUrl()).build();
// #formatter:on
}
private EnvelopeDefinition makeEnvelope(Long debtorId, String signerEmail, String signerName, String templateId) throws IOException {
EnvelopeDefinition envelopeDefinition = new EnvelopeDefinition();
envelopeDefinition.setEmailSubject("Please sign this document");
envelopeDefinition.setTemplateId(templateId);
TemplateRole signer = new TemplateRole();
signer.setEmail(signerEmail);
signer.setName(signerName);
signer.clientUserId(String.valueOf(debtorId));
signer.setRoleName("signer0");
signer.setRoutingOrder("1");
TemplateRole signer1 = new TemplateRole();
signer1.setEmail("xxx");
signer1.setName("xxx");
signer1.clientUserId(String.valueOf(xxx));
signer1.setRoleName("signer1");
signer1.setRoutingOrder("2");
envelopeDefinition.setTemplateRoles(Arrays.asList(signer, signer1));
envelopeDefinition.setStatus("sent");
return envelopeDefinition;
}
You are setting signer1.clientUserId(String.valueOf(xxx)); which means you are making signer an embedded signer. By Default, DocuSign does not send email to the embedded signer. By making a signer as embedded signer, you are telling DocuSign that calling App will take care of deciding when to host signing ceremony for this signer so DocuSign will not send an email as they will not be doing signing from the email, instead it be your App which will be generating Signing URL when that signer is on your App. So if you remove signer1.clientUserId(String.valueOf(xxx)); code then you will see that signer1 will get an email from DocuSign.
Docs has more details about embedded signing.
Typically routing order starts at 1. so it should be 1 and 2, not 0 and 1.
Apart from that, "Sent" is the status for the entire envelope. The envelope goes to routing order 1 first. Then, when all recipients of routing order 1 finished signing, it goes to 2 etc. I'm not sure if you actually have an issue here, but please confirm after you changed to 1 and 2 what exactly do you see that you don't expect.
I am working on "Forgot Password". I am trying to create a reset token with email + current_time. email is user login whilst code will check if time >= 5 minutes then this link will not work. Here is my code:
// preparing token email + time
Date now = new Date();
String prepareToken = "?email="+email+"&tokenTime="+now.getTime();
// encrypt prepareToken value
Encryptor enc = new Encryptor();
resetToken = enc.encrypt(resetToken);
The token will be sent as for example as http://domainname.com/ForgotPassword?resetToken=adj23498ljj238809802340823
Problem:
When user click it then I got as request parameter and obviously decrypt this parameter but how can I get email in one String + time as another String
Please advise
If your issue is simply parsing the decoded String to get some sort of Map of your parameters, I'd suggest you to read Parse a URI String into Name-Value Collection .
Hope it helps.
EDIT :
Assuming you have the splitQuery(URL url) method from the previous link and that you successfully decoded the token :
public String getEmailFromToken(String decodedToken) {
// if you decoded your token it will looks like the prepareToken String
String stubUrl = "http://localhost"+decodedToken;
Map<String,String> map = splitQuery(new URL(stubUrl));
return map.get("timeToken");
}
I created a properly formed URL to respect the URL syntax.
With little tweak, you should be able to implement splitQuery for a String. I hope you can manage that.
This question already has answers here:
JWT (JSON Web Token) library for Java [closed]
(9 answers)
Closed 3 years ago.
I have to create my token with JWT but I don't know to do it.
You have to use a library for that.
I personally use nimbus-jose-jwt.
This is an example from their page using HS256 for sign the JWT:
// Generate random 256-bit (32-byte) shared secret
SecureRandom random = new SecureRandom();
byte[] sharedSecret = new byte[32];
random.nextBytes(sharedSecret);
// Create HMAC signer
JWSSigner signer = new MACSigner(sharedSecret);
// Prepare JWT with claims set
JWTClaimsSet claimsSet = new JWTClaimsSet();
claimsSet.setSubject("alice");
claimsSet.setIssuer("https://c2id.com");
claimsSet.setExpirationTime(new Date(new Date().getTime() + 60 * 1000));
SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet);
// Apply the HMAC protection
signedJWT.sign(signer);
// Serialize to compact form, produces something like
// eyJhbGciOiJIUzI1NiJ9.SGVsbG8sIHdvcmxkIQ.onO9Ihudz3WkiauDO2Uhyuz0Y18UASXlSc1eS0NkWyA
String s = signedJWT.serialize();
You can also use jose4j.
An example from their page using RSA for sign the JWT (public + secret key):
// Generate an RSA key pair, which will be used for signing and verification of the JWT, wrapped in a JWK
RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
// Give the JWK a Key ID (kid), which is just the polite thing to do
rsaJsonWebKey.setKeyId("k1");
// Create the Claims, which will be the content of the JWT
JwtClaims claims = new JwtClaims();
claims.setIssuer("Issuer"); // who creates the token and signs it
claims.setAudience("Audience"); // to whom the token is intended to be sent
claims.setExpirationTimeMinutesInTheFuture(10); // time when the token will expire (10 minutes from now)
claims.setGeneratedJwtId(); // a unique identifier for the token
claims.setIssuedAtToNow(); // when the token was issued/created (now)
claims.setNotBeforeMinutesInThePast(2); // time before which the token is not yet valid (2 minutes ago)
claims.setSubject("subject"); // the subject/principal is whom the token is about
claims.setClaim("email","mail#example.com"); // additional claims/attributes about the subject can be added
List<String> groups = Arrays.asList("group-one", "other-group", "group-three");
claims.setStringListClaim("groups", groups); // multi-valued claims work too and will end up as a JSON array
// A JWT is a JWS and/or a JWE with JSON claims as the payload.
// In this example it is a JWS so we create a JsonWebSignature object.
JsonWebSignature jws = new JsonWebSignature();
// The payload of the JWS is JSON content of the JWT Claims
jws.setPayload(claims.toJson());
// The JWT is signed using the private key
jws.setKey(rsaJsonWebKey.getPrivateKey());
// Set the Key ID (kid) header because it's just the polite thing to do.
// We only have one key in this example but a using a Key ID helps
// facilitate a smooth key rollover process
jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
// Set the signature algorithm on the JWT/JWS that will integrity protect the claims
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
// Sign the JWS and produce the compact serialization or the complete JWT/JWS
// representation, which is a string consisting of three dot ('.') separated
// base64url-encoded parts in the form Header.Payload.Signature
// If you wanted to encrypt it, you can simply set this jwt as the payload
// of a JsonWebEncryption object and set the cty (Content Type) header to "jwt".
String jwt = jws.getCompactSerialization();
In the question that Erik Gillespie indicates are more options.
The jwt.io page allows you to paste the generated token and see his payload. Also, if you put your secret key it would say if the integrity of the token.
Try using solution mentioned in below url:
https://dev.to/keysh/spring-security-with-jwt-3j76
You can use following method:
public String jwtToken(String name) {
long nowMillis = System.currentTimeMillis();
Date now = new Date(nowMillis);
Date expireDate = new Date(nowMillis);
Key key = MacProvider.generateKey();
String compactJws = Jwts.builder()
.setSubject(name)
.setAudience("users")
.setIssuedAt(now)
.setExpiration(expireDate)
.signWith(SignatureAlgorithm.HS512, key)
.signWith(S)
.compact();
return compactJws;
}