Using JWT with Google App Engine - java

I'm trying to adapt this example to use with GAE: https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
The above example requires a private key (secret) to sign the JWT header + payload. AppIdentityService provides a way to sign arbitrary bytes, but it does not explain how to verify the signature using the PublicCertificate.
I need help to identify 2 things:
How to store and manage the secret key in Google App Engine?
How to verify the signature using AppIdentityService?
A reference to some working example which uses JWT with GAE would be very helpful.

An adaptation of the example at https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples that should work, if GAE signs using RSASSA-PKCS1-v1_5 using SHA-256, is in the first comment of https://bitbucket.org/b_c/jose4j/issues/33/using-jwt-with-google-app-engine

Related

how to verify the signature of id_token granted by google using plain java

I am studying Google OAuth and was implementing it. Now I got the id token from Google and I don't know how I can verify the signature of the JWT (id_token) using Java. Is there a way to verify the signature without using the Google libraries?

How to call DecodeIntegrityToken API

I'm stuck trying to call the Google DecodeIntegrityToken API from my Android app. There is no documentation or examples on how to do it.
I have completed the setup and managed to get an IntegrityToken up to this point.
The setup: https://developer.android.com/google/play/integrity/verdict
Here I found how to call the API in Laravel: Decode integrity token using Google PlayIntegrity API
and this one in .NET: How to get a decoded Play Integrity API token using the Google Client API for .NET
But how can I call it from Java? There is no information. I can't find a way to call the API to decode the Integrity Token.
You can decode the response using a Java-based hosted service. The integrity token can be sent to the Google server from the hosted service and you can verify the response received from Google. Enable the PlayIntegrity API in Google Cloud Platform for the app, download the JSON file and configure the code. Similarly, you should enable PlayIntegrity in the Google Play Console.
Please check my answer.
For those who are looking for the Node.js solution, check my answer here:
Decode integrity token using Google PlayIntegrity API

Signed URL with AWS ApiGateway

I'm using AWS SigV4 to sign requests for calling AWS API Gateway.
Using requests with headers is not suited to my use case, hence the initiative to work with signed URLs and query strings.
I had used the AWS sample Python code, which works great for IAM user creation.
The same Access Key and Secret are used in both cases (IAM creation, API Gateway call), so it's definitely not an issue of a wrong access key / secret.
The main issue I see is that the signature I get is different from the one the API Gateway thinks I should send.
I've added all the documented query string parameters but still get the below error.
What am I missing here?
Here is the request URL:
https://*******.execute-api.us-east-1.amazonaws.com/******?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=**********%2F20170424%2Fus-east-1%2Fexecute-api%2Faws4_request&X-Amz-Date=20170424T124521Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Signature=**********821742cee7661ef3a0ab1e5c
While using it with the execute-api service I received the following error:
{
"message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/*******\nX-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=*********%2F20170424%2Fus-east-1%2Fexecute-api%2Faws4_request&X-Amz-Date=20170424T124521Z&X-Amz-Expires=60&X-Amz-SignedHeaders=host\nhost:*******.execute-api.us-east-1.amazonaws.com\n\nhost\n*********'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20170424T124521Z\n20170424/us-east-1/execute-api/aws4_request\n**********'\n"
}
I've also checked the Java implementation using the samples from AWS Signer Java,
but the results were the same.
SigV4 signing and this error message aren't anything specific to API Gateway itself. The signing algorithm and the verification at the AWS end are common to all AWS services.
Can you compare the canonical string that is in the error message with the one that you are generating while sending the request? That should help you identify the issue.
Also, go through the step-by-step explanation to see if you are doing everything right. One of the common issues is case-sensitivity of header names and the sorting order of parameters.
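The comparison the answer suggests, as an added example that is not from the question or the AWS samples: it rebuilds the query-string (presigned) SigV4 canonical request, string-to-sign and signature with the Python standard library in the exact line layout the error message prints, and a helper reports the first line that differs from the service's copy. The credentials, host and path are constructed placeholders standing in for the masked values; the payload hash is assumed to be SHA-256 of an empty body (the general SigV4 rule for a bodyless GET; S3 presigned URLs use the literal UNSIGNED-PAYLOAD instead).

```python
import hashlib
import hmac
import urllib.parse
from itertools import zip_longest

# Constructed sample values, not real credentials; the question's masked
# values are replaced by obvious placeholders.
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEKEY", "EXAMPLE_SECRET_KEY"
REGION, SERVICE = "us-east-1", "execute-api"
HOST, PATH = "abc123.execute-api.us-east-1.amazonaws.com", "/prod"
EMPTY_BODY = hashlib.sha256(b"").hexdigest()  # payload hash for a GET with no body
def canonical_query(params):
    # Sorted by name, RFC 3986 encoded: "/" in the credential scope becomes %2F.
    q = lambda s: urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))

def canonical_request(method, path, params, headers, payload_hash=EMPTY_BODY):
    # Header names lowercased and sorted, values trimmed: case and ordering slips show up here.
    low = {k.lower(): v.strip() for k, v in headers.items()}
    canon_headers = "".join(f"{n}:{low[n]}\n" for n in sorted(low))
    return "\n".join([method, path, canonical_query(params), canon_headers,
                      ";".join(sorted(low)), payload_hash])

def string_to_sign(amz_date, scope, canon_req):
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(canon_req.encode()).hexdigest()])

def signing_key(secret, date_stamp):
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    key = ("AWS4" + secret).encode()
    for part in (date_stamp, REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def presign(method, amz_date, expires=60):
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    canon_req = canonical_request(method, PATH, params, {"Host": HOST})
    sts = string_to_sign(amz_date, scope, canon_req)
    sig = hmac.new(signing_key(SECRET_KEY, date_stamp), sts.encode(), hashlib.sha256).hexdigest()
    url = f"https://{HOST}{PATH}?{canonical_query(params)}&X-Amz-Signature={sig}"
    return url, canon_req, sts
def first_mismatch(expected, actual):
    # First differing line between the service's canonical string and ours, or None.
    pairs = zip_longest(expected.split("\n"), actual.split("\n"), fillvalue="")
    return next(((i, e, a) for i, (e, a) in enumerate(pairs) if e != a), None)
```

Paste the canonical string from the error body (unescaping the `\n`s) as `expected` and your own as `actual`; the returned index maps directly onto the method, path, query, header, signed-headers and payload-hash lines.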

Signature Attribute Values in SAML 2.0

I am in the process of creating a SAML 2.0 response from the IdP to the SP. What I need is to get the values of the SAML 2.0 attributes from the certificate I got. The following are the SAML 2.0 attributes:
```xml
<ds:SignatureValue> value from certificate </ds:SignatureValue>
<ds:DigestValue> value from certificate </ds:DigestValue>
```
Can anybody also guide me on what exactly the steps are that I need to perform on the SP side to successfully validate the generated SignatureValue from the given certificate?
Thanks!
There is an Oracle tutorial on how to validate XML digital signatures using the javax.xml.crypto.dsig APIs:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html
Unfortunately I did not have an easy time actually locating the code samples to download. I did find one bit of the sample validation code here.
Another good article is here.
At some point you'll need to obtain your SP's public key from the certificate and provide it to your validation code; that's covered in the tutorial in the section on using KeySelectors. You can use the keytool command to extract it from the certificate and add it to a keystore. Sometimes this comes from an offline key/certificate exchange; sometimes the key itself comes within the SAML document as X.509 data within <KeyInfo>.

Trying to write a java code to authenticate Graph API

I'm trying to write Java code to authenticate to the Graph API via the Azure Access Control Service (ACS) using OAuth 2.0.
Based on what I've read, there are four steps to this:
Generate an assertion which includes the Service Principal's X.509 certificate (alternatively, a symmetric key can also be used).
Present the assertion to the Azure ACS Security Token Service (STS).
ACS accepts the assertion and authenticates the Service Principal, returning a minted OAuth access token (i.e. a JWT token).
Subsequent API call submissions include the access token.
Can anyone tell me where I should begin? For example, where can I find the Java API, and how do I generate a symmetric key or an assertion with the X.509 cert? I want to create a Java app which will create users in Office 365, and authenticating is the initial step. Thanks for the help.
I think you would need to start from here:
How to Authenticate Web Users with Windows Azure Access Control Service Using Eclipse - This example uses Windows Live ID as the identity provider; a similar technique could be used for other identity providers as applicable.
Once your Java-based code is authenticating users successfully, you can go ahead and implement further to connect with other providers.
