11.6
I am receiving a JWT token and wonder if there is a simple way of reading the info? I have checked it with jwt.io and can see the data I would like to read. Is there a way of reading the header and payload with Progress? I am TOTALLY new to this security concept, and reading to understand.
No, Progress doesn't provide any such tool to extract header and payload information from a JWT token.
Actually, it's easy to extract the data using progress. **
Basically a JWT is just a string with the following format:
header.payload.signature
where header, payload and signature are base64 encoded strings
when decoded, header and payload are stringified json objects
you must remember that a JWT is only encoded and signed - the contents are *not* encrypted
** never having done this, take my comment with a pinch of salt ;)
I have tried to use base64-encode on both header and payload, without luck :-/ so I believe it is because the token has been webified, so how to unwebify it and read it is my question. Are there other tools I can use? What about Auth0?
do you mean base64-decode ?
base64 is a standard for transmitting the data across - if you've got a valid jwt then it should be .. valid .. ;) No such thing as a "webified" base64 string.
could you post the jwt that you have received in openedge ?
I meant base64-decode :-) sorry
I'm sure the token is valid. The jwt string you get in openedge is header.payload.signature so did you base64-decode(entry(2,jwt,".")) ?
Correct,
This is the header....
eyJraWQiOiJtcVQ1QTNMT1NJSGJwS3JzY2IzRUhHcnItV0lGUmZMZGFxWl81SjlHUjlzIiwiYWxnIjoiUlMyNTYifQ
an online base64 decode gives
{"kid":"mqT5A3LOSIHbpKrscb3EHGrr-WIFRfLdaqZ_5J9GR9s","alg":"RS256"}
so not sure why the OE version would not work. Is your longchar coded to UTF-8 ?
def var mPnt   as memptr   no-undo.
def var lcTest as longchar no-undo.

fix-codepage(lcTest) = 'utf-8'.
/* header segment exactly as it arrives in the token: 90 characters, no trailing "==" */
lcTest = "eyJraWQiOiJtcVQ1QTNMT1NJSGJwS3JzY2IzRUhHcnItV0lGRmZMZGFxWl81SjlHUjlzIiwiYWxnIjoiUlMyNTYifQ".
/* base64-decode expects standard, padded base64 and returns a memptr */
mPnt = base64-decode(lcTest).

CATCH eAny AS Progress.Lang.Error :
    MESSAGE eAny:GetMessage(1)
        VIEW-AS ALERT-BOX.
END CATCH.
Gives me an error....:
Error converting Base64 to RAW (12119)
Even if you get the ABL to decode this, you won’t have verified it so how can you trust the payload isn’t forged?
I once came across that there are different implementations of b64-encode, with different numbers of "=" at the end.
So if you add one or two "=" to your string it will work.
Furthermore this seems to be B64URL encoded and not B64. So you will have to replace "-" with "+" and "_" with "/" before Decoding with B64-DECODE.
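Added example (Python, not code from the thread or from OpenEdge): the two fixes in the reply above, alphabet swap and "=" padding, applied to the header segment quoted earlier in the thread, plus a constructed payload and a junk signature to show that decoding a token says nothing about whether it is genuine. SAMPLE_CLAIMS and FORGED_TOKEN are constructed here for the demonstration.

```python
import base64
import binascii
import json

# Header segment quoted earlier in the thread: 90 chars, so length mod 4 == 2 and
# the two "=" that a standard base64 decoder wants are missing.
HEADER_SEGMENT = ("eyJraWQiOiJtcVQ1QTNMT1NJSGJwS3JzY2IzRUhHcnItV0lGUmZMZGFxWl81SjlH"
                  "UjlzIiwiYWxnIjoiUlMyNTYifQ")

# Constructed sample claims (not from the thread). The "?" at byte offset 11 of the
# compact JSON lands in the last slot of a base64 triple, so the segment contains "_",
# a character that only exists in the base64url alphabet.
SAMPLE_CLAIMS = {"sub": "abc?", "iss": "https://issuer.example/", "exp": 1700000000}


def b64url_decode(segment: str) -> bytes:
    """Undo base64url (RFC 4648 section 5): swap alphabet, restore padding, decode."""
    std = segment.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)   # 0, 1 or 2 pad chars; the "add ==" fix, generalised
    return base64.b64decode(std, validate=True)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def plain_base64_fails(segment: str) -> bool:
    """True when a plain base64 decode of a raw JWT segment raises (the thread's symptom)."""
    try:
        base64.b64decode(segment, validate=True)
        return False
    except binascii.Error:
        return True


def read_unverified(token: str):
    """Return (header, claims, signature_bytes). Nothing here checks the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must be header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def build_token(header_segment: str, claims: dict, signature: bytes) -> str:
    """Assemble a token from its parts; used only to construct the sample below."""
    payload_segment = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([header_segment, payload_segment, b64url_encode(signature)])


# Eight zero bytes are not an RS256 signature, yet the token decodes exactly like a
# genuine one: decoding is not verification, so the claims stay untrusted until the
# signature has been checked against the issuer's public key.
FORGED_TOKEN = build_token(HEADER_SEGMENT, SAMPLE_CLAIMS, b"\x00" * 8)
```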
You are so correct :-) that did it. It was lack of == at the end. I will also check regarding URL encoding.
Here is some sample code that will read a token using the Chilkat .NET control and return a JSONObject with the payload and header. Stuff it inside a class method or a called procedure.
/* USING goes at the top of the class or .p file that holds this code */
USING Progress.Json.ObjectModel.*.

DEFINE INPUT PARAMETER ipToken AS CHARACTER NO-UNDO.

DEFINE VARIABLE ckGlobal      AS Chilkat.Global    NO-UNDO.
DEFINE VARIABLE publicKey     AS Chilkat.PublicKey NO-UNDO.
DEFINE VARIABLE jwt           AS Chilkat.Jwt       NO-UNDO.
DEFINE VARIABLE cTokenPayload AS CHARACTER         NO-UNDO.
DEFINE VARIABLE cTokenHeader  AS CHARACTER         NO-UNDO.
DEFINE VARIABLE oJSONParser   AS ObjectModelParser NO-UNDO.
DEFINE VARIABLE tokenPayload  AS JsonObject        NO-UNDO.
DEFINE VARIABLE tokenHeader   AS JsonObject        NO-UNDO.
DEFINE VARIABLE tokenObject   AS JsonObject        NO-UNDO.

// Authorize Chilkat Bundle
ckGlobal = NEW Chilkat.Global().
ckGlobal:UnlockBundle('MyChilkatAuthCode').
IF NOT ckGlobal:LastMethodSuccess THEN
    UNDO, THROW NEW Progress.Lang.AppError(ckGlobal:LastErrorText).

// Load the Public Key to verify the token
publicKey = NEW Chilkat.PublicKey().
publicKey:LoadFromFile("PublicKey.pem").
IF NOT publicKey:LastMethodSuccess THEN
    UNDO, THROW NEW Progress.Lang.AppError("Invalid Public Key: " + publicKey:LastErrorText, 500).

// Get a JWT instance
jwt = NEW Chilkat.Jwt().
IF NOT jwt:LastMethodSuccess THEN
    UNDO, THROW NEW Progress.Lang.AppError("Invalid Token: " + jwt:LastErrorText, 500).

// Check the RS256 signature against the loaded public key before trusting anything
// in the token (the original post loaded the key but never used it)
IF NOT jwt:VerifyJwtPk(ipToken, publicKey) THEN
    UNDO, THROW NEW Progress.Lang.AppError("Token signature invalid: " + jwt:LastErrorText, 401).

// Header and payload come back as (already base64url-decoded) JSON strings
ASSIGN
    cTokenPayload = jwt:GetPayload(ipToken)
    cTokenHeader  = jwt:GetHeader(ipToken).

oJSONParser  = NEW ObjectModelParser().
tokenPayload = CAST(oJSONParser:Parse(cTokenPayload), JsonObject).
tokenHeader  = CAST(oJSONParser:Parse(cTokenHeader), JsonObject).

tokenObject = NEW JsonObject().
tokenObject:Add("header", tokenHeader).
tokenObject:Add("payload", tokenPayload).

RETURN tokenObject.

CATCH e AS Progress.Lang.Error :
    UNDO, THROW e.
END CATCH.
We tried the same, with plain progress first and hit that Base64 issue, then had to deal with certificates so settled on the System.IdentityModel.Tokens.Jwt package from Microsoft, though it seems to be in a state of flux and changes from one version to the next. Got the 5.2.2 version working and can now validate an auth0 issued, RS256 signed jwt...
Nice to know :-) was it straightforward using it?
Sort of, once we sorted out the working version and the mechanics. The certificate business made things a bit more complicated.
MS seem to be still working on this, the API changed from 4.xx to 5.xx, the doco was not in sync, the samples were around 4.xx and the certificate business only worked in 5.xx
Free code so can't complain...
It turned out we need 2 assemblies - Microsoft.IdentityModel.Tokens, Version=5.2.2.0 and System.IdentityModel.Tokens.Jwt, Version=5.2.2.0
You then use the System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler:ValidateToken to get a yay/nay and a "Microsoft.IdentityModel.Tokens.SecurityToken" object which you can then cast to System.IdentityModel.Tokens.Jwt.JwtSecurityToken which is a nice JWT representation.
I'll see if I can put up some sample code...
You're the man :-) thanx