I've got a JWT base64-encoded payload and a public certificate. I am able to decode the payload in Apex but am having a hard time validating the signature. Its header has the algorithm RS256. How do I do this in Apex?
[SalesForce] JWT verify signature
Related Solutions
You must follow the following links; they will be helpful for understanding signature verification in Salesforce Apex.
For SHA1
you can use the below code snippet:
    private String getMac(String requestString, String secretKey) {
        String algorithmName = 'hmacSHA1'; // the other options are: hmacMD5, hmacSHA256, and hmacSHA512
        Blob input = Blob.valueOf(requestString);
        // Crypto.generateMac takes the key as a Blob, not a String
        Blob signing = Crypto.generateMac(algorithmName, input, Blob.valueOf(secretKey));
        String str = EncodingUtil.urlEncode(EncodingUtil.base64Encode(signing), 'UTF-8');
        return str;
    }
Use this str if you want the signature URL-encoded; if you want it in base64-encoded form only, then use the below code in place of str:
    String str = EncodingUtil.base64Encode(signing);
For HMACSHA256
you can use the below code snippet:
    String secretKey = 'YOUR_SECRET_KEY'; // placeholder: the shared secret agreed with the other side
    String timestamp1 = Datetime.now().formatGmt('EEE, d MMM yyyy HH:mm:ss Z');
    String action = 'Action';
    String algorithmName = 'HMACSHA256';
    Blob mac = Crypto.generateMac(algorithmName, Blob.valueOf(timestamp1),
                                  Blob.valueOf(secretKey));
    String macUrl = EncodingUtil.base64Encode(mac);
Use the str/macUrl wherever you need the signature; it may go in a header if you use the POST
method.
For SHA-1 signatures in Apex you can follow the below three links:
http://www.tgerm.com/2012/07/sha-1-apex-rackspace-salesforce.html AND
http://blog.jeffdouglas.com/2010/07/06/using-rsa-sha1-with-salesforce-crypto-class/
and
http://wiki.developerforce.com/page/Apex_Crypto_Class
I now have this working for the specific case of connecting back to Salesforce from Salesforce. So essentially it is a port of the Java sample code to Apex. So it appears that Apex's RSA-SHA256 is indeed equivalent to Java's SHA256withRSA.
Steps to get this to work were also:
- Create a certificate via Setup -> Security Controls -> Certificate and Key Management -> Create Self-Signed Certificate with a key size of 2048 and use that name in the Apex Crypto.signWithCertificate call.
- Create a connected app via Setup -> Create -> Apps -> Connected Apps -> New. Upload a copy of the cert created in the previous step to that and as a start select all the oauth scopes (you can cut them down later). Also use the "Manage" to add the profile of the User to the connected app.
In terms of using this protocol to connect to other identity providers such as Google, the (draft) spec says that:
Of the JWS signing algorithms, only HMAC SHA-256 and "none" MUST be implemented by conforming JWT implementations. It is RECOMMENDED that implementations also support the RSA SHA-256 and ECDSA P-256 SHA-256 algorithms. Support for other algorithms and key sizes is OPTIONAL.
The Crypto.generateMac method appears to support hmacSHA256 (alg "HS256" in JWT) so that might be the right choice in some cases.
PS: The Apex code is posted here: An Apex implementation of the OAuth 2.0 JWT Bearer Token Flow.
Best Answer
As of now the Apex Crypto Class doesn't support the verify method. https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_restful_crypto.htm
And most of the examples found are for CallOuts.
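As an added example that is not part of any answer above, the class below shows the verification side that the question asks for, in Apex, for both algorithms the thread discusses: HS256 via Crypto.generateMac (the hmacSHA256 path mentioned in the second answer, recomputing the MAC over header.payload and comparing it case-sensitively with the token's third segment) and RS256 via Crypto.verifyWithCertificate, which the Apex Crypto class gained after this thread was written. Assumptions: the HS256 secret is shared out of band; for RS256 the signer's certificate has been uploaded under Setup -> Certificate and Key Management with the developer name passed as certDevName; the class name JwtVerifier and the exception type are my own. The code rejects any token whose alg does not match what the caller expects, so a header claiming "none" or a different algorithm is never accepted.

```apex
// Added example: verifying a compact JWT (header.payload.signature) in Apex.
// Assumes the org's API version includes Crypto.verifyWithCertificate and that
// the RS256 signer's certificate is uploaded under the given developer name.
public class JwtVerifier {

    public class JwtException extends Exception {}

    // base64url -> Blob: restore the standard alphabet and the '=' padding
    private static Blob base64UrlDecode(String s) {
        String std = s.replace('-', '+').replace('_', '/');
        Integer pad = Math.mod(4 - Math.mod(std.length(), 4), 4);
        std += '='.repeat(pad);
        return EncodingUtil.base64Decode(std);
    }

    // Blob -> base64url string, the form a JWT signature has on the wire
    private static String base64UrlEncode(Blob b) {
        return EncodingUtil.base64Encode(b)
            .replace('+', '-').replace('/', '_').replace('=', '');
    }

    private static List<String> splitToken(String token) {
        List<String> parts = token.split('\\.');
        if (parts.size() != 3) {
            throw new JwtException('Malformed token: expected 3 segments');
        }
        return parts;
    }

    // Parse the JOSE header so the caller's expected alg can be enforced.
    // The comparison uses String.equals because Apex == is case-insensitive.
    private static void requireAlg(String encodedHeader, String expectedAlg) {
        Map<String, Object> header = (Map<String, Object>)
            JSON.deserializeUntyped(base64UrlDecode(encodedHeader).toString());
        String alg = (String) header.get('alg');
        if (alg == null || !alg.equals(expectedAlg)) {
            throw new JwtException('Unexpected alg: ' + alg);
        }
    }

    // HS256: recompute HMAC-SHA256 over "header.payload" with the shared secret
    // and compare with the signature segment. Returns the payload JSON.
    public static String verifyHs256(String token, String secret) {
        List<String> parts = splitToken(token);
        requireAlg(parts[0], 'HS256');
        Blob signingInput = Blob.valueOf(parts[0] + '.' + parts[1]);
        Blob expected = Crypto.generateMac('hmacSHA256', signingInput, Blob.valueOf(secret));
        // String.equals is case-sensitive; Apex offers no constant-time compare
        if (!base64UrlEncode(expected).equals(parts[2])) {
            throw new JwtException('Invalid signature');
        }
        return base64UrlDecode(parts[1]).toString();
    }

    // RS256: check the RSA-SHA256 signature over "header.payload" against the
    // public key of the uploaded certificate. Returns the payload JSON.
    public static String verifyRs256(String token, String certDevName) {
        List<String> parts = splitToken(token);
        requireAlg(parts[0], 'RS256');
        Blob signingInput = Blob.valueOf(parts[0] + '.' + parts[1]);
        Blob signature = base64UrlDecode(parts[2]);
        if (!Crypto.verifyWithCertificate('RSA-SHA256', signingInput, signature, certDevName)) {
            throw new JwtException('Invalid signature');
        }
        return base64UrlDecode(parts[1]).toString();
    }
}
```

Usage: call JwtVerifier.verifyHs256(token, secret) or JwtVerifier.verifyRs256(token, 'MyUploadedCert') and only then parse the returned payload JSON for claims such as exp, iss and aud; the alg check is done against what the receiver expects rather than what the token announces, which is the point of refusing to trust the header's alg field.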