[SalesForce] JWT verify signature

I've got a jwt base64 encoded payload and a public certificate. I am able to decode the payload in apex but having hard time validating the signature. Its header has the algorithm RS256. How do I do this in APEX?

Best Answer

As of now the Apex Crypto Class doesn't support the verify method. https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_restful_crypto.htm

And most of the examples found are for CallOuts.

Related Solutions

[SalesForce] Verifying a signature in Apex

You must follow the Following link it will be helpful for you to understand the Signature varification in Salesforce Apex. For SHA1 you can use the below code snippet:

private String getMac(String RequestString, String secretkey) {
String algorithmName = ‘hmacSHA1′; // the other options are: hmacMD5, hmacSHA256, and hmacSHA512
Blob input = Blob.valueOf(RequestString);
Blob signing =Crypto.generateMac(algorithmName, input, secretkey);
String str=EncodingUtil.urlEncode(EncodingUtil.base64Encode(signing), ‘UTF-8′);

use this str if you want signature in url encode if you want it in base64encode form only, then use the below code in place of str:

String str=EncodingUtil.base64Encode(signing);

For HMACSHA256 you can use the below code snippet:

string timestamp1 = datetime.now().formatGmt('EEE, d MMM yyyy HH:mm:ss Z');
String action = 'Action';
String algorithmName = 'HMACSHA256';
Blob mac = Crypto.generateMac(algorithmName, Blob.valueOf(timestamp1),
Blob.valueOf(Secretkey));
String macUrl =EncodingUtil.base64Encode(mac);

Use the str/macUrl where you want to use Signature may be it in the header if you use the POST method. For Sha-1 signature in APEX You can follow the below three links: http://www.tgerm.com/2012/07/sha-1-apex-rackspace-salesforce.html AND http://blog.jeffdouglas.com/2010/07/06/using-rsa-sha1-with-salesforce-crypto-class/ and http://wiki.developerforce.com/page/Apex_Crypto_Class

[SalesForce] Has anyone got the OAuth 2.0 JWT Bearer Token Flow to work initiated from Apex code now ‘RSA-SHA256’ signing is available

I now have this working for the specific case of connecting back to Salesforce from Salesforce. So essentially it is a port of the Java sample code to Apex. So it appears that Apex's RSA-SHA256 is indeed equivalent to Java's SHA256withRSA.

Steps to get this to work were also:

Create a certificate via Setup -> Security Controls -> Certificate and Key Management -> Create Self-Signed Certificate with a key size of 2048 and use that name in the Apex Crypto.signWithCertificate call.
Create a connected app via Setup -> Create -> Apps -> Connected Apps -> New. Upload a copy of the cert created in the previous step to that and as a start select all the oauth scopes (you can cut them down later). Also use the "Manage" to add the profile of the User to the connected app.

In terms of using this protocol to connect to other identity providers such as Google, the (draft) spec says that:

Of the JWS signing algorithms, only HMAC SHA-256 and "none" MUST be implemented by conforming JWT implementations. It is RECOMMENDED that implementations also support the RSA SHA-256 and ECDSA P-256 SHA-256 algorithms. Support for other algorithms and key sizes is OPTIONAL.

The Crypto.generateMac method appears to support hmacSHA256 (alg "HS256" in JWT) so that might be the right choice in some cases.

The Apex code is posted here An Apex implementation of the OAuth 2.0 JWT Bearer Token Flow.

Best Answer

Related Solutions

[SalesForce] Verifying a signature in Apex

[SalesForce] Has anyone got the OAuth 2.0 JWT Bearer Token Flow to work initiated from Apex code now ‘RSA-SHA256’ signing is available

Related Topic