In the link below is explained how to generate JWT token with header and payload to access the Apple API
However I don't see how to combine header and payload.
Can someone make an example in ruby
https://developer.apple.com/documentation/appstoreserverapi/generating_tokens_for_api_requests
Just use the jwt gem. It's a well-maintained library with regular updates. It's probably possible to do it without a gem too, but anything having to do with security should be air-tight in production, so I would just go with the gem.
Look for the correct encryption algorithm (Apple seems to be using ES256) and find it in the documentation to see an example of how to create a token with that.
The format for creating a basic JWT token with the gem (custom header fields are optional) is this:
JWT.encode your_payload, your_private_key, encryption_algorithm, custom_header_fields
Related
I want to read data from an API which requires authorization with openid-connect. My client should be written in ruby, so I can use it in a task to import data into my rails app.
I am given a configuration under theapi/.well-known/openid-configuration along with a client_id and a client_secret.
Having never worked with openid before I did some research an found the following gems that might help to obtain an auth token:
https://github.com/nov/openid_connect
https://github.com/m0n9oose/omniauth_openid_connect
Both gems lack of any documentation or examples to get started, in fact I am not even sure if they are useful for my case.
Also there is a similar SO-post, but it's five years old with zero answers:
Ruby Openid connect library with client consumption example
Could anybody help me out with a simple example on how to authorize against openid_connect in ruby, possibly using one of the mentioned gems?
I had the same issue and found a nice tutorial to solve this challenge FusionAuth
You require these 2 gems in your gemfile:
gem 'jwt' and
gem 'oauth2'
You will also be able to initialize the OAuth Client while replacing actual values of your Identity Server:
#oauth_client = OAuth2::Client.new(Rails.configuration.x.oauth.client_id,
Rails.configuration.x.oauth.client_secret,
authorize_url: '/oauth2/authorize',
site: Rails.configuration.x.oauth.idp_url,
token_url: '/oauth2/token',
redirect_uri: Rails.configuration.x.oauth.redirect_uri)
With the OAuthClient initalised you can be able to perform your desired OAuth Flow.
For Authorization with password_credentials you can use:
response = #oauth_client.client_credentials.get_token
token = response.token
You can find more Authorization Type References here: OAuth2 Docs
These two resources should enable you to complete your integration with any IdentityServer. Hope these resources stay updated.
I'm trying to validate a google jwt I got from the client, but most of the information I can find online is lacking.
For instance, this post on Stack Overflow:
From
https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken
the recommended approach:
"we recommend that you retrieve Google’s public keys from
https://www.googleapis.com/oauth2/v1/certs and perform the validation
locally.
Since Google changes its public keys only infrequently (on the order
of once per day), you can cache them and, in the vast majority of
cases, perform local validation much more efficiently than by using
the TokenInfo endpoint. This requires retrieving and parsing
certificates, and making the appropriate crypto calls to check the
signature. Fortunately, there are well-debugged libraries available in
a wide variety of languages to accomplish this."
It isn't clear to me what I'm supposed to do to validate this jwt. Most of the information I can find about how to verify the signature says to use the x5c key from jwks, but Google's page, found through the discovery doc, excludes that key.
Validation of JWT is covered in the spec (RFC 7519, section 7.2). One of the steps is validation of a signature, it's covered in JSON Web Signature (JWS) spec (RFC 7515, section 5.2). Specifications are the law but to apply the law you should understand how most applications do it or should do it. That is covered in JWT - Best Current Practices (JWT BCP; draft 06)
You can read all of that and try to implement it on your own or you can use one of the client libraries Google provides for you where all of this is, well, also done for you.
I am trying to connect React app and Rails app using Auth0. It used to be super simple since tokens were signed with HS256. But since auth.js v8 jwt tokens signed with RS256. I don't have problems with frontend but can't make RoR (I use Knock) work with new signing algorithm. I've added
config.token_signature_algorithm = 'RS256'
and
config.token_public_key = key.public_key
into Knock initializer but still no luck.
Key seems to be correct, at least it works in jwt.io or pure ruby-jwt (at least I was able to read information from token).
I am no expert working with asymmetric algorithms so any help would be appreciated. What I am trying to do right now is to get "access_token" from frontend and to send it in "authorization" header to the backend. I know I need to add "Bearer" into header but is there is any other operation I need to do with token first?
Best, Iurii
Just in case anyone interested here is short discussion on GitHub here is a link
I am trying to build a service that authenticates users using an oauth 1 signed request. The request includes an oauth token, signature, nonce, and consumer key. The server has access to the corresponding secrets, but it is unclear how to use the oauth gem to validate the token and retrieve the corresponding user. The token was originally generated using the oauth-rails plugin, but the validation needs to take place on a different server from the original rails application (but has access to the same underlying database).
How can I use the oauth gem to accomplish this?
I have looked through the source for the oauth and oauth-plugin gems, but I can't tell where this validation actually happens. Almost all of the documentation I can find refers to using the oauth gem as a consumer, not a provider.
I finally figured out the answer to this, so I'll put it here in the hopes of helping someone in the future.
Once you've retrieved the AccessToken and ClientApplication objects from the underlying database and checked the nonce and timestamp, verifying the signature is as easy as:
signature = OAuth::Signature.verify(request, {}) do |sigblock|
[token.secret, ca.secret]
end
If the signature checks out, signature will be true. Beware - if you're behind an http proxy such as nginx, the SERVER_PORT environment variable may not be correctly set for https requests and you may have to set it manually. If this (or any other seemingly tiny part of the request) is off, it can cause the signature verification to fail even if the request is valid.
I generated my OAuth signature using twitter's own tool at https://dev.twitter.com/docs/api/1/post/statuses/update How do I use the "signature base string" and "authorization header" with CFHTTP to post a new status on my own twitter account. I'm not trying to access anyone else's account, just need to be able to post status updates to my own account. Your help is really appreciated.
Don't bother writing it yourself, use this: http://monkehtweet.riaforge.org/ its great I have used it many times for twitter integration.
If you want to write it yourself, you'll have to follow the instructions documented on https://dev.twitter.com/docs.
A signature is a serialization and encoding of all your request values in combination with a signing key. It's all very well documented at https://dev.twitter.com/docs/auth/creating-signature
You'll need the hmac-sha1 encoding to create a valid signature. If you're not using coldfusion 10, you'll need something like this: HMAC SHA1 ColdFusion