How to obtain access token from Google OAuth 2.0?

0
Hi guys, I need your help figuring out what I do wrong when trying to obtain an access token from the Google OAuth API.

In the Google OAuth documentation we read:

A JWT is composed of three parts: a header, a claim set, and a signature. The header and claim set are JSON objects. These JSON objects are serialized to UTF-8 bytes, then encoded using the Base64url encoding. This encoding provides resilience against encoding changes due to repeated encoding operations. The header, claim set, and signature are concatenated together with a period (.) character. A JWT is composed as follows:

{Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}

What I do is:

1. I don't understand how to integrate the JWT header when using the JWT module.
2. Specify the claim set as described in the JWT module, see here.
3. Turn the private key in p12 format by:
   A) openssl pkcs12 -in file.p12 -out file.pem (entered password, passphrase 2x)
   B) openssl x509 -outform der -in hulq.pem -out hulq.der
   C) upload in the app as the one and only JWTRSAPrivateKey
4. Generate the JWT with the JWT module, by passing in the JWT object, ClientSecret, HS256, PrivateKey of 3.
5. Call REST POST with:
   Custom header: Content-Type 'application/x-www-form-urlencoded'
   Custom request template: 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion='+$JWT

See MF: https://modelshare.mendix.com/models/127065fc-0f1b-434f-adda-dc92e9fa7d39/create-jwt

Result:

1) Request is not accepted, with reason: JWT is invalid.

Questions:

1) How can I add the JWT header to the JWT when using the JWT module?
2) Is the p12 key created right, because I do get the error: Caused by: com.mendix.core.CoreRuntimeException: com.mendix.systemwideinterfaces.MendixRuntimeException: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DER input, Integer tag error
3) Any other remarks regarding the implementation?
asked
3 answers
0

In the first place, I would rather advise using the Google Java APIs to connect to their services. Makes your life very easy! Or for simple Single Sign On, use the Open Authentication Module.

For your certificate issue, if you can create a temporary private key for me to test, I can have a look. Or send me the key by email to menno.dehaas@webflight.nl and use my public PGP key to encrypt.

answered
0

Enzo, I'm working on this one again. Now I need to work with Google Service accounts. I found out I implemented the PKCS8 key specification for the RSA Private Keys. However, for JWT RSA256 the older PKCS1 key specification is used. The PKCS1 key spec is not implemented in the Java security packages, so I will use BouncyCastle to implement this. I hope I can release a new version today.

answered
0

Just published a new release for the JWT module that supports the PKCS1 key spec. Also included a PEM to DER conversion action. Tested it using a Google Service Account private key (PEM format) and the token was generated properly. Download version 1.4 at https://appstore.home.mendix.com/link/app/106447/WebFlight/JWT

answered
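
Added example (not part of the thread and not the JWT module's code): a Python check that tells apart the DER structures this thread runs into, namely the X.509 certificate that `openssl x509 -outform der` writes, a PKCS#1 RSA private key and a PKCS#8 private key, by reading the first ASN.1 tags, with a PEM to DER step for files such as the one `openssl pkcs12` produces. The helper names (`read_tlv`, `pem_blocks`, `classify`, `tlv`) and the sample blobs are constructed for illustration and hold no real key material; PEM blocks are assumed to carry no encryption headers.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
KINDS = {(0x30, 0x30): "X.509 certificate", (0x30, 0x04): "encrypted PKCS#8",
         (0x02, 0x02): "PKCS#1 RSAPrivateKey"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def pem_blocks(text):
    """Yield (label, der) per PEM block; 'Bag Attributes' lines between blocks are skipped."""
    pattern = r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----"
    for label, body in re.findall(pattern, text, re.S):
        yield label, base64.b64decode("".join(body.split()))

def classify(der):
    """Name the structure from the tags of the first two elements inside the outer SEQUENCE."""
    tag, outer, _ = read_tlv(der)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    t1, _, nxt = read_tlv(outer)
    t2, v2, _ = read_tlv(outer, nxt)
    if (t1, t2) == (0x02, 0x30):  # version INTEGER, then AlgorithmIdentifier
        return "PKCS#8 (RSA)" if read_tlv(v2)[1] == RSA_OID else "PKCS#8 (non-RSA)"
    return KINDS.get((t1, t2), "unknown")

def tlv(tag, value):  # builder for the constructed samples below (short lengths only)
    return bytes([tag, len(value)]) + value

# Constructed skeletons with toy values, not real keys or certificates.
INT0 = tlv(0x02, b"\x00")
ALG = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
PKCS1 = tlv(0x30, INT0 + tlv(0x02, b"\x00\xc3\x51") + tlv(0x02, b"\x01\x00\x01"))
PKCS8 = tlv(0x30, INT0 + ALG + tlv(0x04, PKCS1))
CERT = tlv(0x30, tlv(0x30, INT0) + ALG + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for name, der in [("PKCS1", PKCS1), ("PKCS8", PKCS8), ("CERT", CERT)]:
        print(name, "->", classify(der))
```

A certificate has a SEQUENCE where both private-key formats have their leading version INTEGER, and a PKCS#1 key has a second INTEGER where PKCS#8 has its AlgorithmIdentifier SEQUENCE, so a parser written for one layout stops at the first mismatched tag of another.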