Thank you for your library!
I must have something wrong or am missing something and need advice.
We host for various companies that use different identity providers and I wish to verify the signature of the received tokens. What I have put together verifies the signature, but if I replace the payload from a different provider, it still verifies. Is a new signature created using the header and payload, therefore verification will always pass?
procedure Tfrm_Main.btnAccessIDClick(Sender: TObject);
var
  LRes: TStringDynArray;
  LToken: TJWT;
  LSigner: TJWS;
  LKeyPair: TKeyPair;
  sToken, sHeader, sPayload, sSignature, sAlg: String;
begin
  sToken := RESTResponse.JSONValue.FindValue('access_token').Format();
  LRes := SplitString(sToken, '.');
  if (Length(LRes) = 3) then
  begin
    // JWT segments are base64url; plain Base64 decoding only works while a segment contains no '-' or '_'
    sHeader := TBase64.Decode(LRes[0]);
    sPayload := TBase64.Decode(LRes[1]);
    sSignature := LRes[2]; // the signature as received: kept here but never compared below
  end;
  LToken := TJWT.Create(TJWTClaims);
  try
    LToken.Header.JSON.Free;
    LToken.Header.JSON := TJSONObject(TJSONObject.ParseJSONValue(sHeader));
    ...
    // LSigner and LKeyPair are presumably created in the elided part; the inner try/finally frees them
    try
      // Re-signs the token with our own private key, so the signature checked further down is ours,
      // not the identity provider's
      if (FAlg.AsString = 'RS256') then
        FCompact := TJOSE.SerializeCompact(LKeyPair.PrivateKey.Key, FAlg, LToken);
      ...
      if (TJWS.CheckCompactToken(FCompact)) then
      begin
        LSigner.CompactToken := FCompact;
        if (LSigner.VerifySignature and LToken.Verified and (LToken.Claims.Expiration > Now)) then
        begin
          memo_Verify.Lines.Add('Token signature is verified');
        end
        else
        begin
          if not LSigner.VerifySignature then
            memo_Verify.Lines.Add('Token signature is not verified (LSigner)');
          if not LToken.Verified then
            memo_Verify.Lines.Add('Token is not verified (LToken)');
          if (LToken.Claims.Expiration < Now) then
            memo_Verify.Lines.Add('Token expired (LToken.Claims)');
        end;
      end;
    finally
      LSigner.Free;
      LKeyPair.Free;
    end;
  finally
    LToken.Free;
  end;
end;
LSigner.VerifySignature and LToken.Verified always passes
I have been using an RSA pub/priv PEM I created. Do I need the clients' PEMs? Is there a setting to prevent regeneration of the signature and use the sig as is?
I also have a .NET version which uses the kid value in the header, pairing it with the values from the jwks_uri, to verify the signature. Is that option available with this library?
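An added example (not code from the post or from the library) of the check the post is after: the received signature is verified as-is against the issuer's key, selected by the header's `kid`, and never recomputed with our own key. It uses HS256 with the Python standard library so it runs anywhere; with RS256 the issuer's public key fetched from the `jwks_uri` takes the place of the shared secret and the shape of the check is unchanged. `resign_then_verify` reproduces the pattern in the post, and all keys, kids, issuers and tokens are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Issuer side: sign exactly the header.payload bytes that will be transmitted
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_received_signature(token: str, keys_by_kid: dict) -> bool:
    """Correct check: recompute over the received header.payload with the issuer key
    named by 'kid' and compare to the received third segment in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header = json.loads(b64url_decode(parts[0]))
    key = keys_by_kid.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:  # the token does not choose the algorithm
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(parts[2]))

def resign_then_verify(token: str, my_key: bytes) -> bool:
    """The pattern from the post: rebuild the token with our own key and verify our own
    signature. The received signature is discarded, so any payload passes."""
    header_b64, payload_b64, _received_sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    rebuilt = sign_hs256(header, json.loads(b64url_decode(payload_b64)), my_key)
    return verify_received_signature(rebuilt, {header["kid"]: my_key})

def with_replaced_payload(token: str, payload: dict) -> str:
    # Negative test vector from the post: original header and signature, different payload
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}.{sig_b64}"

# Constructed test vectors: no real providers, keys or tokens
ISSUER_KEYS = {"idp-a-key-1": b"constructed-issuer-secret"}  # what a jwks_uri lookup would supply
MY_KEY = b"constructed-hosting-side-key"                      # the poster's own pem, in spirit
HEADER = {"alg": "HS256", "typ": "JWT", "kid": "idp-a-key-1"}
GENUINE = sign_hs256(HEADER, {"iss": "https://idp-a.example", "sub": "alice"}, ISSUER_KEYS["idp-a-key-1"])
TAMPERED = with_replaced_payload(GENUINE, {"iss": "https://idp-b.example", "sub": "alice"})
```

Against `ISSUER_KEYS` the genuine token passes and the payload-swapped one fails, while `resign_then_verify` accepts both, which is exactly the "always passes" behaviour described in the post.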