#1 2017-01-03 23:06:05

Leslie7
Member
Registered: 2015-06-25
Posts: 248

JWT standard

Hi ab,

If my understanding is right, the current implementation of ComputeSignature does not work according the standard. It should be something like this:

var     signature : TSHA256Digest;
begin
...
  //result := fHeaderB64+payload+'.'+ComputeSignature(payload); << current code
   HMAC_SHA256( Private_key  , fHeaderB64+payload,signature );
   result := fHeaderB64+payload+'.'+ BinToBase64URI(@signature , SizeOf(signature ));

Not not to break current codes it could support both ways.
Private_key does not seem to be available at this point.

Offline

#2 2017-01-03 23:15:41

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,668
Website

Re: JWT standard

Our code does fit with jwt.io expectations.
(see the regression tests)

The private key is supplied at constructor class level, depending on the algorithm.
Please check the doc...

Online

#3 2017-01-04 06:23:33

Leslie7
Member
Registered: 2015-06-25
Posts: 248

Re: JWT standard

ab,

The result of my hacked  code  and the result of the original code is  different. The result of the modified code is accepted by the 3rd party server. I think it is worth checking. smile

"The private key is supplied at constructor class level"
I saw this in the code, it is  used to calculate a the 1st part of the token (header) but it does not seem to be stored for later use.

Last edited by Leslie7 (2017-01-04 07:40:10)

Offline

#4 2017-01-04 07:52:55

Leslie7
Member
Registered: 2015-06-25
Posts: 248

Re: JWT standard

I think I  can understand your code somewhat better now: THMAC_SHA256 is created with the private key and it can be updated later without resupplying the key.

Offline

#5 2017-01-04 08:25:23

Leslie7
Member
Registered: 2015-06-25
Posts: 248

Re: JWT standard

By looking deeper into your code I have realized that there is nothing wrong with it and gave me  the idea to solve my problem.  It works perfectly with the 3rdParty server if TJWTHS256 is created with the right parameters. I have based my code on this line  from the documentation, where the second parameter is 10:

j := TJWTHS256.Create('sec',10,[jrcIssuer,jrcExpirationTime,jrcIssuedAt,jrcJWTID],[],60);

Changing the second parameter to 0 is all it took to get it working. smile

Last edited by Leslie7 (2017-01-04 08:58:47)

Offline

#6 2017-01-04 09:14:06

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,668
Website

Re: JWT standard

Just as explained in the docs.

Online

Board footer

Powered by FluxBB