Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (1)

Resolved JWT - how PS uses it

  1. How-to
0
Votes
Undo
  1. mike S
    mike S
  2. PowerServer
  3. Sunday, 5 November 2023 16:45 PM UTC

I'm looking at building my own JWT auth service so that i can not only validate with my database, but also send back information in addition to the token (the URL of the PS web api , the database to use, etc.)

the PS web api needs to validate the token on each request, and i believe the simplest/fastest way to handle that is to provide it the same JWT secret as my JWT token generation service.  however, i may end up using another service to validate the token since i may end up having several PS web api servers.

has anyone done either of these?  would it make sense to use the native PS jwttoken validation?   the values that PS requires is not mentioned or defined anywhere.  the token generation includes a few things like issuer and Audience, are they actually used by PS?  I also don't see in the PS c# code where the SecurityAlgorithms are setup - HmacSha256Signature ? or 512?

 

the PB GetJWTToken method retrieves the token from the HTTP client.   To use this, what does the GetJWTToken require in terms of the returned format? 

Just {"token":"<token>"} in the body?  is that based on a standard?  or is GetJWTToken built for the PS specific implementation only? 

 

 

PowerServer: Select error: Datawindow not found
HTTPClient VS RestClient for getting JWT
Responses (1)
Logan Liu @Appeon
Logan Liu @Appeon Accepted Answer Pending Moderation
  1. Tuesday, 7 November 2023 07:55 AM UTC
  2. PowerServer
  3. # 1

Hi Mike,

You can edit any authentication code in the PowerServer C# solution (a pure ASP.NET Core Web API). But I think it's better to get the Web API URL or database name using another REST API after authentication.

I can try to answer a few questions:

1) "the values that PS requires is not mentioned or defined anywhere.  the token generation includes a few things like issuer and Audience, are they actually used by PS?"

PowerServer provides several authenticate templates including JWT. If you select Use built-in JWT Server, it will generate C# code in the UserExtensions project - Authentication folder. You can edit any code, including adding your own claims in the token (e.g.: see the Claims in DefaultUserStore.cs).

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. You can see the Issuer and Audience here: RFC 7519 - JSON Web Token (JWT) (ietf.org). A producer and consumer of a JWT MAY agree to use Claim Names that are Private Names: names that are not Registered Claim Names (Section 4.1) or Public Claim Names (Section 4.2).

2) "I also don't see in the PS c# code where the SecurityAlgorithms are setup - HmacSha256Signature ? or 512?"

Open TokenHandler.cs, then you can see the following code in CreateToken method:

// Loads the token key
var securityKey = _configuration["JwtSetting:SecurityKey"];
var symmetricKey = new SymmetricSecurityKey(Convert.FromBase64String(security key));
var credentials = new SigningCredentials(symmetricKey, SecurityAlgorithms.HmacSha256);

3) "I'm looking at building my own JWT auth service so that i can not only validate with my database, but also send back information in addition to the token (the URL of the PS web api , the database to use, etc.)"

Please note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it. This means you should not put secret information within the token.

4) "the PB GetJWTToken method retrieves the token from the HTTP client.   To use this, what does the GetJWTToken require in terms of the returned format? Just {"token":"<token>"} in the body?  is that based on a standard?  or is GetJWTToken built for the PS specific implementation only? "

The current GetJWTToken method is the same as SendPostRequest - - PowerScript Reference (appeon.com). It only has a specific name so the code can be easier to read.

If you return the access_token string (e..g: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiMSIsInJvbGUiOiJhZG1pbiIsIm5iZiI6MTY5OTM0MDU3OCwiZXhwIjoxNjk5OTQ1Mzc4LCJpYXQiOjE2OTkzNDA1Nzh9.JrP69Nwh_1_gqAQA0UJx1FepNSPMmOYx9ole2Weh43k) in the response body, you can use it directly. Then call SetJWTToken to set the HTTP Header.

If you return a JSON structure (serialized from a Class, see TokenResponse.cs) like the JWT template in PowerServer, you have to add more code to parse the JSON and get the access_token. It's the same as SendPostRequest.

Regards, Logan

Comment
mike S
  1. mike S
  2. Tuesday, 7 November 2023 14:02 PM UTC
thanks.

how does PS web api verify the token that is sent by PB? Does it call a URL that has validation code (slow), or does it have a copy of the secret key to generate the hash to compare it?
  1. Helpful
mike S
  1. mike S
  2. Tuesday, 7 November 2023 18:47 PM UTC
never mind, i found the code. appears that the only claim required to process is the scope. all the other stuff (email, etc) is ignored by powerserver.
  1. Helpful 1
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.