Context: I want to implement payment with Payconiq. When the payment is done, Payconiq calls my API to give me payment information (status, etc).
I'm using Symfony and web-token/jwt-bundle to verify JWS.
1/ I use 'base64_decode' to get the header from the token (token format is like: header.payload.signature with an empty payload)
2/ I get the json JWKs from URL: the JWK that always seems to be used is like:
{
"kty": "EC",
"use": "sig",
"x5t#S256": "******************",
"crv": "P-256",
"kid": "kid.2021",
"alg": "ES256",
"x5c": [],
"x": *******,
"y": *******
3/ I want to verify the signature with this JWK. I do :
$serializerManager = new JWSSerializerManager([new CompactSerializer(),]);
$jws = $serializerManager->unserialize($token);
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0, $payload);
(public function verifyWithKey(JWS $jws, JWK $jwk, int $signature, ?string $detachedPayload = null): bool)
My payload: body request sent by Payconiq (payment information).
$isVerified is always false.
I don't know if the problem comes from my payload or the way I use the library (documentation shows an example with a JWK like
{
"kty": "oct",
"k": "dzI6nbW4OcNF-AtfxGAmuyz7IpHRudBI0WgGjZWgaRJt6prBn3DARXgUR8NVwKhfL43QBIU2Un3AvCGCHRgY4TbEqhOi8-i98xxmCggNjde4oaW6wkJ2NgM3Ss9SOX9zS3lcVzdCMdum-RwVJ301kbin4UtGztuzJBeg5oVN00MGxjC2xWwyI0tgXVs-zJs5WlafCuGfX1HrVkIf5bvpE0MQCSjdJpSeVao6-RSTYDajZf7T88a2eVjeW31mMAg-jzAWfUrii61T_bYPJFOXW8kkRWoa1InLRdG6bKB9wQs9-VdXZP60Q4Yuj_WZ-lO7qV9AEFrUkkjpaDgZT86w2g'
}
There's is a "k" key and the result is ok (isVerified = true).
But with a JWK without "k" and with "x5c", isVerified still false.
Could someone please help me?
It looks like the verification failed because you have have forgotten to set the appropriate signature algorithm (ES256) in the $jwsVerifier object.
Find hereafter a valid example. Please change the JWK and token values with you data.
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\JWSVerifier;
$jwk = JWK::createFromJson('{"kty":"EC","crv":"P-256","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}');
$token = 'eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q';
$serializerManager = new CompactSerializer();
$jws = $serializerManager->unserialize($token);
$algorithmManager = new AlgorithmManager([new ES256()]);
$jwsVerifier = new JWSVerifier($algorithmManager);
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0);
if ($isVerified) {
var_dump('Signature is valid');
} else {
var_dump('Signature is NOT valid!');
}
In case the payload is detached from the token, you can set it as fourth parameter of the verifyWithKey method.
Note that it shall not be base 64 encoded.
<?php
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\JWSVerifier;
$jwk = JWK::createFromJson('{"kty":"EC","crv":"P-256","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}');
$token = 'eyJhbGciOiJFUzI1NiJ9..DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q';
$payload = base64_decode('eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ');
$serializerManager = new CompactSerializer();
$jws = $serializerManager->unserialize($token);
$algorithmManager = new AlgorithmManager([new ES256()]);
$jwsVerifier = new JWSVerifier($algorithmManager);
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0, $payload);
if ($isVerified) {
var_dump('Signature is valid');
} else {
var_dump('Signature is NOT valid!');
}
Related
I'm trying to validate a Google Play/Android In App Product consumed purchase server-side using PHP. I get a response back with a valid receipt, but there are two confusing issues:
The productId is always null
If I change the the $productId in the sample below to an invalid ID, it will return the exact same response. This seems to be the case for literally any string.
Here is my sample code:
$purchaseToken = 'TEST purchaseToken FROM ANDROID APP';
$appId = 'com.example.myapp';
$productId = 'com.example.myapp.iap1';
$googleClient = new \Google_Client();
$googleClient->setScopes([\Google_Service_AndroidPublisher::ANDROIDPUBLISHER]);
$googleClient->setApplicationName($appId);
$googleClient->setAuthConfig(__DIR__ . '/gp-service.json');
$googleAndroidPublisher = new \Google_Service_AndroidPublisher($googleClient);
$purchase = $googleAndroidPublisher->purchases_products->get($appId, $productId, $purchaseToken);
If I dump out $purchase, I get:
=> Google_Service_AndroidPublisher_ProductPurchase {
+acknowledgementState: 1,
+consumptionState: 1,
+developerPayload: "",
+kind: "androidpublisher#productPurchase",
+obfuscatedExternalAccountId: null,
+obfuscatedExternalProfileId: null,
+orderId: "GPA.XXXX-XXXX-XXXX-XXXXX",
+productId: null,
+purchaseState: 0,
+purchaseTimeMillis: "1602771022178",
+purchaseToken: null,
+purchaseType: 0,
+quantity: null,
+regionCode: "US",
}
Does anyone know what I am doing wrong here? It doesn't seem to be validating the productId on its end nor does it provide me the data I would need to validate it on my end, meaning I have no way of validating this IAP right now.
https://issuetracker.google.com/issues/169870112
I've found on google issue tracker that ignoring productId is an intended behaviour. I've wrote post asking if the null that we receive in response is also an intended behaviour. I hope not because as you wrote if productId will be always null we have no way of fully validating IAP right now.
$purchaseToken was undefined in Josh's answer.
<?php
$appId = "com.example.myapp";
$serviceAccountJson = __DIR__ . "/gp-service.json";
// this is the raw receipt data received on the device from Google Play; this example is obfuscated and only shows the keys for sensitive fields
$googlePlayReceipt =
'{"productId": "com.example.myapp.iap1","transactionDate": 1602714720893,"transactionReceipt": "","purchaseToken": "","transactionId": "","dataAndroid": "","signatureAndroid": "","isAcknowledgedAndroid": false,"autoRenewingAndroid": false,"purchaseStateAndroid": 1}';
// decode the json to an array we can use
$decodedGooglePlayReceipt = json_decode($googlePlayReceipt, true);
// the data that was signed for verification purposes
$data = $decodedGooglePlayReceipt["transactionReceipt"];
// the signature that was used to sign the $data
$signature = $decodedGooglePlayReceipt["signatureAndroid"];
// The "Base64-encoded RSA public key" for your app, taken from the Google Play Console
// In the Classic Console: Your App -> Development Tools -> Services & APIs -> Licensing & in-app billing
// In the New Console: Your App -> Monetize -> Monetization Setup -> Licensing
$base64EncodedPublicKeyFromGoogle = "################";
// Convert the key into the normal public key format
// Just need to split the base64 key into 64 character long lines and add the usual prefix/suffix
$openSslFriendlyKey =
"-----BEGIN PUBLIC KEY-----\n" .
chunk_split($base64EncodedPublicKeyFromGoogle, 64, "\n") .
"-----END PUBLIC KEY-----";
// Convert the key to the openssl key ID that openssl_verify() expects
// I'm unsure if this step would be necessary on all platforms
$publicKeyId = openssl_get_publickey($openSslFriendlyKey);
// Use openssl_verify() to verify the $signature (which has to be base64 decoded!) against the $data using the public key we have
$result = openssl_verify(
$data,
base64_decode($signature),
$publicKeyId,
OPENSSL_ALGO_SHA1
);
if ($result === 0) {
throw new Exception("Invalid receipt");
}
if ($result !== 1) {
throw new Exception(openssl_error_string());
}
// receipt data is valid. now let's grab the productId and purchaseToken
$decodedData = json_decode($data, true);
$purchasedProductId = decodedData["productId"];
$purchaseToken = decodedData["purchaseToken"];
// now we'll verify that the receipt is valid for our account
try {
$googleClient = new \Google_Client();
$googleClient->setScopes([
\Google_Service_AndroidPublisher::ANDROIDPUBLISHER,
]);
$googleClient->setApplicationName($appId);
$googleClient->setAuthConfig($serviceAccountJson);
$googleAndroidPublisher = new \Google_Service_AndroidPublisher(
$googleClient
);
$purchase = $googleAndroidPublisher->purchases_products->get(
$appId,
$purchasedProductId,
$purchaseToken
);
} catch (Throwable $exception) {
// this means the receipt data is unable to be validated by Google
throw new Exception("Invalid receipt");
}
After seeing Deusald's response here and starting to type up a response to the Google Issues ticket complaining about it, I had an epiphany: Google is just validating that the transaction is valid for your account and expects you to validate the receipt data server-side. They include a base64 encoded RSA SHA1 signature in the receipt data and the original data they used to create that signature, so they give you everything you need to accomplish this.
The below snippet accomplishes that verification for PHP, but it should be easily portable to other languages:
<?php
// our app's bundle id
$appId = 'com.example.myapp';
// the location of a Service Account JSON file for a Service account that has access to the "Financial Data" permissions in the Play Console
$serviceAccountJson = __DIR__ . '/gp-service.json';
// this is the raw receipt data received on the device from Google Play; this example is obfuscated and only shows the keys for sensitive fields
$googlePlayReceipt = '{"productId": "com.example.myapp.iap1","transactionDate": 1602714720893,"transactionReceipt": "","purchaseToken": "","transactionId": "","dataAndroid": "","signatureAndroid": "","isAcknowledgedAndroid": false,"autoRenewingAndroid": false,"purchaseStateAndroid": 1}';
// decode the json to an array we can use
$decodedGooglePlayReceipt = json_decode($googlePlayReceipt, true);
// the data that was signed for verification purposes
$data = $decodedGooglePlayReceipt['transactionReceipt'];
// the signature that was used to sign the $data
$signature = $decodedGooglePlayReceipt['signatureAndroid'];
// The "Base64-encoded RSA public key" for your app, taken from the Google Play Console
// In the Classic Console: Your App -> Development Tools -> Services & APIs -> Licensing & in-app billing
// In the New Console: Your App -> Monetize -> Monetization Setup -> Licensing
$base64EncodedPublicKeyFromGoogle = '################';
// Convert the key into the normal public key format
// Just need to split the base64 key into 64 character long lines and add the usual prefix/suffix
$openSslFriendlyKey = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($base64EncodedPublicKeyFromGoogle, 64, "\n") . "-----END PUBLIC KEY-----";
// Convert the key to the openssl key ID that openssl_verify() expects
// I'm unsure if this step would be necessary on all platforms
$publicKeyId = openssl_get_publickey($openSslFriendlyKey);
// Use openssl_verify() to verify the $signature (which has to be base64 decoded!) against the $data using the public key we have
$result = openssl_verify($data, base64_decode($signature), $publicKeyId, OPENSSL_ALGO_SHA1);
if ($result === 1) {
// receipt data is valid. now let's grab the productId and purchaseToken
$decodedData = json_decode($data, true);
$purchasedProductId = decodedData['productId'];
$purchaseToken = decodedData['purchaseToken'];
// now we'll verify that the receipt is valid for our account
try {
$googleClient = new \Google_Client();
$googleClient->setScopes([\Google_Service_AndroidPublisher::ANDROIDPUBLISHER]);
$googleClient->setApplicationName($appId);
$googleClient->setAuthConfig($serviceAccountJson);
$googleAndroidPublisher = new \Google_Service_AndroidPublisher($googleClient);
$purchase = $googleAndroidPublisher->purchases_products->get($appId, $purchasedProductId, $purchaseToken);
} catch (Throwable $exception) {
// this means the receipt data is unable to be validated by Google
throw new Exception('Invalid receipt');
}
} elseif ($result === 0) {
throw new Exception('Invalid receipt');
} else {
throw new Exception(openssl_error_string());
}
Assuming that I received token after managed to login through openid-connect
http://xxxxxx/auth/realms/demo/protocol/openid-connect/token
{
"access_token": "xxxxxx",
"expires_in": 600,
"refresh_expires_in": 1800,
"refresh_token": "xxxxxx",
"token_type": "bearer",
"not-before-policy": xxxx,
"session_state": "xxxxx",
"scope": "email profile"
}
Is there any ways on how to decode the payload of the jwt tokens just like the https://jwt.io/ did , using PHP? Thank you.
You can use this library https://github.com/firebase/php-jwt.
Why do you want to decode the access_token though? Usually it's the id_token that gets decoded so that the client can verify the end-user's identity. The process of decoding requires the JWT to have its signature verified.
You can use the library I mentioned above. The steps are easy. You need:
The JWT
Secret Key/ Public Key
Algorithm used to encode the JWT
The following snippet is used to decode + verify a JWT. It uses HS256 so a secret key must be in the possession of the client:
$decoded = JWT::decode($jwt, $key, array('HS256'));
If you want to decode a JWT without verifying its signature (unsafe), you can create a function that separates each of the JWT section: header, body, and signature, and base64url decode it. Like so:
// Pass in the JWT, and choose which section. header = 0; body = 1; signature = 2
public function decodeJWT($jwt, $section = 0) {
$parts = explode(".", $jwt);
return json_decode(base64url_decode($parts[$section]));
}
EDIT if you're decoding + verifying an id_token which uses assymetric algorithm e.g. RSA256, RSA384 etc, you need the public key. OpenID Connect defines a JWK Set endpoint (/.well-known/jwks.json), which lists the public keys in JWK format. You can hit that endpoint and save the response in an array. In order to find which public key was used, the JWK has a kid claim/ property. Which represents the key id, the identifier of the public key. You can decode your id_token and grab its header using :
$header = decodeJWT($id_token, 0);
Then you can pass the header to the function below to get the key that was used to encode the id_token. Parameter $keys holds the JWK Set response:
function getIdTokenKey($keys, $header) {
foreach ($keys as $key) {
if ($key->kty == 'RSA') {
if (!isset($header->kid) || $key->kid == $header->kid) {
return $key;
}
}
}
throw new Exception("key not found");
}
$key = getIdTokenKey($keys, $header);
Finally call the decode function, assume it's using RSA256:
$decoded = JWT::decode($id_token, $key, array('RSA256'));
Edit(2) On another note it's the same process to decode any JWT, be it an access token, id token, or arbitrary data being passed to different entities in a server environment.
I have an authentication system set up in PHP that I am trying to use to send JSON Web Tokens to a client app in order for the app to access a .net core 2.0 api. So the authentication server takes user credentials and if the credentials pass, it generates the token using a public/private key pair I created with openssl. I am generating the token using the procedure here: http://www.phpbuilder.com/articles/application-architecture/security/using-a-json-web-token-in-php.html
I can decode the resulting token with jwt.io just fine. The decoded version looks like this:
{
"typ": "JWT",
"alg": "HS256"
}
{
"iss": "https://crm.advtis.com",
"exp": "2017-12-21 18:14:42",
"aud": "https://localhost:44354",
"data": {
"username": "pwalter#advtis.com",
"role": 1
}
}
I can enter the string from my private key file, which was used to encode the token, and jwt.io says the signature is valid.
So now I want to send the token along with a request to my API to gain access to that resource, which while debugging is found on localhost. Here is the .NET 2.0 startup code relevant to that:
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<SmartRxDBContext>();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Audience = "https://localhost:44354/";
options.TokenValidationParameters = new TokenValidationParameters {
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidIssuer = "https://crm.advtis.com/",
IssuerSigningKey = new X509SecurityKey(new X509Certificate2("C:\\Path\\To\\webOrders-cert-AspNetPubkey.cert"))
};
});
services.AddMvc();
}
The path referenced is to a pem formatted public key I generated, also using openssl, from the private key used to encode the jwt. I was trying to follow this example for the .NET Core piece - JWT Validation and Authorization in ASP.NET Core
- but of course the whole auth middleware configuration has been moved in 2.0 to the ConfigureServices method, and there is no longer an AutomaticAuthorization option.
Everything seems to be fine, but I am getting a 401 - Unauthorized Bearer error="invalid_token" error when making a request with the header as Authorization: Bearer TOKEN Anyway, I was hoping someone could give me some advice as to where I might be going wrong and/or how I could troubleshoot further.
So, I got this figured out for anyone wanting to run this same type of scenario.
My first problem was that I was using HMAC to generate the tokens on the PHP side. HMAC is not a public/private pair algorithm. I installed the firebase/php-jwt library with composer, and used that to generate my token like this:
use \Firebase\JWT\JWT;
$token = array(
"iss" => "https://crm.advtis.com",
"exp" => time()+10000,
"aud" => "https://localhost:44354",
"data" => array(
"username" => "pwalter#advtis.com",
"role" => 1
)
);
$jwt = JWT::encode($token, file_get_contents("../path/to/private.key"), 'RS256');
The key file was generated on the command line with OpenSSL. I used the same utility to generate a public key with the private key. Both files are in PEM format.
The next thing I had to do was get the public key into .NET. The easiest way I found to do use an RSACryptoServiceProvider, sort of like this:
private static RSACryptoServiceProvider myRSA = new RSACryptoServiceProvider();
public void ConfigureServices(IServiceCollection services)
{
JwtHelper.FromXmlString(myRSA, "C:\\Users\\Path\\To\\xmlPubKey.xml");
services.AddDbContext<SmartRxDBContext>();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters {
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidIssuer = "https://crm.advtis.com",
ValidateAudience = true,
ValidAudience = "https://localhost:44354",
IssuerSigningKey = new RsaSecurityKey(myRSA.ExportParameters(false))
};
});
services.AddMvc();
}
The JwtHelper.FromXml() method was adapted from here, because there is no way in .NET 2.0 to import or set parameters from XML within the RSA Provider, so that method parses the XML and sets the parameters like so:
public static void FromXml(this RSA rsa, string filepath)
{
RSAParameters parameters = new RSAParameters();
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(filepath);
if (xmlDoc.DocumentElement.Name.Equals("RSAKeyValue"))
{
foreach (XmlNode node in xmlDoc.DocumentElement.ChildNodes)
{
switch (node.Name)
{
case "Modulus": parameters.Modulus = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "Exponent": parameters.Exponent = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "P": parameters.P = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "Q": parameters.Q = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "DP": parameters.DP = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "DQ": parameters.DQ = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "InverseQ": parameters.InverseQ = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
case "D": parameters.D = (string.IsNullOrEmpty(node.InnerText) ? null : Convert.FromBase64String(node.InnerText)); break;
}
}
}
else
{
throw new Exception("Invalid XML RSA key.");
}
rsa.ImportParameters(parameters);
}
So that's the gist of it. Now I can issue JWTs from my PHP server to a client application. Then I can send the JWTs over to my .NET Core 2.0 API to get access to endpoints protected by [Authorize] attribute.
I'm using Laravel/Lumen as an API for the backend of a webapp and run into a hiccup.
In an example I have a route that does not need the user to be authenticated. But I do want to check in the routes controller if the user visiting has a valid token.
So I wrote the following:
if ($tokenFetch = JWTAuth::parseToken()->authenticate()) {
$token = str_replace("Bearer ", "", $request->header('Authorization'));
} else {
$token = '';
}
I believe the above will check the Bearer token is valid else it will return a blank variable.
The following is my entire Controller.
public function show($url, Request $request)
{
if ($tokenFetch = JWTAuth::parseToken()->authenticate()) {
$token = str_replace("Bearer ", "", $request->header('Authorization'));
} else {
$token = 'book';
}
return response()->json(['token' => $token]);
}
The Problem
If I a pass in a valid Token Bearer, it returns the token but if I pass in an invalid one I get the following error:
TokenInvalidException in NamshiAdapter.php line 62:
Token Signature could not be verified.
If I don't pass a token at all:
JWTException in JWTAuth.php line 195:
The token could not be parsed from the request
Is there a way to check if a token is passed and if it has then check if its valid, but also if one has not been passed then return a blank return?
You can wrap it inside try/catch block
public function show($url, Request $request)
{
try {
$tokenFetch = JWTAuth::parseToken()->authenticate())
$token = str_replace("Bearer ", "", $request->header('Authorization'));
}catch(\Tymon\JWTAuth\Exceptions\JWTException $e){//general JWT exception
$token = 'book';
}
return response()->json(['token' => $token]);
}
There are few exceptions that you might want to handle separately (jwt-auth/Exceptions)
Also as you're using laravel 5 you can global handling for JWT exceptions ,not recommended in this case but you should know of this option and choose yourself. app/Exceptions/Handler.php and inside render method add [at the top]
if ($e instanceof \Tymon\JWTAuth\Exceptions\JWTException) {
//what happen when JWT exception occurs
}
Yes it's possible to achieve what you want.
Check if a token is passed:
If you check in the documentation of parseToken you'll see that the algorithm to check if we pass a token is:
if (! $token = $this->parseAuthHeader($header, $method)) {
if (! $token = $this->request->query($query, false)) {
}
}
// which it will be in your case:
$hasToken = true;
$header = $request->headers->get('authorization');
if (! starts_with(strtolower('authorization'), 'bearer')) {
if (! $request->query('token', false)) {
$hasToken = false;
}
}
Check if a token is valid:
Please note that the NamshiAdapter use the Namshi\JOSE package so read the documentation here.
In NamshiAdapter.php as you can see the line who rise your error are:
if (! $jws->verify($this->secret, $this->algo)) {
throw new TokenInvalidException('Token Signature could not be verified.');
}
// in your case:
// + try to var_dump $this->secret, $this->algo
// + use Namshi\JOSE\JWS
// if you var_dump
$jsw = new JWS(['typ' => 'JWT', 'alg' => $algo]);
$jws = $this->jws->load($token, false);
// if you want to follow the documentation of Namshi\JOSE
$jws = JWS::load($tokenString, false, $encoder, 'SecLib');
// again var_dump for $this->secret, $this->algo
$isValidToken = ($jws->verify($this->secret, $this->algo));
I have a web application developed in .net framework. I am trying to implement Oauth in sugarCRM in order to integrate it with my applications.
The Oauth mechanism given by sugarCRM is using PHP Click Here...
where as, my application is designed in ASP.
I am trying to figure out solution (like converting php code to asp or implementing the same mechanism in my application) for same but got no solution.any help would be appreciated.
after much pain, I've got my .Net Code working on SugarCRM.....
This is what I did....all in a Console app for me. This a proof of concept and so everthing is hard coded for now!
Use Nuget to Install OAuth by Daniel Crenna
Step 1: Establish Consumer Key
Go into Admin -> OAuth Keys section on SugarCRM and create a new record, I used Key & Secret.
Step 2: Creating a Request Token
private static void CreateRequestToken()
{
// Creating a new instance directly
OAuthRequest client = new OAuthRequest
{
Method = "GET",
Type = OAuthRequestType.RequestToken,
SignatureMethod = OAuthSignatureMethod.HmacSha1,
ConsumerKey = "Key",
ConsumerSecret = "Secret",
RequestUrl = "http://localhost/service/v4/rest.php",
Version = "1.0",
SignatureTreatment = OAuthSignatureTreatment.Escaped
};
// Using URL query authorization
string auth = client.GetAuthorizationQuery(new Dictionary<string, string>() { { "method", "oauth_request_token" } });
var request = (HttpWebRequest)WebRequest.Create("http://localhost/service/v4/rest.php?method=oauth_request_token&" + auth);
var response = (HttpWebResponse)request.GetResponse();
NameValueCollection query;
using (StreamReader sr = new StreamReader(response.GetResponseStream()))
{
string result = sr.ReadToEnd();
query = HttpUtility.ParseQueryString(result);
}
Console.WriteLine(query["authorize_url"]);
Console.WriteLine(query["oauth_token"]);
Console.WriteLine(query["oauth_token_secret"]);
}
This is the tricky part that took me ages to figure out, notice the requesturl is without the query part in the client, and you have add it to the GetAuthorizationQuery call AND to the actual WebRequest url.
Note down the 3 items ready for Step 4.
Step 3 Approve Request Token
Visit the url "authorize_url" above and also add &token= "oauth_token". For this was:
http://localhost/index.php?module=OAuthTokens&action=authorize&token=adae15a306b5
Authorise the token and record the Token Authorisation Code.
Step 4 Request Access Token
private static void RequestAccessToken()
{
OAuthRequest client = new OAuthRequest
{
Method = "GET",
Type = OAuthRequestType.AccessToken,
SignatureMethod = OAuthSignatureMethod.HmacSha1,
ConsumerKey = "Key",
ConsumerSecret = "Secret",
RequestUrl = "http://localhost/service/v4/rest.php",
Version = "1.0",
SignatureTreatment = OAuthSignatureTreatment.Escaped,
Token = "adae15a306b5",
TokenSecret = "e1f47d2a9e72",
Verifier = "33e2e437b2b3"
};
// Using URL query authorization
string auth = client.GetAuthorizationQuery(new Dictionary<string, string>() { { "method", "oauth_access_token" } });
var request = (HttpWebRequest)WebRequest.Create("http://localhost/service/v4/rest.php?method=oauth_access_token&" + auth);
var response = (HttpWebResponse)request.GetResponse();
NameValueCollection query;
using (StreamReader sr = new StreamReader(response.GetResponseStream()))
{
string result = sr.ReadToEnd();
query = HttpUtility.ParseQueryString(result);
}
Console.WriteLine(query["oauth_token"]);
Console.WriteLine(query["oauth_token_secret"]);
}
Token and TokenSecret are from Step 2, Verifier is the Auth Code from Step 3.
Step 5 Use the Access Token
I'm just using the session id as Recommended by the Documentation, so to get the sessionId
private static void GetSessionId()
{
OAuthRequest client = new OAuthRequest
{
Method = "GET",
Type = OAuthRequestType.ProtectedResource,
SignatureMethod = OAuthSignatureMethod.HmacSha1,
ConsumerKey = "Key",
ConsumerSecret = "Secret",
RequestUrl = "http://localhost/service/v4/rest.php",
Version = "1.0",
SignatureTreatment = OAuthSignatureTreatment.Escaped,
Token = "adae15a306b5",
TokenSecret = "2d68ecf5152f"
};
string auth = client.GetAuthorizationQuery(new Dictionary<string, string>()
{
{ "method", "oauth_access" },
{ "input_type", "JSON" },
{ "request_type", "JSON" },
{ "response_type", "JSON" }
});
var request = (HttpWebRequest)WebRequest.Create("http://localhost/service/v4/rest.php?method=oauth_access&input_type=JSON&request_type=JSON&response_type=JSON&" + auth);
var response = (HttpWebResponse)request.GetResponse();
dynamic o;
using (StreamReader sr = new StreamReader(response.GetResponseStream()))
{
string result = sr.ReadToEnd();
o = Newtonsoft.Json.JsonConvert.DeserializeObject(result);
}
Console.WriteLine("SessionId: {0}", o.id);
}
Here I'm using JSON.Net to parse the Json into a dynamic object for easy access to the id.
Step 6 Make it do something....
Over to you!
Pretty painful experience, but at least its working for me.....
Tim
I didn't get what you meant by implementing in SugarCRM way. But if you can't use dotnetopenauth, you can spin your own OAuth using RestSharp or Hammock