I am working on Identity server and OpenId connect and since I need to do the implementation in a more dynamic manner and on multiple microservices in different languages, I am trying to understand the flow and doing the implementation with different stacks without depending on the client SDKs provided by the particular Identity server provider we are using. (in production, most likely, we will use some already built libs but my intention now is to grasp the concept of verification from ground up)
Now I am trying to simulate a case where we already have the access and id tokens and they are sent to a simple REST PHP function, and:
Do verification of JWT signature
Expiration check on the token
Validation of Scope & Audience
Pass username back to the frontend
(not relevant but I generated the access_token with Authorisation code flow -> PKCE)
This is my verification flow, I am using jose-php packages:
# public key
$components = array(
'kty' => 'RSA',
'e' => 'AQAB',
'n' => 'x9vNhcvSrxjsegZAAo4OEuo...'
);
$public_key= JOSE_JWK::decode($components);
$jwt_string = 'eyJ...'; // Access_token
$jws = JOSE_JWT::decode($jwt_string);
$result = $jws->verify($public_key, 'RS256');
However, this returns undefined for $result. I am debugging other parts of the PHP script, and I will share my result with everyone here once I find a fix but I think there is a better way (not with provider exclusive client SDKs) to do this flow and there is a high chance that I am missing something.
If anyone has a background with JWT token verification with PHP for identity server, It will be really great if you can share any better alternative or suggestions to do this here
Thank you in advance :)
This is an answer for anyone who seeks a simple verification middleware for jwks, might not be ideal for production!!! You are more than welcome to suggest a better solution :)
I switched to firebase/php-jwt as it is more convenient and straightforward to use and it was fairly easier to go quickly through its code and it does not return undefined anymore. Now the middleware code for validation looks like below:
$jwks = ['keys' => [[], []];
// JWK::parseKeySet($jwks) returns an associative array of **kid** to private
// key. Pass this as the second parameter to JWT::decode.
// Instead of RS256 use your own algo
// $data can return error so wrap it in try catch and do as you desire afterward
$data= (array) JWT::decode("YOUR_ACCESS_TOKEN", JWK::parseKeySet($jwks), ['RS256', 'RS256']);
For those who are willing to test a sample encoding and decoding process, feel free to use the private key and public key below: (Credit to firebase documentation with a bit of tweaking on my side to convert it to a simple Laravel controller)
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use \Firebase\JWT\JWT;
use \Firebase\JWT\JWK;
use Illuminate\Support\Facades\Http;
class JWTValidation extends Controller
{
public function bundle(){
$privateKey = <<<EOD
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC8kGa1pSjbSYZVebtTRBLxBz5H4i2p/llLCrEeQhta5kaQu/Rn
vuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t0tyazyZ8JXw+KgXTxldMPEL9
5+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4ehde/zUxo6UvS7UrBQIDAQAB
AoGAb/MXV46XxCFRxNuB8LyAtmLDgi/xRnTAlMHjSACddwkyKem8//8eZtw9fzxz
bWZ/1/doQOuHBGYZU8aDzzj59FZ78dyzNFoF91hbvZKkg+6wGyd/LrGVEB+Xre0J
Nil0GReM2AHDNZUYRv+HYJPIOrB0CRczLQsgFJ8K6aAD6F0CQQDzbpjYdx10qgK1
cP59UHiHjPZYC0loEsk7s+hUmT3QHerAQJMZWC11Qrn2N+ybwwNblDKv+s5qgMQ5
5tNoQ9IfAkEAxkyffU6ythpg/H0Ixe1I2rd0GbF05biIzO/i77Det3n4YsJVlDck
ZkcvY3SK2iRIL4c9yY6hlIhs+K9wXTtGWwJBAO9Dskl48mO7woPR9uD22jDpNSwe
k90OMepTjzSvlhjbfuPN1IdhqvSJTDychRwn1kIJ7LQZgQ8fVz9OCFZ/6qMCQGOb
qaGwHmUK6xzpUbbacnYrIM6nLSkXgOAwv7XXCojvY614ILTK3iXiLBOxPu5Eu13k
eUz9sHyD6vkgZzjtxXECQAkp4Xerf5TGfQXGXhxIX52yH+N2LtujCdkQZjXAsGdm
B2zNzvrlgRmgBrklMTrMYgm1NPcW+bRLGcwgW2PTvNM=
-----END RSA PRIVATE KEY-----
EOD;
$publicKey = <<<EOD
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8kGa1pSjbSYZVebtTRBLxBz5H
4i2p/llLCrEeQhta5kaQu/RnvuER4W8oDH3+3iuIYW4VQAzyqFpwuzjkDI+17t5t
0tyazyZ8JXw+KgXTxldMPEL95+qVhgXvwtihXC1c5oGbRlEDvDF6Sa53rcFVsYJ4
ehde/zUxo6UvS7UrBQIDAQAB
-----END PUBLIC KEY-----
EOD;
$payload = array(
"iss" => "example.org",
"aud" => "example.com",
"iat" => 1356999524,
"nbf" => 1357000000
);
$jwt = JWT::encode($payload, $privateKey, 'RS256');
//echo "Encode:\n" . print_r($jwt, true) . "\n";
$decoded = JWT::decode($jwt, $publicKey, array('RS256'));
/*
NOTE: This will now be an object instead of an associative array. To get
an associative array, you will need to cast it as such:
*/
$decoded_array = (array) $decoded;
return response()->json(['jwt' => $jwt, 'decoded' => $decoded]);
//echo "Decode:\n" . print_r($decoded_array, true) . "\n";
}
}
Now back to my first question again :)
In case that I validate the key with the help of this library as the first piece of the code, am I exposing any vulnerability? or will it be a time-consuming task in long run to maintain a custom verification flow like this?
I'm in the same process right now :).
The biggest downside now is that I have to decode the JWT first to extract the iss endpoint, then call the .well-known/openid-configuration endpoint, extra the correct key from there and validate the JWT again with the correct key information.
I'm doing it manually now, because I'm not aware of any libraries that support this.
Related
I am trying to make a test transaction using my Laravel 7 app and Authorize.net.
After submitting the sample data, I'm getting:
The element 'createTransactionRequest' in namespace 'AnetApi/xml/v1/schema/AnetApiSchema.xsd' has invalid child element 'clientId' in namespace 'AnetApi/xml/v1/schema/AnetApiSchema.xsd'. List of possible elements expected: 'merchantAuthentication' in namespace 'AnetApi/xml/v1/schema/AnetApiSchema.xsd'.
Anyone know what's causing this error or how to fix it?
Well, I'll answer my own question since it might help others. The problem is the error message in the Authorize.net response is really vague.
Kurt Friars' comment was helpful, since it pointed me in the right direction. As for Mansour Hamcherif's suggestion, the merchantAuthentication object was set in my app, it just didn't have the right values, so it wasn't that.
The solution for me was setting the proper values to setName() and setTransactionKey(). The previous developer who had worked on this project had left values and the credentials had expired. I did a Linux text search for "setTransactionKey", which lead me to the correct PHP file where I need to set:
$merchantAuthentication = new AnetAPI\MerchantAuthenticationType();
$merchantAuthentication->setName('EnterYourLoginNameHere');
$merchantAuthentication->setTransactionKey('EnterYourTransactionKey');
After that, I cleared all of my Laravel app's caches as well as my browser's caches, did a hard reload, tried a transaction again and it worked! I got:
This transaction has been approved., Transaction ID: **********.
You may want to check the log for the raw request, it's likely the merchantAuthentication object has not been set, if you are using the PHP SDK I recommend checking the SimpleCodeConstants.php file and make sure your merchant credentials constants are set.
For example, if I set my merchant credentials to NULL, I get the same E00003 error as a result of sending the following raw request:
{"createTransactionRequest":{"merchantAuthentication":[],"clientId":"sdk-php-2.0.0-ALPHA", ...}
The actual questions
How to "map" access restrictions so it can be used from php and javasript?
What kind of method should I use to share access restrictions / rules between php and javascript?
Explanation
I have created a RESTful backend using php which will use context-aware access control to limit data access and modification. For example, person can modify address information that belongs to him and can view (but not modify) address information of all other persons who are in the same groups. And of course, group admin can modify address details of all the persons in that group.
Now, php side is quite "simple" as that is all just a bunch of checks. Javascript side is also quite "simple" as that as well is just a bunch of checks. The real issue here is how to make those checks come from the same place?
Javascript uses checks to show/hide edit/save buttons.
PHP uses checks to make the actual changes.
and yes,
I know this would be much more simpler situation if I ran javascript (NodeJS or the like) on server, but the backend has already been made and changing ways at this point would cause major setbacks.
Maybe someone has already deviced a method to model access checks in "passive" way, then just use some sort of "compiler" to run the actual checks?
Edit:
Im case it helps to mention, the front-end (js) part is built with AngularJS...
Edit2
This is some pseudo-code to clarify what I think I am searching for, but am not at all certain that this is possible in large scale. On the plus side, all access restrictions would be in single place and easy to amend if needed. On the darkside, I would have to write AccessCheck and canAct functions in both languages, or come up with a way to JIT compile some pseudo code to javascript and php :)
AccessRestrictions = {
Address: {
View: [
OWNER, MEMBER_OF_OWNER_PRIMARY_GROUP
],
Edit: [
OWNER, ADMIN_OF_OWNER_PRIMARY_GROUP
]
}
}
AccessCheck = {
OWNER: function(Owner) {
return Session.Person.Id == Owner.Id;
},
MEMBER_OF_OWNER_PRIMARY_GROUP: function(Owner) {
return Session.Person.inGroup(Owner.PrimaryGroup)
}
}
canAct('Owner', 'Address', 'View') {
var result;
AccessRestrictions.Address.View.map(function(role) {
return AccessCheck[role](Owner);
});
}
First things first.
You can't "run JavaScript on the server" because Javascript is always run on the client, at the same way PHP is always run on the server and never on the client.
Next, here's my idea.
Define a small library of functions you need to perform the checks. This can be as simple as a single function that returns a boolean or whatever format for your permissions. Make sure that the returned value is meaningful for both PHP and Javascript (this means, return JSON strings more often than not)
In your main PHP scripts, include the library when you need to check permissions and use the function(s) you defined to determine if the user is allowed.
Your front-end is the one that requires the most updates: when you need to determine user's permission, fire an AJAX request to your server (you may need to write a new script similar to #2 to handle AJAX requests if your current script isn't flexible enough) which will simply reuse your permissions library. Since the return values are in a format that's easily readable to JavaScript, when you get the response you'll be able to check what to show to the user
There are some solutions to this problem. I assume you store session variables, like the name of the authorized user in the PHP's session. Let's assume all you need to share is the $authenticated_user variable. I assume i'ts just a string, but it can also be an array with permissions etc.
If the $authenticated_user is known before loading the AngularJS app you may prepare a small PHP file whish mimics a JS file like this:
config.js.php:
<?php
session_start();
$authenticated_user = $_SESSION['authenticated_user'];
echo "var authenticated_user = '$authenticated_user';";
?>
If you include it in the header of your application it will tell you who is logged in on the server side. The client side will just see this JS code:
var authenticated_user = 'johndoe';
You may also load this file with ajax, or even better JSONP if you wrap it in a function:
<?php
session_start();
$authenticated_user = $_SESSION['authenticated_user'];
echo <<<EOD;
function set_authenticated_user() {
window.authenticated_user = '$authenticated_user';
}
EOD;
?>
I have an application where information from the database is sent back as a JSON response.
Tailoring the jQuery side to handle each and every response seems like a lot of effort for little adaptability.
In what ways could the JSON format could be standardized ? Additionaly, is there a way to "slot in" a handler in jQuery ?
I've been thinking along the lines of something like this:
{
"replyCode": "OK"/"Error",
"replyMessage": "Operation successful"/"Could not connect",
"returnData": ... // Entities go here
}
Standardizing the JSON response is something that needs to be customized for each application; only you have the necessary data to decide exactly what actions should be supported and how they would be communicated over JSON.
As an example, in the past I have used both a "response sniffer" logic (where the handler checks for specific properties in the response and processes each one that exists in a specific manner) and a "command list" logic (where the response always contains an array of objects that describe specific actions that must be taken and the handler executes them) in this situation.
I don't believe that a reply code and message is necessary in most situations as the HTTP response header can communicate this information effectively.
Whatever you decide to do, .ajaxComplete (and its siblings .ajaxSuccess and .ajaxError) can be used to install global response handlers on the client side that run on completion of every request.
First, you should really take a look at the video RESTful API Design from the apigee guys. It contains a ton of good advice for RESTful APIs. Brian Mulloy gives also feedback on how responses should look like.
Next, you should take a look at some libs in php for developing RESTful APIs. Some of these gives you a solid way of how to return responses.
https://github.com/Respect/Rest
https://github.com/MArcJ/PHPRestService
https://github.com/kla/php-activerecord
or more https://github.com/search?q=php%20rest
With this you should good to go to build well RESTful APIs.
Why not have a central function that does the final echoing of the JSON as the response.
function returnJSON($code,$data=array()){
echo json_encode(
array(
'replyCode'=>$code,
'replyMessage'=>getReturnMessageByCode($code),
'returnData'=>$data
)
);
}
Now at the end of every AJAX call you make to retrieve this data, your PHP code would do something like this -
$data = fetchData();
if ($data){
returnJSON('OK',$data);
}else{
returnJSON('FAIL');
}
exit();
Standardizing your responses is a great idea and is also your responsibility. Unless your framework has other options its up to you to make your code as robust as possible.
I'm now using phonegap to develop a application. I have found a similar php code which can assess to a local server here, but unfortunately phonegap doesn't support php.
Can anyone help me to 'translate' the php code below into JQuery ajax or any other javascript code? Thanks!
require_once('nusoap.php');
/* create client */
$endpoint = "http://www.pascalbotte.be/rcx-ws/rcx";
$ns = "http://phonedirlux.homeip.net/types";
$client = new soapclient($endpoint);
// queryRcx is the name of the method you want to consume
// RcxQuery_1 is the name of parameter object you have to send
// x and y are the names of the integers contained in the object
$result = $client->call('queryRcx',array('RcxQuery_1' => array('x' => 12,'y' => 13)), $ns);
print_r($result);
Step 1. Resolve the 404 associated with http://www.pascalbotte.be/rcx-ws-rpc/rcx?WSDL
Step 2. Get a JavaScript SOAP client.
Step 3. ... ... ...
Step 4. PROFIT!
Seriously though. All this really takes is a JavaScript based SOAP client. While they aren't a dime-a-dozen, they are pretty common. The one above is for jQuery, but it is easy enough to find other implementations.
The fact that the WSDL definition causes a 404 may or may not be a problem as the actual wsdl definition is technically optional, but you really want to figure out what happened.
You can add this header to the PHP file or .htaccess to avoid problems with cross domain reqs:
header('Access-Control-Allow-Origin: *');
Replace the all(*) with your domain ;)
Good luck!
I'm building an application that's self-hosted, and I'd like to have some form of licensing to minimize fraudulent downloads/distribution.
Of course, I'm well aware that being self-hosted someone could simply rip out all license features from the source-code, but the con's of using a compiler like Zend Guard or ionCube far outweigh the pro's in my opinion - nonetheless I'd like to have some basic form of license security.
What I originally had in mind to do was: user logs in with license on app -> app posts license to my server -> server sends a response via a HTTP GET request -> app evaluates response, and if license is valid sets a value in a session variable (A), if invalid returns to login screen with an error.
The problem with this is, the evaluation of response/session setting is readily available in a application file, so if the user knows a little PHP and checks in on that source code, they'll realize all they'll need to do is set a session themselves with a particular $_SESSION['_valid_license'] value, and they'll be good to go.
What I was considering doing to make it a little less easy was (if possible) to post PHP back as a response, and then have the application file execute it, for example:
My original code:
$response = $_GET['response'];
if($response == "fjdkuf9") {
start_session();
$_SESSION['_valid_license'] = "YES";
header("Location:" . $rp . "/admin/");
} else {
header("Location:" . $rp . "/login/?err=1");
}
My new concept:
$response = $_POST['response'];
str_replace("\", "", $response);
With the following being posted as response:
start_session();
\$_SESSION[\'_valid_license\'] = \"YES\";
header(\"Location:\" . \$rp . \"/admin/\");
Would that execute $response as actual PHP code after str_replace()? If possible, this would be great, as it would mean evaluation would be done on my server rather than within the self-hosted app itself.
Your second solution is just as insecure as the first. here's what I would do:
Your application POSTS to your server a serial number or some other identifying information.
Your server validates the serial number against the user's account or whatever and returns a unique response.
If that response is successful, you allow the user to continue. Obviously you'd want to implement some sort of caching mechanism here so you're not having to hit you server on every page view.
Putting the responsibility of validation on your server instead of self-hosted code is much more secure. You would need to encrypt the data that is sent BTW so that someone couldn't simply emulate the success response, but you get the idea.