This section describes functions that relates to OAuth operations.
The following functions for OAuth described here are:
validateJwt
Validates an incoming OAuth JWT.
| Code Block |
|---|
string validateJwt(
string openIdServer,
string token,
map <string, any> claimsToValidate, //Optional
string algorithm //Optional) |
Parameters
token | The value of the tokenParameter | Description |
|---|
openIdServer
|
The destination URL of the token to be verified. | This is the JSON Web Key Set (JWKS) endpoint of an OpenID Connect (OIDC) server. For example,https://<server_domain>/.well-known/jwks.json The JWKS endpoint returns the public key set in JSON format shown below, that can be used to validate the signature of the JWT (token) issued by the OIDC provider. | Info |
|---|
JWKS CacheThe cache is accessible only from the backend and cannot be updated by users. It is used to reduce the number of connections to the openIdServer and will be reset if the workflow is aborted. | Code Block |
|---|
{
"[openIdServer + kid #1]": {
"use": "sig",
"kty": "RSA",
"kid": "e1583dde-e337-4bda-abf5-85a8fed1bafb",
"alg": "RS256",
"n": "** public key in here **",
"e": "AQAB"
},
"[openIdServer + kid #2]": {
"use": "sig",
"kty": "RSA",
"kid": "e1583dde-e337-4bda-abf5-85a8fed1bafa",
"alg": "RS256",
"n": "** public key in here **",
"e": "AQAB"
}
} |
|
The public key can be used to verify the integrity of a JWT, ensuring that it has not been tampered with. |
token
| This refers to the JWT (Json Web Token) that needs to be validated. |
claimsToValidate
| An optional map field to declare the claims as well as the corresponding value to validate against the token. |
algorithm
| An optional field to verify the signing algorithm used by the token. The possible values could be RSA256, RSA384, RSA512, ECDSA256, ECDSA384, ECDSA512. By default, the APL function uses RSA256. |
Returns | An error message on validation failure. Null on validation success. |
...
...
Example of the validateJwt function with claims and algorithm optional values populated.
...
of the validateJwt function with optional values for claims and algorithm populated. | Code Block |
|---|
string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhcHBpZGFjciI6IjIiLCJhdWQiOiJhZTQ3ZThmZC1iMmJlLTQ2MjYtYTdiNS0xOWQyODk2MWJhMWUiLCJjbGllbnRfaWQiOiIxMjM0LTEyMzQtMTIzNC0xMjM0In0.plstF-xhshrrLKi3Q8J1c5FUSoUImSoYLIs5aaQ-3mvjyVpCtoqnty-Tm5zNWCj_mIRo3aQvnq5IDLUF7VsBc9l-y6vlbcXHdAT3xs3R8x_Lw72tN_t_btyt9Haof7_1DgyxKoQMf7QiwsRX6S8XHk5sWKxJ96zxOLGJdO_HvEPfJKA2eFlK3Tvm715_Bfzp_gOMMyEY1PX5ZKvD9sGsb3kZLpv9Tk8uvaWvU9AFx59paDEAAEbEOo-M27zP9rR_qecSymuDMspHl7zWmBG9kbmrJY-pMScMaHRJiGzORMCs59Nd29Kn-_w0OPPmMV6RTdWbvrgTTU_EUB9JY44rlw";
map<string, any> claimsToValidate = mapCreate(string, any);
mapSet(claimsToValidate, "appidacr", "2");
mapSet(claimsToValidate, "aud", "ae47e8fd-b2be-4626-a7b5-19d28961ba1e");
string error_message = JwtValidation.validateJwt("https://10.60.10.30/endpoint", token, claimsToValidate, "RSA512"); |
|
validateAndDecodeJwt
Validates an incoming OAuth JWT with the error message and decoded payloads as return.
| Code Block |
|---|
JwtValidateResult validateAndDecodeJwt(
string openIdServer,
string token,
map <string, any> claimsToValidate, //Optional
string algorithm //Optional) |
Parameters
Parameter | Description |
|---|
openIdServer
| This is the JSON Web Key Set (JWKS) endpoint of an OpenID Connect (OIDC) server. For example,https://<server_domain>/.well-known/jwks.json The JWKS endpoint returns the public key set in JSON format shown below, that can be used to validate the signature of the JWT (token) issued by the OIDC provider. | Info |
|---|
JWKS CacheThe cache is accessible only from the backend and cannot be updated by users. It is used to reduce the number of connections to the openIdServer and will be reset if the workflow is aborted. | Code Block |
|---|
{
"[openIdServer + kid #1]": {
"use": "sig",
"kty": "RSA",
"kid": "e1583dde-e337-4bda-abf5-85a8fed1bafb",
"alg": "RS256",
"n": "** public key in here **",
"e": "AQAB"
},
"[openIdServer + kid #2]": {
"use": "sig",
"kty": "RSA",
"kid": "e1583dde-e337-4bda-abf5-85a8fed1bafa",
"alg": "RS256",
"n": "** public key in here **",
"e": "AQAB"
}
} |
|
The public key can be used to verify the integrity of a JWT, ensuring that it has not been tampered with. |
token
| This refers to the JWT (Json Web Token) that needs to be validated. |
claimsToValidate
| An optional map field to declare the claims as well as the corresponding value to validate against the token. |
algorithm
| An optional field to verify the signing algorithm used by the token. The possible values could be RSA256, RSA384, RSA512, ECDSA256, ECDSA384, ECDSA512. By default, the APL function uses RSA256. |
Returns | An JwtValidationResult UDR which consists of error message on validation failure and decoded payloads. The error message will be Null on validation success. |
| Info |
|---|
ExampleExample of the validateAndDecodeJwt function with optional values for claims and algorithm populated. | Code Block |
|---|
import ultra.JwtValidation;
string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhcHBpZGFjciI6IjIiLCJhdWQiOiJhZTQ3ZThmZC1iMmJlLTQ2MjYtYTdiNS0xOWQyODk2MWJhMWUiLCJjbGllbnRfaWQiOiIxMjM0LTEyMzQtMTIzNC0xMjM0In0.plstF-xhshrrLKi3Q8J1c5FUSoUImSoYLIs5aaQ-3mvjyVpCtoqnty-Tm5zNWCj_mIRo3aQvnq5IDLUF7VsBc9l-y6vlbcXHdAT3xs3R8x_Lw72tN_t_btyt9Haof7_1DgyxKoQMf7QiwsRX6S8XHk5sWKxJ96zxOLGJdO_HvEPfJKA2eFlK3Tvm715_Bfzp_gOMMyEY1PX5ZKvD9sGsb3kZLpv9Tk8uvaWvU9AFx59paDEAAEbEOo-M27zP9rR_qecSymuDMspHl7zWmBG9kbmrJY-pMScMaHRJiGzORMCs59Nd29Kn-_w0OPPmMV6RTdWbvrgTTU_EUB9JY44rlw";
map<string, any> claimsToValidate = mapCreate(string, any);
mapSet(claimsToValidate, "appidacr", "2");
mapSet(claimsToValidate, "aud", "ae47e8fd-b2be-4626-a7b5-19d28961ba1e");
|
|
...
...
result = (JwtValidationResult) JwtValidation. |
|
...
validateAndDecodeJwt("https://10.60.10.30/endpoint", token, claimsToValidate, "RSA512");
// To get the decoded payloads
map<string, any> claimsMap = result.claims;
debug(mapGet(claimsMap, "client_id"));
// To get the error message
debug(result.errorMessage); |
|
This chapter includes the following section:
| Child pages (Children Display) |
|---|
|
