Version 11

This section describes the APL functions that relate to OAuth operations.

validateJwt

Validates an incoming OAuth JWT.

string validateJwt(
    string openIdServer,
    string token,
    map<string, any> claimsToValidate, // Optional
    string algorithm                   // Optional
)

Parameters

openIdServer
    The URL of the JWKS server. The JWKS retrieved from it is stored in the cache.

    JWKS Cache

    The cache is accessible only from the backend and cannot be updated by users. It is used to reduce the number of connections to the openIdServer and is reset if the workflow is aborted. Each entry is keyed by the openIdServer URL combined with the key ID (kid) of the JWK:

    {
      "[openIdServer + kid #1]": {
        "use": "sig",
        "kty": "RSA",
        "kid": "e1583dde-e337-4bda-abf5-85a8fed1bafb",
        "alg": "RS256",
        "n": "** public key in here **",
        "e": "AQAB"
      },
      "[openIdServer + kid #2]": {
        "use": "sig",
        "kty": "RSA",
        "kid": "e1583dde-e337-4bda-abf5-85a8fed1bafa",
        "alg": "RS256",
        "n": "** public key in here **",
        "e": "AQAB"
      }
    }

token
    The JWT (JSON Web Token) to be validated.

claimsToValidate
    An optional map of the claims, and the value each must have, to validate against the token.

algorithm
    An optional field to verify the signing algorithm used by the token. The possible values are RSA256, RSA384, RSA512, ECDSA256, ECDSA384 and ECDSA512. By default, the APL function uses RSA256.

Returns
    An error message on validation failure; null on validation success.

Example

Example of the validateJwt function with the optional claims and algorithm arguments populated.

import ultra.JwtValidation;

string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhcHBpZGFjciI6IjIiLCJhdWQiOiJhZTQ3ZThmZC1iMmJlLTQ2MjYtYTdiNS0xOWQyODk2MWJhMWUiLCJjbGllbnRfaWQiOiIxMjM0LTEyMzQtMTIzNC0xMjM0In0.plstF-xhshrrLKi3Q8J1c5FUSoUImSoYLIs5aaQ-3mvjyVpCtoqnty-Tm5zNWCj_mIRo3aQvnq5IDLUF7VsBc9l-y6vlbcXHdAT3xs3R8x_Lw72tN_t_btyt9Haof7_1DgyxKoQMf7QiwsRX6S8XHk5sWKxJ96zxOLGJdO_HvEPfJKA2eFlK3Tvm715_Bfzp_gOMMyEY1PX5ZKvD9sGsb3kZLpv9Tk8uvaWvU9AFx59paDEAAEbEOo-M27zP9rR_qecSymuDMspHl7zWmBG9kbmrJY-pMScMaHRJiGzORMCs59Nd29Kn-_w0OPPmMV6RTdWbvrgTTU_EUB9JY44rlw";

// Claims the token must carry with exactly these values
map<string, any> claimsToValidate = mapCreate(string, any);
mapSet(claimsToValidate, "appidacr", "2");
mapSet(claimsToValidate, "aud", "ae47e8fd-b2be-4626-a7b5-19d28961ba1e");

// The token's header declares RS512, so the algorithm argument is set to RSA512; error_message is null on success
string error_message = JwtValidation.validateJwt("https://10.60.10.30/endpoint", token, claimsToValidate, "RSA512");

validateAndDecodeJwt

Validates an incoming OAuth JWT and returns both the error message and the decoded payload.

JwtValidationResult validateAndDecodeJwt(
    string openIdServer,
    string token,
    map<string, any> claimsToValidate, // Optional
    string algorithm                   // Optional
)

Parameters

openIdServer
    The URL of the JWKS server. The JWKS retrieved from it is stored in the cache.

    JWKS Cache

    The cache is accessible only from the backend and cannot be updated by users. It is used to reduce the number of connections to the openIdServer and is reset if the workflow is aborted. Each entry is keyed by the openIdServer URL combined with the key ID (kid) of the JWK:

    {
      "[openIdServer + kid #1]": {
        "use": "sig",
        "kty": "RSA",
        "kid": "e1583dde-e337-4bda-abf5-85a8fed1bafb",
        "alg": "RS256",
        "n": "** public key in here **",
        "e": "AQAB"
      },
      "[openIdServer + kid #2]": {
        "use": "sig",
        "kty": "RSA",
        "kid": "e1583dde-e337-4bda-abf5-85a8fed1bafa",
        "alg": "RS256",
        "n": "** public key in here **",
        "e": "AQAB"
      }
    }

token
    The JWT (JSON Web Token) to be validated.

claimsToValidate
    An optional map of the claims, and the value each must have, to validate against the token.

algorithm
    An optional field to verify the signing algorithm used by the token. The possible values are RSA256, RSA384, RSA512, ECDSA256, ECDSA384 and ECDSA512. By default, the APL function uses RSA256.

Returns
    A JwtValidationResult UDR that holds the error message on validation failure and the decoded payload (the errorMessage and claims fields used in the example below). The error message is null on validation success.

Example

Example of the validateAndDecodeJwt function with optional values for claims and algorithm populated.
import ultra.JwtValidation;

string token = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhcHBpZGFjciI6IjIiLCJhdWQiOiJhZTQ3ZThmZC1iMmJlLTQ2MjYtYTdiNS0xOWQyODk2MWJhMWUiLCJjbGllbnRfaWQiOiIxMjM0LTEyMzQtMTIzNC0xMjM0In0.plstF-xhshrrLKi3Q8J1c5FUSoUImSoYLIs5aaQ-3mvjyVpCtoqnty-Tm5zNWCj_mIRo3aQvnq5IDLUF7VsBc9l-y6vlbcXHdAT3xs3R8x_Lw72tN_t_btyt9Haof7_1DgyxKoQMf7QiwsRX6S8XHk5sWKxJ96zxOLGJdO_HvEPfJKA2eFlK3Tvm715_Bfzp_gOMMyEY1PX5ZKvD9sGsb3kZLpv9Tk8uvaWvU9AFx59paDEAAEbEOo-M27zP9rR_qecSymuDMspHl7zWmBG9kbmrJY-pMScMaHRJiGzORMCs59Nd29Kn-_w0OPPmMV6RTdWbvrgTTU_EUB9JY44rlw";
map<string, any> claimsToValidate = mapCreate(string, any);
mapSet(claimsToValidate, "appidacr", "2");
mapSet(claimsToValidate, "aud", "ae47e8fd-b2be-4626-a7b5-19d28961ba1e");

JwtValidationResult result = (JwtValidationResult) JwtValidation.validateAndDecodeJwt("https://10.60.10.30/endpoint", token, claimsToValidate, "RSA512");

// To get the decoded payloads
map<string, any> claimsMap = result.claims;
debug(mapGet(claimsMap, "client_id"));

// To get the error message
debug(result.errorMessage);
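The checks that validateJwt and validateAndDecodeJwt perform, modelled as an added stand-alone Python example rather than the platform's APL implementation: the algorithm is pinned before anything else in the token header is trusted, the signing key is looked up in the JWKS cache by openIdServer + kid, the RSASSA-PKCS1-v1_5 signature is verified straight from the JWK's n and e, and only then are the claimsToValidate compared. It assumes the cache key is the plain concatenation openIdServer + kid, that RSA256/384/512 correspond to the JOSE values RS256/384/512 (the ECDSA variants are left out), and that JWKS_CACHE is filled by the caller; all names are hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed JWKS cache in the page's layout, keyed by openIdServer + kid (assumption: plain concatenation)
JWKS_CACHE = {}
# Page parameter names -> JOSE "alg" value and hash (assumption: RSA256 means RS256, etc.; ECDSA omitted)
RSA_ALGS = {"RSA256": ("RS256", "sha256"), "RSA384": ("RS384", "sha384"), "RSA512": ("RS512", "sha512")}
# DigestInfo DER prefixes for EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1)
DIGEST_INFO = {"sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
               "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
               "sha512": bytes.fromhex("3051300d060960864801650304020305000440")}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def rsa_pkcs1v15_verify(jwk, hash_name, signing_input, signature):
    """RSASSA-PKCS1-v1_5 verification straight from the JWK's n and e, stdlib only."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, signing_input).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def validate_and_decode_jwt(open_id_server, token, claims_to_validate=None, algorithm="RSA256"):
    """Returns (error_message, claims): error is None on success; the payload is only handed
    back once signature and claims have passed (assumption about the UDR's failure contents)."""
    if algorithm not in RSA_ALGS:
        return "unsupported algorithm: " + algorithm, None
    jose_alg, hash_name = RSA_ALGS[algorithm]
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload = [dict(json.loads(b64url_decode(x))) for x in (h_b64, p_b64)]
        signature = b64url_decode(s_b64)
    except (ValueError, TypeError):
        return "malformed token", None
    if header.get("alg") != jose_alg:  # pin the algorithm before trusting anything else in the header
        return "algorithm mismatch: expected %s, token uses %s" % (jose_alg, header.get("alg")), None
    jwk = JWKS_CACHE.get(open_id_server + str(header.get("kid")))
    if jwk is None or jwk.get("use") != "sig" or jwk.get("alg") != jose_alg:
        return "no usable signing key in JWKS cache for kid %s" % header.get("kid"), None
    if not rsa_pkcs1v15_verify(jwk, hash_name, (h_b64 + "." + p_b64).encode(), signature):
        return "invalid signature", None
    for name, value in (claims_to_validate or {}).items():
        if payload.get(name) != value:
            return "claim %s mismatch" % name, None
    return None, payload

def validate_jwt(open_id_server, token, claims_to_validate=None, algorithm="RSA256"):
    return validate_and_decode_jwt(open_id_server, token, claims_to_validate, algorithm)[0]
```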
