
N.B.: Using this node requires the WSF license option.

This node splits a JSON Web Token (JWT) into a JSON header and a JSON payload, and verifies its signature. A JWT is composed of 2 or 3 parts, depending on whether it is signed.

  • Part 1: header
header = '{"alg":"HS256","typ":"JWT"}'
  • Part 2: payload
payload = '{"loggedInAs":"admin","iat":1422779638}'
  • Part 3: signature
key           = 'secretkey'
unsignedToken = encodeBase64(header) + '.' + encodeBase64(payload)
signature     = HMAC-SHA256(key, unsignedToken)


Parameters

General

  • Display name : the name of the node as it will appear in the Workflow. Replaces the term “JWT Parsing”.
  • Token : String or expression containing a JWT. Example:  ${http.request.query.vars['jwt']}
  • JSON Provided prefix : specifies the prefix for JSON provided attributes (header and payload). Example: if prefix is "idp.jwt", provided attributes will be "idp.jwt.header" and "idp.jwt.payload".

Signature

It is possible to verify the JWT signature by specifying an algorithm and a key contained in a Keystore.

  • Algorithm : token signature verification option.

    • None : the signature will not be verified, even if it exists. The "jwt.parsing.signature.failure" attribute will always be "false".

    • Auto detect (Use algorithm specified in 'alg' claim): signature verification is performed according to the "alg" claim contained in the JSON header.

    For the following options, signature verification is performed with the selected algorithm (signature algorithms defined by RFC 7518):
    • HS256 (HMAC using SHA-256)
    • HS384 (HMAC using SHA-384)
    • HS512 (HMAC using SHA-512)
    • RS256 (RSASSA-PKCS1-v1_5 using SHA-256)
    • RS384 (RSASSA-PKCS1-v1_5 using SHA-384)
    • RS512 (RSASSA-PKCS1-v1_5 using SHA-512)
  • Keystore : profile containing the key to use. See Keystores.
  • Key Name : name of the key used to verify the signature. For HMAC algorithms (HS*), the key's type must be "passphrase". For RSA algorithms (RS*), the key's type must be "public".

 

Required attributes

This node requires no attributes.

Provided attributes

This node provides two JSON attributes that contain the JWT header and the JWT payload.

This node provides "jwt.parsing.failure" and "jwt.parsing.err_message" attributes. The "jwt.parsing.failure" attribute (Boolean) will be set to "true" if a processing error occurs while extracting the JSON header and payload. The "jwt.parsing.err_message" attribute will then be filled in to provide a message about the error that was raised.

This node also provides "jwt.parsing.signature.failure" and "jwt.parsing.signature.err_message" attributes. The "jwt.parsing.signature.failure" attribute (Boolean) will be set to "true" if the signature is unverified or if a processing error occurs during signature verification. The "jwt.parsing.signature.err_message" attribute will then be filled in to provide a message about the error that was raised.

Be careful: even if a failure occurred, the JSON header and payload attributes will be filled in. Check "jwt.parsing.failure" and "jwt.parsing.signature.failure" before using them.

 

Examples of provided attributes, depending on the JSON header "alg" claim and the "Algorithm" parameter value:

 

| header | "Algorithm" parameter value | jwt.parsing.signature.failure | jwt.parsing.signature.err_message |
|---|---|---|---|
| { "alg": "none" } | None | false | |
| { "alg": "none" } | Auto detect | false | |
| { "alg": "none" } | HS256 | true | Invalid JSON Web Token. Missing signature. |
| { "alg": "none" } | RS384 | true | Invalid JSON Web Token. Missing signature. |
| { "alg": "HS256" } | None | false | |
| { "alg": "HS256" } | Auto detect | false | |
| { "alg": "HS256" } | HS256 | false | |
| { "alg": "HS256" } | HS384 | true | Specified algorithm in alg claim '...' is not the same than in configuration '...' |
| { "alg": "RS384" } | None | false | |
| { "alg": "RS384" } | Auto detect | false | |
| { "alg": "RS384" } | HS256 | true | Specified algorithm in alg claim '...' is not the same than in configuration '...' |
| { "alg": "RS384" } | RS384 | false | |
| { "alg": "RS541" } | None | false | |
| { "alg": "RS541" } | Auto detect | true | Specified algorithm in alg claim '...' is not supported |
| { "alg": "RS541" } | HS256 | true | Specified algorithm in alg claim '...' is not the same than in configuration '...' |
| { "alg": "RS541" } | RS384 | true | Specified algorithm in alg claim '...' is not the same than in configuration '...' |
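
The decision table above, modelled in Python as an added example (not the product's code), shows why a pinned algorithm rejects an unsigned token that "None" and "Auto detect" let through. The function names, the short reason strings and the sample tokens are assumptions made for this sketch, and only the HS* options are covered.

```python
import base64, hashlib, hmac, json

# HMAC family only; the RS* options need an RSA library and are left out of this sketch.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(header, payload, key=b""):
    """Build a constructed sample token; an HMAC signature is added only for HS* headers."""
    unsigned = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    digest = HMAC_ALGS.get(header.get("alg"))
    if digest is None:
        return unsigned + "."          # unsigned token: empty third part
    return unsigned + "." + b64url_encode(hmac.new(key, unsigned.encode(), digest).digest())

def signature_failure(token, configured, key):
    """Return (failure, reason) for configured = "None", "Auto detect" or an HS* name."""
    head_b64, body_b64, sig_b64 = (token.split(".") + ["", ""])[:3]
    alg = json.loads(b64url_decode(head_b64)).get("alg")
    if configured == "None":
        return False, ""               # signature ignored, even if present
    if configured == "Auto detect":
        if alg == "none":
            return False, ""           # the token picks the algorithm: unsigned is accepted
    elif alg == "none":
        return True, "missing signature"
    elif alg != configured:
        return True, "alg differs from configuration"
    if alg not in HMAC_ALGS:
        return True, "alg not supported"
    expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), HMAC_ALGS[alg]).digest()
    try:
        given = b64url_decode(sig_b64)
    except ValueError:
        return True, "bad signature"
    ok = hmac.compare_digest(expected, given)   # constant-time comparison
    return (False, "") if ok else (True, "bad signature")

# Constructed samples, reusing the payload and key shown at the top of this page.
KEY = b"secretkey"
CLAIMS = {"loggedInAs": "admin", "iat": 1422779638}
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, KEY)
UNSIGNED = make_token({"alg": "none"}, CLAIMS)
```

With UNSIGNED, only the pinned setting returns a failure, so a workflow that trusts the payload should pin the algorithm and branch on the failure attribute.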