Verify xsuaa generated JWT , using nodejs jsonwebtoken package

sreehari_vpillai
Active Contributor
0 Kudos

Hi ,

I have an application deployed in Cloud Foundry with an xsuaa instance bound to it. Using Postman, I generated an access token with the client id and client secret, and I get the token. I could decode the token on the jwt.io website (to confirm that the token is in good order).

Now, can I verify the token programmatically outside Cloud Foundry, if I have the verification key from xsuaa?

I tried this way:

  • Created a .pem file, copying the verification key
  • Replaced \n with actual new lines
  • Put the code together
const fs = require("fs");
const jwt = require("jsonwebtoken");

// PEM public key copied from the xsuaa "verificationkey" credential
var cert = fs.readFileSync('public.pem', 'utf8');

var token = '<token from postman>';
// pin the algorithm so the verifier cannot be talked into HS256 with the public key as the secret
jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, decoded) {
    //goes to error says "invalid signature"
    console.log(err);
});

It always goes to the "invalid signature" error.

What could've gone wrong?

Sreehari

Accepted Solutions (1)

CarlosRoggan
Product and Topic Expert
0 Kudos

Hello sreehari.vpillai,
I've done the following:
Create a service instance of xsuaa
Create a service key
View the service key
Copy the service key into the node app (shortened below)
Then use the code below.
The code uses xssec to fetch a token programmatically (instead of using Postman).
Then it uses the public key which is provided in the credentials (service key) for verification.

Hope this helps!
Cheers,
Carlos

const jsonwebtoken = require("jsonwebtoken");
const xssec = require('@sap/xssec');

// service key of the xsuaa instance, copied from the cockpit (shortened)
const CREDENTIALS = {
  "clientid": "sb-na-62b4996f-21bd-4c6b-85f7-dac24e36af1b!t78007",
  "clientsecret": "V6YgP5fkfqn5r2UCojs=",
  "url": "https://mysubdomain.authentication.eu.hana.ondemand.com",
  "verificationkey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr9ApOgCp/7GuctK/dcyJ\nBaFK2Uzhh7RkVsp1Sfg04u6a6ewZEhlPrdlD/+QfdetBzaDbIXyQf37JQjL/z2YD\RFrFP7b/d0k82ImSmOTwAUBhnB/BR/UERNUnPpbfGICBRkL8AmnDYm/\nWpYUDOk65Xj0kiCe4Pqi5S6I/CLTpXVf6gxrxVSojBYib9VlEDTBORdcxRpwSAEF\nMwIDAQAB\n-----END PUBLIC KEY-----"
};

// fetch a client-credentials token from the xsuaa instance (instead of Postman) ...
xssec.requests.requestClientCredentialsToken(null, CREDENTIALS, null, null, (err, token) => {
  if (err) { return console.error(err); }
  // ... and verify it with the public key from the service key, pinning the algorithm to RS256
  jsonwebtoken.verify(token, CREDENTIALS.verificationkey, { algorithms: ['RS256'] }, (err, decoded) => {
    if (err) { return console.error(err); }
    console.log("client id: " + decoded.cid);
  });
});
sreehari_vpillai
Active Contributor
0 Kudos

My bad. It was a multi-tenancy shared xsuaa instance. The token was generated with the auth URL of the consumer, and verified with the verification key of the provider (what else would I have access to anyway). I generated one with the provider auth API, and verified.

Both your way and my way worked. Thanks mate.

sreehari_vpillai
Active Contributor
0 Kudos

Have you tried this in multi-tenancy mode? What verification token shall we use, if the token is issued by the consumer? Any additional input to be passed while verifying the token?

CarlosRoggan
Product and Topic Expert

To try the code snippet, I just created a service instance, no MT app.
The verification key is contained in the binding information.

To get the verification key at runtime, you can take it from the JKU:

When you introspect the JWT token, you have the required information in the JWT header:

{
  "alg": "RS256",
  "jku": "https://rsubdomain.authentication.eu.hana.ondemand.com/token_keys",
  "kid": "default-jwt-key--19292961",
  "typ": "JWT",
  "jid": "xvW3li3J7RiMcjiYmvnkGE4NWKp84="
}

Using the key id (kid) you can find the correct key at the JKU URL.

Kind Regards,

sreehari_vpillai
Active Contributor
0 Kudos

Thanks carlos.roggan - I could verify in the MTX scenario.
