Reputation: 31
I'm trying to parse a JWT from Xero for SSO. Xero documentation states "The JWT is a JSON payload signed with your client secret and the RS256 signing algorithm". I can get the JWT from Xero. I know my "client secret" (string).
How do I put it together with setSigningKey to verify the response for RS256, using Java? Thanks
Upvotes: 2
Views: 942
Reputation: 7231
Thanks for asking this question. I came to this as a complete beginner and there is quite a learning curve. Because I am proxying the Xero sign-in so I can support multiple domains with one app, I needed to handle the OAuth2 stuff manually. There are hardly any questions on this and it was driving me a bit crazy, so I have added a Python answer in case it helps others.
In Python 3, this is how it can be done:
```python
# using pip install pyjwt[crypto]
import jwt


class XeroOidcClient:
    def __init__(self, client_id):
        # self.client_id is the client id of the Xero app; the id_token's
        # "aud" claim must match it
        self.client_id = client_id

    def decode_id_token(self, id_token):
        # To inspect the claims without verifying them (debugging only):
        # decoded_without_verification = jwt.decode(id_token, options={"verify_signature": False})

        # Xero's JWKS endpoint: the RSA public keys that RS256 tokens are
        # verified against (the client secret plays no part in this check)
        discovery_url = "https://identity.xero.com/.well-known/openid-configuration/jwks"
        jwks_client = jwt.PyJWKClient(discovery_url)
        # picks the key whose "kid" matches the token header
        signing_key = jwks_client.get_signing_key_from_jwt(id_token)
        # pinning algorithms=["RS256"] stops a token from choosing its own alg;
        # audience= makes pyjwt check the "aud" claim, exp/nbf are checked by default
        decoded = jwt.decode(id_token, signing_key.key,
                             algorithms=["RS256"], audience=self.client_id)
        return decoded
```
I don't know if there is some way to avoid hardcoding the discovery URL. I got it from this Xero discussion: https://community.xero.com/developer/discussion/115505302
Upvotes: 2
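To make the steps in the answer above concrete without touching the network, here is an added example (not the answer author's code and not Xero's) in standard-library Python that plays both sides: it mints an id_token with a toy RSA key, publishes that key as a JWKS document, and then verifies the token the way the pyjwt call does, looking the key up by kid, pinning RS256, checking the RSASSA-PKCS1-v1_5 signature, and only then checking exp, aud and iss. It also shows the failure cases a verifier must refuse: a header claiming HS256, an unknown kid, a wrong audience, an expired token and a swapped payload. The key pair is built from two Mersenne primes purely so the example runs offline; it is trivially factorable and must never be used for anything real. The client id, key id, claim values and issuer string are assumptions made up for the demo; the client secret is not used anywhere, because an RS256 signature is checked with the issuer's public key.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_bytes(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# Toy RSA key pair, constructed for this example only. Two Mersenne primes give a
# working modulus without a prime generator; anyone can factor it. NOT SECURE.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KID = "demo-kid-1"  # assumed key id; real kids are opaque strings

# What the JWKS endpoint would return for this key (constructed sample).
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": KID,
                  "n": b64url_encode(int_to_bytes(N)),
                  "e": b64url_encode(int_to_bytes(E))}]}

# Assumed values: the Xero app's client id and the issuer string the
# relying party expects (taken here to be the host serving the JWKS URL).
CLIENT_ID = "demo-client-id"
ISSUER = "https://identity.xero.com"

# DER prefix of DigestInfo for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), the padding RS256 uses."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_rs256(header, claims):
    """Identity-provider side: mint a compact JWT with the toy private key."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, D, N).to_bytes(k, "big"))


def verify_id_token(token, jwks, client_id, issuer, now=None):
    """Relying-party side: the checks jwt.decode(..., algorithms=["RS256"], audience=...) performs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. Pin the algorithm. Trusting header["alg"] would let an attacker switch to
    #    "none", or to HS256 with the public key as the HMAC secret.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # 2. Select the public key by kid from the JWKS (what PyJWKClient does).
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no RSA key with kid %r" % header.get("kid"))
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    # 3. RSASSA-PKCS1-v1_5: sig^e mod n must equal the padded digest of header.payload.
    sig = b64url_decode(s_b64)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        raise ValueError("bad signature encoding")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, emsa_pkcs1_v15((h_b64 + "." + p_b64).encode(), k)):
        raise ValueError("signature mismatch")
    # 4. Only now are the claims trustworthy: check expiry, audience and issuer.
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    return claims


def demo_token(aud=CLIENT_ID, alg="RS256", kid=KID, exp=1_700_003_600):
    """An id_token as the IdP would mint it (constructed sample claims)."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    claims = {"iss": ISSUER, "aud": aud, "sub": "user-123",
              "email": "someone@example.com", "iat": 1_700_000_000, "exp": exp}
    return sign_rs256(header, claims)


def forge_payload(token, claims):
    """Attacker move: keep header and signature, swap in different claims."""
    h_b64, _, s_b64 = token.split(".")
    return h_b64 + "." + b64url_encode(json.dumps(claims).encode()) + "." + s_b64


def rejects(token, now=1_700_000_100):
    """True if verification refuses the token; used to exercise the failure cases."""
    try:
        verify_id_token(token, JWKS, CLIENT_ID, ISSUER, now=now)
        return False
    except ValueError:
        return True
```

Running `verify_id_token(demo_token(), JWKS, CLIENT_ID, ISSUER)` returns the claims dict; `rejects(demo_token(alg="HS256"))`, `rejects(demo_token(kid="other"))`, `rejects(demo_token(aud="someone-else"))` and `rejects(forge_payload(demo_token(), {"sub": "attacker"}))` are all True. In production you would not hand-roll step 3: keep the pyjwt (or, for the Java side of the question, jjwt / java-jwt) call, but make sure it receives the key from the JWKS endpoint, a fixed algorithm list, and your client id as the audience, which is exactly what the answer above does.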
Reputation: 2642
Is your goal just to see the data in the id_token?
If your goal is to validate the legitimacy of the JWT, I'd recommend using a library to handle that security portion of validation: https://openid.net/developers/certified/
However, if what you're looking for is just the data contained within (email, first name, last name), you can simply decode the JWT with this lib. Or check out the decode function to roll your own (it will programmatically look up the hashing algo and decode it for you):
https://github.com/auth0/java-jwt#decode-a-token
Upvotes: 0