JWS signature verification: the signatures are provided in a JWKS

I'm having trouble verifying the webhook signature.

The authenticity and integrity of the webhook event can be verified by checking the signature provided in the header: x-xyz-jws.

This signature is provided as a JSON Web Signature (JWS) using the body as the unencoded payload, as described in https://www.rfc-editor.org/rfc/rfc7797.

The public keys used to verify the signatures are provided in a JWKS (JSON web key set).

To verify the signature of the webhook payload, the following steps need to be performed:

  1. When the request is received, convert the HTTP JSON body to canonicalized form: https://www.rfc-editor.org/rfc/rfc8785.
  2. Select the correct key from the JWKS matching the key id from the x-xyz-jws header.
  3. Use the x-xyz-jws header and the canonicalized body to verify the signature with the selected key.

Consider the following information:

x-xyz-jws

eyJhbGciOiJFUzI1NiIsImtpZCI6IjEiLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdfQ..DF7F6zQzpe7ErWBd2-sG1QWS_pfRWO2Yo1iNUT1XW4CgUUjmK82K6Tk0HPz5x4JidvOW4LvibQMORH-56kg7Yg

JWKS

{ "keys": [ { "kty": "EC", "use": "sig", "crv": "P-256", "kid": "1", "x": "qkx4od6mtrz5xbSL8WgyODkFaP6CJcskigWpYbuP024", "y": "T9ul87OtlHYZAfXw8b36VRNIxnRzgNzBgJaR8dZfjbE", "alg": "ES256" } ] }

Body (Raw JSON)

{..}

How do I validate the signature using PHP?

Thank you in advance for your help.

Upvotes: 0

Views: 34
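The three steps from the question, worked through as an added example that is not code from the question or from the webhook provider; it is written in Go rather than PHP so the logic can be checked as written. It covers steps 2 and 3 (key selection by kid, then verification of the detached, b64=false ES256 JWS) and assumes step 1, RFC 8785 canonicalization, has already been applied to the body by a JCS library; the header in the question decodes to {"alg":"ES256","kid":"1","b64":false,"crit":["b64"]}, which is the shape checked here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// VerifyWebhook performs steps 2 and 3 of the documented procedure for an ES256 JWS with
// b64=false (RFC 7797): select the JWK by kid, then verify "protected.body" against the
// raw r||s signature. canonicalBody must already be the RFC 8785 form of the request body.
func VerifyWebhook(jws string, canonicalBody, jwks []byte) error {
	parts := strings.Split(jws, ".") // detached form is "protected..signature": empty middle part
	var hdr map[string]interface{}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || parts[1] != "" || err != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return errors.New("jws: expected detached compact serialization with a valid protected header")
	}
	if hdr["alg"] != "ES256" || hdr["b64"] != false { // pin the algorithm; never let alg choose it
		return errors.New("jws: require alg=ES256 with b64=false")
	}
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } }
	_ = json.Unmarshal(jwks, &set) // a malformed set simply yields no key and fails below
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int), Y: new(big.Int)}
	for _, k := range set.Keys {
		if k.Kid == hdr["kid"] && k.Kty == "EC" && k.Crv == "P-256" {
			x, _ := base64.RawURLEncoding.DecodeString(k.X)
			y, _ := base64.RawURLEncoding.DecodeString(k.Y)
			pub.X.SetBytes(x)
			pub.Y.SetBytes(y)
		}
	}
	if !pub.IsOnCurve(pub.X, pub.Y) { // (0,0) is off-curve, so this also rejects "no key for kid"
		return errors.New("jwks: no usable P-256 key for the header kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signatures are r||s, 32 bytes each, not DER
		return errors.New("jws: signature is not 64 raw bytes")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + string(canonicalBody))) // RFC 7797 signing input
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("jws: signature does not verify")
	}
	return nil
}
```

A body that is not byte-for-byte the RFC 8785 form (different key order, whitespace, or escaping) will fail verification even with the right key, so the canonicalization step is part of the security check, not a formality.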

Answers (0)
