Verify JWT Token - Registered OAuth Clients | Community
Level 2
August 18, 2021
Solved

Verify JWT Token - Registered OAuth Clients


I am looking for documentation on the correct approach/pattern for JWT OAuth validation when using the Registered OAuth Clients in AEM. I have searched the internet and I have not found any good examples of how to validate the JWT OAuth Registered Client token.

I understand the flow from a 3rd-party OAuth authentication server (e.g. Facebook, Google), but I am looking for the pattern when using the OOTB Registered OAuth Clients in AEM (/libs/granite/oauth/content/clients.html).

Can anyone please provide me with some direction or an approved validation pattern?

Best answer by AlbinIs1

@albinis1 Turns out I was overthinking the solution, but to be fair there is so little documentation on this pattern. Using the ScopeWithPrivileges does work as expected... with one issue. AEM returns a 404 when the token is not valid. Can this be modified to return a 404 if the resource is not found, and a 401 if the token is not valid?


@jarvis_cl_lukow - I never tried this, but it should be possible with some effort - extend the OAuth2ServerAuthenticationHandler.

The OAuth2ServerAuthenticationHandler is responsible for validating the token and returning the AuthenticationInfo object on successful validation/login (a null response in case of validation/login failure). The class is available in the "Adobe Granite OAuth Server (com.adobe.granite.oauth.server)" bundle.

You can create a custom AuthenticationHandler (extend it and adjust the ranking) and respond with an auth-fail status from the extractCredentials method for token validation errors - currently extractCredentials responds with null for invalid tokens.

e.g.

    if (validAccessToken) {
        .......
    } else {
        // "j_reason" is Sling's AuthenticationHandler.FAILURE_REASON request attribute
        request.setAttribute("j_reason", "invalid_token");
        // FAIL_AUTH tells the Sling authenticator that credentials were present but invalid,
        // instead of the null return that lets the request fall through as anonymous
        return AuthenticationInfo.FAIL_AUTH;
    }

 

Regards

Albin I

www.albinsblog.com


August 19, 2021

Thanks. I have read this. But I'll have a read through it again... this time in more detail.
Thanks again.

Community Advisor
September 7, 2021

Regardless of including the "sub" attribute in the JWT Bearer token, the generated access token always changes the sub to admin.

Since I am following the server-server pattern, I am using the urn:ietf:params:oauth:grant-type:jwt-bearer grant type.

In the example you referenced, if you decode the generated access token for the server-server flow I also see the sub was converted to admin:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJnNmIzajl2aTk4bDM5ZmFvNzFpdmc0aDlraC1xM2dydGdoaCIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTU5NzI3NzYwNSwiaWF0IjoxNTk3Mjc0MDA1LCJzY29wZSI6ImRhbV9yZWFkIiwiY3R5IjoiYXQifQ.g-AXNazPxnAP1VbB8Ym1NB_UFW2MuCmYvsPWuZY-jfQ
{"alg":"HS256","typ":"JWT"}{"aud":"g6b3j9vi98l39fao71ivg4h9kh-q3grtghh","iss":"Adobe Granite","sub":"admin","exp":1597277605,"iat":1597274005,"scope":"dam_read","cty":"at"}

Maybe this doesn't matter... but I am confused what user a session is actually for if successful.


No, this is the token referred to in my blog for server-to-server OAuth (JWT):

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjQ1MDIvb2F1dGgvdG9rZW4iLCJpc3MiOiJnNmIzajl2aTk4bDM5ZmFvNzFpdmc0aDlraC1xM2dydGdoaCIsInN1YiI6ImFsYmlub2F1dGgiLCJleHAiOjE1OTcyNzM4OTA5NDA2LCJpYXQiOjE1OTcyNzM4MDk0MDYsInNjb3BlIjoiZGFtX3JlYWQiLCJjdHkiOiJjb2RlIn0.EmXLGX9RK-i4OPh-kA8YSTxi8PSJxVtk7uWsYLcMqXY4Z-ZI6pJK_1uLZdJbFxurs3tLqkg300w6w3M99PTrHZg54J2s9SafZyB7psAh6K8ycEvJDHsUDD1ovZvMfQ__tqhMC8yzGFlODLWaAx095fVHO-ce4pewxdzwv3TQK593xwjtwL_hPRqLkjy6Kvt6Cu0TEJd6YFoMNiftca9KxIMEG9fMOpNkHe4rIo_oSqdmiDzbqBZ-0P_3j4gDO_AYnULF9h42NHOrgAxOucfwZbfxgHc8UODUiLw3f1Mw9WGK9POzdFPeruHcknjRf4J60BwestDbFjfHb_8owXAJwA

The sub value is specified as albinoauth when I parse the token through https://jwt.io/

Regards

Albin I

www.albinsblog.com
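The two tokens posted in this thread illustrate the two checks the question is really about: what a handler such as the one described in the accepted answer has to verify before it decides between returning AuthenticationInfo.FAIL_AUTH and accepting a session, and why the `sub` of the client assertion (albinoauth, cty "code") and the `sub` of the access token AEM mints from it (admin, cty "at") are different tokens with different issuers and audiences. The script below is an added example, written for this page; it is not AEM code and not from Albin's blog. It decodes both tokens exactly as posted above, then performs the RFC 7519 registered-claim checks and a constant-time HS256 signature check with the standard library only. The HMAC secret is made up (the key AEM signs access tokens with is not on this page, so the posted access token can only be inspected, not verified), and the issuer and audience strings are taken from the decoded claims.

```python
"""Decode and validate the JWTs from this thread using only the standard library."""
import base64
import hashlib
import hmac
import json
import time

# Both tokens are copied from the posts above. CLIENT_ASSERTION is the RS256
# JWT the client sends with grant_type=jwt-bearer (cty "code"); ACCESS_TOKEN is
# the HS256 token AEM minted from it (cty "at").
CLIENT_ASSERTION = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjQ1MDIvb2F1dGgvdG9rZW4iLCJpc3MiOiJnNmIzajl2aTk4bDM5ZmFvNzFpdmc0aDlraC1xM2dydGdoaCIsInN1YiI6ImFsYmlub2F1dGgiLCJleHAiOjE1OTcyNzM4OTA5NDA2LCJpYXQiOjE1OTcyNzM4MDk0MDYsInNjb3BlIjoiZGFtX3JlYWQiLCJjdHkiOiJjb2RlIn0."
    "EmXLGX9RK-i4OPh-kA8YSTxi8PSJxVtk7uWsYLcMqXY4Z-ZI6pJK_1uLZdJbFxurs3tLqkg300w6w3M99PTrHZg54J2s9SafZyB7psAh6K8ycEvJDHsUDD1ovZvMfQ__tqhMC8yzGFlODLWaAx095fVHO-ce4pewxdzwv3TQK593xwjtwL_hPRqLkjy6Kvt6Cu0TEJd6YFoMNiftca9KxIMEG9fMOpNkHe4rIo_oSqdmiDzbqBZ-0P_3j4gDO_AYnULF9h42NHOrgAxOucfwZbfxgHc8UODUiLw3f1Mw9WGK9POzdFPeruHcknjRf4J60BwestDbFjfHb_8owXAJwA"
)
ACCESS_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJnNmIzajl2aTk4bDM5ZmFvNzFpdmc0aDlraC1xM2dydGdoaCIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTU5NzI3NzYwNSwiaWF0IjoxNTk3Mjc0MDA1LCJzY29wZSI6ImRhbV9yZWFkIiwiY3R5IjoiYXQifQ."
    "g-AXNazPxnAP1VbB8Ym1NB_UFW2MuCmYvsPWuZY-jfQ"
)
CLIENT_ID = "g6b3j9vi98l39fao71ivg4h9kh-q3grtghh"   # aud of the access token, iss of the assertion
TOKEN_ENDPOINT = "http://localhost:4502/oauth/token"  # aud of the assertion


class TokenError(Exception):
    """Any reason to reject a token; a handler would map this to 401, not 404."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("expected header.payload.signature")
    return parts


def decode_unverified(token: str):
    """Parse header and claims WITHOUT checking the signature; for inspection only."""
    header_b64, payload_b64, _ = _split(token)
    try:
        return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))
    except ValueError as err:  # bad base64url padding or bad JSON
        raise TokenError("undecodable segment: %s" % err)


def check_claims(claims: dict, *, issuer: str, audience: str, now: int, leeway: int = 30) -> dict:
    """Registered-claim checks (RFC 7519 section 4.1) done after the signature is trusted.

    NumericDate is seconds since the epoch; a producer that writes milliseconds (the
    assertion above has a 13-digit iat) trips the issued-in-the-future check.
    """
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token is not intended for this audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now - leeway >= exp:
        raise TokenError("token expired or exp missing")
    if iat is not None and iat > now + leeway:
        raise TokenError("token issued in the future (clock skew, or iat/exp in milliseconds?)")
    return claims


def verify_hs256(token: str, secret: bytes, *, issuer: str, audience: str,
                 now: int = None, leeway: int = 30) -> dict:
    """Verify an HS256 JWT: pin the algorithm, check the MAC in constant time, then the claims."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = _split(token)
    header, claims = decode_unverified(token)
    # The verifier, never the token, decides the algorithm: this closes alg=none and
    # the RS256->HS256 confusion where a public key gets used as the HMAC secret.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    mac = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    try:
        sig = _b64url_decode(sig_b64)
    except ValueError as err:
        raise TokenError("undecodable signature: %s" % err)
    if not hmac.compare_digest(mac, sig):
        raise TokenError("signature check failed")
    return check_claims(claims, issuer=issuer, audience=audience, now=now, leeway=leeway)


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Create an HS256 JWT; used only to build test tokens with a made-up secret."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(secret, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(mac)


if __name__ == "__main__":
    for name, tok in (("assertion", CLIENT_ASSERTION), ("access token", ACCESS_TOKEN)):
        hdr, clm = decode_unverified(tok)
        print("%-12s alg=%s sub=%s cty=%s iat=%s" % (name, hdr["alg"], clm["sub"], clm["cty"], clm["iat"]))
    demo_secret = b"made-up-demo-secret"  # assumption: stand-in for the issuer's real key
    fresh = mint_hs256({"iss": "Adobe Granite", "aud": CLIENT_ID, "sub": "svc-user",
                        "iat": 1_700_000_000, "exp": 1_700_003_600, "cty": "at"}, demo_secret)
    print("verified sub:", verify_hs256(fresh, demo_secret, issuer="Adobe Granite",
                                        audience=CLIENT_ID, now=1_700_000_100)["sub"])
```

Two things the decoded tokens show that the thread does not spell out: the assertion's `iss` equals the access token's `aud` (both are the registered client ID, so the access token is scoped to the client that presented the assertion, whatever `sub` ends up as), and the assertion's `iat`/`exp` are 13 and 14 digits, i.e. milliseconds rather than the seconds RFC 7519 requires, which a strict verifier rejects as issued in the future. The signature step uses `hmac.compare_digest` and refuses any `alg` other than the one the verifier expects; whether the real OAuth2ServerAuthenticationHandler checks exactly these claims is not on this page.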