Saml token convert to jwt
Hello, I created an iRule to convert a SAML token to a JWT (JSON Web Token). It works well, but I get a signature error. I tried many options and formats, but nothing works. I'm sure you can help me easily. I have created a working access profile with SAML. BIG-IP is the SP and there is an external IdP. Here is my iRule.

```tcl
when ACCESS_ACL_ALLOWED {
    # hmac-sha256 secret
    set secret_key "secret"

    # get data from the SAML session (APM -> Manage Sessions -> Variables -> View)
    set user [ACCESS::session data get session.saml.last.nameIDValue]
    set sub [ACCESS::session data get session.saml.last.attr.name./EmployeeID]
    set nbf [ACCESS::session data get session.saml.last.validityNotBefore]
    set exp [ACCESS::session data get session.saml.last.validityNotOnOrAfter]
    set email [ACCESS::session data get session.saml.last.attr.name./identity/claims/emailaddress]
    set surname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/surname]
    set givenname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/givenname]
    set aud [ACCESS::session data get session.saml.last.assertionIssuer]
    set gpid [ACCESS::session data get session.saml.last.attr.name./GPID]

    # name of the cookie
    set cookie_name "xyz-JWT"

    # cookie header
    set cookie_header "[b64encode "{\r\n \"alg\": \"HS256\", \r\n \"typ\": \"JWT\"\r\n}"]"

    # cookie payload
    set cookie_payload "[b64encode "{\r\n \"user\": \"$user\",\r\n \"sub\": \"$sub\",\r\n \"nbf\": \"$nbf\",\r\n \"exp\": \"$exp\",\r\n \"email\": \"$email\",\r\n \"surname\": \"$surname\",\r\n \"givenname\": \"$givenname\",\r\n \"aud\": \"$aud\",\r\n \"gpid\": \"$gpid\"\r\n}"]"

    # cookie data for the signature; the earlier variants were tests, the last
    # assignment is the one in effect
    # set cookie_data [concat "[b64encode [URI::encode $cookie_header]].[b64encode [URI::encode $cookie_payload]]"]
    # test some other versions
    # set cookie_data "[URI::encode [b64encode $cookie_header]]\".\"[URI::encode [b64encode $cookie_payload]]"
    # set cookie_data "[URI::encode $cookie_header]\".\"[URI::encode $cookie_payload]]"
    set cookie_data $cookie_header"."$cookie_payload
    log local0. "cookie_data $cookie_data"

    # create the signature
    set cookie_sig "[CRYPTO::sign -alg hmac-sha256 -key $secret_key $cookie_data]"

    # convert the signature in some versions
    set cookie_sig_b64 "[b64encode $cookie_sig]"
    set cookie_sig_b64_url "[URI::encode $cookie_sig_b64]"
    # the next line was missing from the post as shared; assumed from the variable names
    set cookie_sig_url "[URI::encode $cookie_sig]"
    set cookie_sig_url_b64 "[b64encode $cookie_sig_url]"
    log local0. "sig_b64= $cookie_sig_b64"
    log local0. "sig_b64_url= $cookie_sig_b64_url"
    log local0. "sig_url_b64= $cookie_sig_url_b64"

    # verify the signature
    if { [CRYPTO::verify -alg hmac-sha256 -key $secret_key -signature $cookie_sig $cookie_data] } {
        log local0. "Data verified"
    }

    # create the full JWT
    set cookie "$cookie_header.$cookie_payload.$cookie_sig_url_b64"
    HTTP::cookie insert name $cookie_name value $cookie
    log local0. "$cookie_name $cookie"
}

# send to the client
when HTTP_RESPONSE {
    HTTP::cookie insert name $cookie_name value $cookie
}
```

If I verify the cookie with jwt.io (website), I always get a signature error. Everything else works. The JSON notation for the signature is

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

(secret base64 encoded). I think I have a mistake in the format for cookie_data. In the version above you can see some of my tests. Can you help me?

Cheers, NetSnoopy
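Added example, not from the post or from F5: it builds an HS256 JWT exactly as the formula quoted above says, with base64url segments and no padding, verifies it, and then shows two tokens a strict JWS verifier rejects: one whose signature was computed over something other than the transmitted `header.payload` string, and one whose signature segment is standard base64 instead of base64url. The secret, header and claims are constructed sample values.

```python
import base64, hashlib, hmac, json

_B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def b64url(data):
    # base64url without '=' padding, the only encoding JWS allows for segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg):
    # strict inverse: '=', '+' and '/' are rejected, as a JWT verifier does
    if not seg or set(seg) - _B64URL:
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_hs256_jwt(header, payload, secret):
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256_jwt(token, secret):
    # returns the claims for a valid HS256 token, None otherwise
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(p))

# constructed sample values, not real SAML attributes or a real secret
SECRET = b"secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"sub": "12345", "email": "jane@example.org", "aud": "https://idp.example.org/"}

def demo():
    good = make_hs256_jwt(HEADER, CLAIMS, SECRET)
    h, p, s = good.split(".")
    # signed over the decoded JSON instead of the encoded segments that are sent
    other = hmac.new(SECRET, (json.dumps(HEADER) + "." + json.dumps(CLAIMS)).encode(), hashlib.sha256).digest()
    wrong_input = h + "." + p + "." + b64url(other)
    # right signature, but emitted as standard base64: a 32-byte MAC always ends in '='
    std_b64 = h + "." + p + "." + base64.b64encode(b64url_decode(s)).decode()
    return (verify_hs256_jwt(good, SECRET) == CLAIMS,
            verify_hs256_jwt(wrong_input, SECRET) is None,
            verify_hs256_jwt(std_b64, SECRET) is None)
```

`demo()` returns `(True, True, True)`: only the token whose signature covers the exact base64url `header.payload` string and whose segments are all base64url is accepted.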