Sunday, February 28, 2021

RFC 7523 Demo

Summary

I'll be covering the usage of the RFC 7523 authorization grant type in this post.  I'll create a server-side implementation as a Google Cloud Function and a simple client in Node.js.

Architecture

The implementation consists of a Google Cloud Function that is triggered on an HTTP POST request.  The request has a form-urlencoded body consisting of the grant_type parameter and an assertion with the JSON web token (JWT) - per the RFC.  The response is a JSON object consisting of the token type, bearer token, and the unencoded version of the original JWT received.  That last item isn't required, but I included it to aid in troubleshooting.


Server-side Snippet

As discussed, the server is implemented as a GCF.  For a Node implementation, that consists of an Express server.  The express-jwt middleware is used to implement the JWT handling.

  1. app.use(expressJwt({
  2.     secret: sharedKey,
  3.     issuer: issuer,
  4.     audience: audience,
  5.     algorithms: ['HS256', 'HS384', 'HS512'],    
  6.     requestProperty: 'token',
  7.     getToken: (req) => {
  8.         return req.body.assertion;
  9.     }
  10. }));
  11.  
  12. app.post('/rfc7523', (req, res) => {
  13.     if (req.token) {
  14.         console.log(`Received token: ${JSON.stringify(req.token)}`);
  15.         const alg = 'HS512'
  16.         const payload = { 
  17.             "iss": 'oauth issuer',
  18.             "sub": 'oauth authority',
  19.             "aud": 'm2mclient',
  20.             "exp": Math.round(Date.now()/1000 + 3) //3 second expiration
  21.         };
  22.         const accessToken = jwt.sign(payload, privateKey, {algorithm: alg});
  23.             
  24.         res.status(200)
  25.         .json({
  26.             token_type: 'bearer',
  27.             rec_token: req.token,
  28.             access_token: accessToken
  29.         });
  30.     }
  31.     else {
  32.         res.status(400).json({error: 'no token found'});
  33.     }
  34. });

Client-side Snippet


  1. (async () => {
  2.     const payload = { 
  3.         "iss": issuer,
  4.         "sub": subject,
  5.         "aud": audience,
  6.         "exp": Math.round(Date.now()/1000 + 3) //3 second expiration        
  7.     };
  8.     const alg = 'HS512'
  9.     const token = jwt.sign(payload, sharedKey, {algorithm: alg});
  10.     const authGrant = encodeURI('urn:ietf:params:oauth:grant-type:jwt-bearer');
  11.     const response = await fetch(url, {
  12.         method: 'POST',
  13.         headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  14.         body: `grant_type=${authGrant}&assertion=${token}`
  15.     });
  16.     
  17.     const json = await response.json();
  18.     console.log(`Results: ${JSON.stringify(json, null, 4)}`);
  19. })();

Results


Results: {
...
    "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJvYXV0aCBpc3 - abbreviated"
}

Source


Copyright ©1993-2024 Joey E Whelan, All rights reserved.

Posted by at