Month: February 2016

WSO2 App Manager - Extract the JWT token from the wire log

App Manager provides SAML-based SSO for the web apps published through it, so developers do not need to handle authentication inside their web apps. They can develop an unsecured web app and secure it simply by publishing it through App Manager.

When a user tries to access the unsecured web app through App Manager (the gateway component), authentication is checked at the gateway. If the user authenticates successfully, he or she is allowed to reach the unsecured web app through the gateway.

In some cases the unsecured web app needs information about the authenticated user, for example to return data that belongs to that user. In such scenarios the gateway has to pass the authenticated user's information securely to the back end. The gateway can send the authenticated user's information to the back-end app as a JWT[1]. Configuring App Manager for JWT support is described in [2].

In this post I am going to discuss how to

1. Extract the encoded JWT that the App Manager gateway sends to the back-end web app.

2. Decode the extracted token and verify its signature.

1. Extract the encoded JWT token

By default the encoded JWT is attached to the "X-JWT-Assertion" HTTP header. You can change the header the JWT is attached to by configuring the <SecurityContextHeader/> element in app-manager.xml[2]. Note that this header is only as trustworthy as the path it arrived on: the back end must verify the token's signature, and it should not be reachable except through the gateway, otherwise a client that can talk to the back end directly can supply an X-JWT-Assertion header of its own.

By enabling the wire log in the gateway you can see every message coming into the gateway and going out of it, so the encoded JWT can be extracted from the messages going out from the gateway to the back-end application.

1. Enable the wire log
a. Open the log4j.properties file in <APPM_HOME>/repository/conf
b. Un-comment the following entry:
log4j.logger.org.apache.synapse.transport.http.wire=DEBUG

2. Invoke the web app through gateway

3. Find the outgoing message that carries the X-JWT-Assertion HTTP header (the "wire <<" direction marks messages the gateway writes to the wire), e.g.

[2016-02-22 11:19:50,709] DEBUG - wire << "X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5rSkdPRVV4TXpaRlFqTTJSRFJCTlRaRlFUQTFRemRCUlRSQ09VRTBOVUkyTTBKR09UYzFSQT09In0=.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hcHBtIiwiZXhwIjoxNDU2MTIwOTE0NDM2LCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL3JvbGUiOiJJbnRlcm5hbC9hcHAxLXNpdGUtMSxJbnRlcm5hbC9hcHAxLXdlYi0xLEludGVybmFsL3B1Ymxpc2hlcixJbnRlcm5hbC9qd3QtMSxJbnRlcm5hbC9QbGFuWW91clRyaXBfYWRtaW4tMS4wLjAsSW50ZXJuYWwvYW5vbjEtc2l0ZS0xLEludGVybmFsL2NyZWF0b3IsYWRtaW4sSW50ZXJuYWwvcm9sZS13ZWJhcHAtMSxJbnRlcm5hbC9zdWJzY3JpYmVyLEludGVybmFsL3N0b3JlLWFkbWluLEludGVybmFsL2V2ZXJ5b25lLEludGVybmFsL2Fub24xLXdlYmFwcC0xIn0=.D17S22rLu+jjqEXrcqK9CnZuUGrIOVT7zPoUIq+AsnQTSqyUsvsR7CSvLK23w5hNrRapTgRdoCem2OxMLd3eLXZQN1mnMI4rzh+yYst8WhssPYC+RgedXf/J79PWTitg1ZJf/dogwUTx81YB7/gXlh8Tp34qf0djxVcwbpL/THA=[\r][\n]"

4. Extract the encoded JWT from the message above: it is the value of the X-JWT-Assertion header, everything after "X-JWT-Assertion: " up to the trailing [\r][\n].
Encoded token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5rSkdPRVV4TXpaRlFqTTJSRFJCTlRaRlFUQTFRemRCUlRSQ09VRTBOVUkyTTBKR09UYzFSQT09In0=.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hcHBtIiwiZXhwIjoxNDU2MTIwOTE0NDM2LCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL3JvbGUiOiJJbnRlcm5hbC9hcHAxLXNpdGUtMSxJbnRlcm5hbC9hcHAxLXdlYi0xLEludGVybmFsL3B1Ymxpc2hlcixJbnRlcm5hbC9qd3QtMSxJbnRlcm5hbC9QbGFuWW91clRyaXBfYWRtaW4tMS4wLjAsSW50ZXJuYWwvYW5vbjEtc2l0ZS0xLEludGVybmFsL2NyZWF0b3IsYWRtaW4sSW50ZXJuYWwvcm9sZS13ZWJhcHAtMSxJbnRlcm5hbC9zdWJzY3JpYmVyLEludGVybmFsL3N0b3JlLWFkbWluLEludGVybmFsL2V2ZXJ5b25lLEludGVybmFsL2Fub24xLXdlYmFwcC0xIn0=.D17S22rLu+jjqEXrcqK9CnZuUGrIOVT7zPoUIq+AsnQTSqyUsvsR7CSvLK23w5hNrRapTgRdoCem2OxMLd3eLXZQN1mnMI4rzh+yYst8WhssPYC+RgedXf/J79PWTitg1ZJf/dogwUTx81YB7/gXlh8Tp34qf0djxVcwbpL/THA=

2. Decode and verify the signature of the extracted token
Here we are not going to look at how to decode the token in detail. Instead we use the jwt.io debugger to decode the token and verify its signature.

1. Copy the extracted token and paste it into the jwt.io debugger.
It decodes the token and displays its header and payload, but, as you can see in the image, the signature is not verified yet. One thing to notice while you are looking at the raw token: its segments are plain base64 with "=" padding and "+" and "/" characters, not the base64url encoding that RFC 7515 requires, so strict JWT libraries on the back end may reject it as written.

[Screenshot: jwt.io debugger showing the decoded header and payload, signature not verified (jwt-io-decode-no-sig)]
2. Verify the signature.

By default the App Manager gateway signs the JWT with the RS256 algorithm. This is recorded in the JWT header ("alg": "RS256"). You can find more on the signature configuration in [2].

To verify an RS256 signature in jwt.io we need to provide the gateway's certificate, i.e. its public key.

This is the default certificate of the Carbon server. It is the same key in every fresh WSO2 installation and its private half ships with the product, so it is fine for this experiment but must be replaced with your own keystore before a back end is allowed to trust tokens signed with it.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Copy and paste the certificate above into the text box in the jwt.io debugger that asks for the public key. Now, as you can see in the image, the signature is verified.
[Screenshot: jwt.io debugger reporting "Signature Verified" after the certificate is supplied (jwt-io-signature-verified)]

1. https://docs.wso2.com/display/APPM100/Securing+Web+Applications+Using+JWT
2. https://docs.wso2.com/display/APPM100/Passing+End+User+Attributes+to+the+Backend+Using+JWT
