I've been struggling to sign the jwt and I'm not familiar with the ruby file provided by apple on WWDC.. the code reads
require "base64"
require "jwt"
ISSUER_ID = "your-ID"
KEY_ID = "your-KeyID"
private_key = OpenSSL::PKey.read(File.read())
token = JWT.encode(
{
iss: ISSUER_ID,
exp: Time.now.to_i + 20 * 60,
aud: "appstoreconnect-v1"
},
private_key,
"ES256",
header_fields={
kid: KEY_ID }
)
puts token
the code keeps giving me this error when I run it on terminal.
enter image description here
my goal is simple, I just want to return some data from the GET api but am struggling with the 401 error on postman.
You have a syntax error in your code according to the screenshot you posted.
There's also what appears to be an error or misconfiguration in your code sample.
The gem most frequently used to encode/decode JWTs in ruby is here; this is the gem you're using in your example (via require "jwt") There are a number of examples on that page you can reference, but if you look thru the README you'll note they mention you can only use a kid with RSA and you're not using RSA in your example.
Try this:
token = JWT.encode(
{
iss: ISSUER_ID,
exp: Time.now.to_i + 20 * 60,
aud: "appstoreconnect-v1"
},
private_key,
"ES256"
)
Here's a link to using a JWK with the kid and the RSA algorithm.
Search for ecdsa_key on that same page for examples with ES256 (you'll find the one I posted above).
Seeing the original example from the WWDC docs might help provide additional context for the correct configuration but I'm not sure where to find that document. If it's public and you can link to it I can follow up.
Related
I am playing around with DEX and openldap. When I get a token back in my browser and put it into JWT debugger with the public key i generated, it doesn't verify the signature. I am trying to step through the code of DEX, but the debugging tools are not really working on my computer. I have resorted to log statements. I can't really find where I can observe the signing of the token to see if the program is using the keys i provided or not. Which function actually signs the token and how can I observe what key it uses to sign?
The key can be read from the DEX "keys" endpoint which can be obtained from:
http://your.dex.com/.well-known/openid-configuration
Typically, it would be something like:
http://your.dex.co/keys
After that, the public keys can be extracted using the following program:
https://play.golang.org/p/wVusucNGDI
One of those keys will be able to validate the token:
from jose import jwt
key = '''-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArT9AtIlC8MxhLYhz8ODH
...
+QIDAQAB
-----END PUBLIC KEY-----'''
encoded = 'eyJh...ocw'
audience = ''
if audience == "":
opts = {"verify_aud": False}
else:
opts = {}
opts['verify_at_hash'] = False
decoded = jwt.decode(encoded, key, audience=audience, options=opts)
print(decoded)
I'm attempting to port the GitHub Apps sample starter code from Ruby to Python, but I'm running into trouble whilst generating the required JWT. The Ruby script looks like this, and works fine:
require 'openssl'
require 'jwt' # https://rubygems.org/gems/jwt
private_pem = File.read(YOUR_PATH_TO_PEM)
private_key = OpenSSL::PKey::RSA.new(private_pem)
payload = {
iat: Time.now.to_i,
exp: Time.now.to_i + (10 * 60),
iss: GITHUB_APP_IDENTIFIER
}
jwt = JWT.encode(payload, private_key, "RS256")
puts jwt
My Python script is as follows and produces the A JSON web token could not be decoded error when used against the GitHub API:
import os
import time
import jwt
APP_IDENTIFIER = os.environ["GITHUB_APP_IDENTIFIER"]
with open('./PRIVATE_KEY.pem', 'r') as f:
PRIVATE_KEY = f.read()
payload = {"iat": int(time.time()),
"exp": int(time.time()) + (10*60),
"iss": APP_IDENTIFIER}
print(jwt.encode(payload, PRIVATE_KEY, algorithm='RS256'))
When I tried printing the private keys from both scripts, I found that the Ruby version had an extra newline character. I tried adding this to the private key in the Python script, but it didn't change the output.
My best guess is that the difference is something to do with the OpenSSL::PKey::RSA.new call, but I'm not sure what that does to the key.
jwt.encode() will return you bytes in Python 3 which probably ends up having str() called on it somewhere in the sending pipeline. Calling str() on bytes objects in Python 3 can result in potentially surprising behaviour:
>>> a = b'hello'
>>> str(a)
"b'hello'"
The correct way to turn bytes into a string in Python 3 is to use:
>>> a.decode('utf-8')
'hello'
I added the call to decode on the end of my jwt.encode line and the API suddenly had no problems decoding the JWT.
I am having trouble using the FedEx API, I have read through the documentation pertaining to tracking packages. I have gotten all of the numbers I need to fill into the URL (Test tracking number, Account Number, Account Key, Meter Number, User Name and password).
I was given the URL to use from FedEx, "The production server URL is “https://ws.fedex.com:443/web-services”, however, I am also told to replace the credentials with my actual information (Test tracking number, Account Number, Account Key, Meter Number, User Name and password).
I found this code on another StackOverflow post, and I saw that there was a user who had commented that this way of accessing the FedEx xml was outdated. Anyway I included the code posted by Harshal_m_joshi and edited by houbysoft here (original post Tracking API for Fedex and UPS).
xml_req =
"<TrackRequest xmlns='http://fedex.com/ws/track/v3'><WebAuthenticationDetail><UserCredential><Key>YOUR_ACC_KEY</Key>
<Password>YOUR_ACC_PASSWORD</Password></UserCredential></WebAuthenticationDetail><ClientDetail>
<AccountNumber>YOUR_ACC_NUMBER</AccountNumber><MeterNumber>YOUR_ACC_METER_NUMBER</MeterNumber></ClientDetail>
<TransactionDetail><CustomerTransactionId>ActiveShipping</CustomerTransactionId></TransactionDetail>
<Version><ServiceId>trck</ServiceId><Major>3</Major><Intermediate>0</Intermediate><Minor>0</Minor></Version>
<PackageIdentifier><Value>#{track_no}</Value><Type>TRACKING_NUMBER_OR_DOORTAG</Type></PackageIdentifier>
<IncludeDetailedScans>1</IncludeDetailedScans></TrackRequest>"
path = "https://gatewaybeta.fedex.com:443/xml"
#this url connects to the test server of fedex
# for live server url is:"https://gateway.fedex.com:443/xml"
url = URI.parse(path)
http = Net::HTTP.new(url.host,url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
response = http.post(url.path, xml_req)
response_body = response.body
res = response_body.gsub(/<(\/)?.*?\:(.*?)>/, '<\1\2>')
hash = Hash.from_xml(res.to_s)
and that's it you will get response in hash variable, I converted xml response in to Hash because we can easily use Hash object at our view to display response data.
I was wondering if anyone knew of the new way to do this, or could at least point me in the right direction. I am fairly new to API's only having worked with USPS and WUnderground, which were both easy as pi ;) Any help would be greatly appreciated.
You are going to POST the data to https://ws.fedex.com:443/web-services
Your POST data should look like this...
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns=\"http://fedex.com/ws/track/v5\">
<soapenv:Header/>
<soapenv:Body>
<TrackRequest xmlns:ns=\"http://fedex.com/ws/track/v5\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<WebAuthenticationDetail>
<UserCredential>
<Key>" .$CFG["fedex_key"] ."</Key>
<Password>" .$CFG["fedex_password"] ."</Password>
</UserCredential>
</WebAuthenticationDetail>
<ClientDetail>
<AccountNumber>" . $CFG["fedex_acct"] ."</AccountNumber>
<MeterNumber>" . $CFG["fedex_meter"] ."</MeterNumber>
" .$tracknum ."
trck
5
0
0
" .$tracknum ."
TRACKING_NUMBER_OR_DOORTAG
true
I have been trying for days to pull down activity data from the Withings API using the OAuth Ruby gem. Regardless of what method I try I consistently get back a 503 error response (not enough params) even though I copied the example URI from the documentation, having of course swapped out the userid. Has anybody had any luck with this in the past. I hope it is just something stupid I am doing.
class Withings
API_KEY = 'REMOVED'
API_SECRET = 'REMOVED'
CONFIGURATION = { site: 'https://oauth.withings.com', request_token_path: '/account/request_token',
access_token_path: '/account/access_token', authorize_path: '/account/authorize' }
before do
#consumer = OAuth::Consumer.new API_KEY, API_SECRET, CONFIGURATION
#base_url ||= "#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['SCRIPT_NAME']}"
end
get '/' do
#request_token = #consumer.get_request_token oauth_callback: "#{#base_url}/access_token"
session[:token] = #request_token.token
session[:secret] = #request_token.secret
redirect #request_token.authorize_url
end
get '/access_token' do
#request_token = OAuth::RequestToken.new #consumer, session[:token], session[:secret]
#access_token = #request_token.get_access_token oauth_verifier: params[:oauth_verifier]
session[:token] = #access_token.token
session[:secret] = #access_token.secret
session[:userid] = params[:userid]
redirect "#{#base_url}/activity"
end
get '/activity' do
#access_token = OAuth::AccessToken.new #consumer, session[:token], session[:secret]
response = #access_token.get("http://wbsapi.withings.net/v2/measure?action=getactivity&userid=#{session[:userid]}&startdateymd=2014-01-01&enddateymd=2014-05-09")
JSON.parse(response.body)
end
end
For other API endpoints I get an error response of 247 - The userid provided is absent, or incorrect. This is really frustrating. Thanks
So I figured out the answer after copious amount of Googleing and grasping a better understanding of both the Withings API and the OAuth library I was using. Basically Withings uses query strings to pass in API parameters. I though I was going about passing these parameters correctly when I was making API calls, but apparently I needed to explicitly set the OAuth library to use the query string scheme, like so
http_method: :get, scheme: :query_string
This is appended to my OAuth consumer configuration and all worked fine immediately.
Is there any library in Ruby that generates the Signature, 'X-PAYPAL-AUTHORIZATION' header that is required to make calls on behalf of the account holder who has authorized us through the paypal Permissions API.
I am done with the permissions flow and get the required access token, tokenSecret. I feel I am generating the signature incorrectly as all my calls with the the generated 'X-PAYPAL-AUTHORIZATION' fail. They give the following errors:
For NVP call I get:
You do not have permissions to make this API call
And for the GetBasicPersonalData call I get:
Authentication failed. API credentials are incorrect.
Has anyone gone through this in Ruby? What is best way to generate signature. Paypal has just provided some SDK in Paypal, Java, but not the algorithm to generate signature.
Thanks,
Nilesh
Take a look at the PayPal Permissions gem.
https://github.com/moshbit/paypal_permissions
Specifically lib/paypal_permissions/x_pp_authorization.rb
require 'cgi'
require 'openssl'
require 'base64'
class Hash
def to_paypal_permissions_query
collect do |key, value|
"#{key}=#{value}"
end.sort * '&'
end
end
module ActiveMerchant #:nodoc:
module Billing #:nodoc:
module XPPAuthorization
public
def x_pp_authorization_header url, api_user_id, api_password, access_token, access_token_verifier
timestamp = Time.now.to_i.to_s
signature = x_pp_authorization_signature url, api_user_id, api_password, timestamp, access_token, access_token_verifier
{ 'X-PAYPAL-AUTHORIZATION' => "token=#{access_token},signature=#{signature},timestamp=#{timestamp}" }
end
public
def x_pp_authorization_signature url, api_user_id, api_password, timestamp, access_token, access_token_verifier
# no query params, but if there were, this is where they'd go
query_params = {}
key = [
paypal_encode(api_password),
paypal_encode(access_token_verifier),
].join("&")
params = query_params.dup.merge({
"oauth_consumer_key" => api_user_id,
"oauth_version" => "1.0",
"oauth_signature_method" => "HMAC-SHA1",
"oauth_token" => access_token,
"oauth_timestamp" => timestamp,
})
sorted_query_string = params.to_paypal_permissions_query
base = [
"POST",
paypal_encode(url),
paypal_encode(sorted_query_string)
].join("&")
base = base.gsub /%([0-9A-F])([0-9A-F])/ do
"%#{$1.downcase}#{$2.downcase}" # hack to match PayPal Java SDK bit for bit
end
digest = OpenSSL::HMAC.digest('sha1', key, base)
Base64.encode64(digest).chomp
end
# The PayPalURLEncoder java class percent encodes everything other than 'a-zA-Z0-9 _'.
# Then it converts ' ' to '+'.
# Ruby's CGI.encode takes care of the ' ' and '*' to satisfy PayPal
# (but beware, URI.encode percent encodes spaces, and does nothing with '*').
# Finally, CGI.encode does not encode '.-', which we need to do here.
def paypal_encode str
s = str.dup
CGI.escape(s).gsub('.', '%2E').gsub('-', '%2D')
end
end
end
end
Sample parameters:
url = 'https://svcs.sandbox.paypal.com/Permissions/GetBasicPersonalData'
api_user_id = 'caller_1234567890_biz_api1.yourdomain.com'
api_password = '1234567890'
access_token = 'YJGjMOmTUqVPlKOd1234567890-jdQV3eWCOLuCQOyDK1234567890'
access_token_verifier = 'PgUjnwsMhuuUuZlPU1234567890'
The X-PAYPAL-AUTHORIZATION header [is] generated with URL "https://svcs.paypal.com/Permissions/GetBasicPersonalData". (see page 23, and chapter 7, at the link)
NVP stating "You do not have permissions to make this API call" means your API credentials are correct, just that your account does not have permission for the particular API you are trying to call. Something between the two calls you are submitting is not using the same API credentials.
For NVP call I get:
What NVP call?
TransactionSearch (see comments below)
Also, if you haven't already done so, you will want to use the sandbox APP-ID for testing in the sandbox, and you will need to apply for an app-id with Developer Technical Services (DTS) at PayPal to get an App-ID for live.
EDIT:
To use the TransactionSearch API, all you should be submitting is below. You do not need to specify any extra headers.
USER=xxxxxxxxxxxxxxxxxx
PWD=xxxxxxxxxxxxxxxxxx
SIGNATURE=xxxxxxxxxxxxxxxxxx
METHOD=TransactionSearch
VERSION=86.0
STARTDATE=2009-10-11T00:00:00Z
TRANSACTIONID=1234567890
//And for submitting API calls on bob's behalf, if his PayPal email was bob#bob.com:
SUBJECT=bob#bob.com