Bearer Token Interpretation/Inspection

webMethods 10.5

Hi guys,

I have got a restv2 rest API which uses a Bearer (JWT) token to authenticate. The token which is passed is enriched with certain details which I want to use in my service.

I want to know if there is a way (direct flow service etc) to intercept the bearer token in my flow service and inspect its content to retrieve the desired values.

Any help in this regard would be highly appreciated. Thanks

@DT30 You should be able to access the authorization information at runtime from the pub.flow:getTransportInfo service

transport/http/requestHdrs/Authorization

pub.string:tokenize - Tokenize and extract the part which you are looking for
pub.string:base64Decode - decode the part which you are looking for [ header or body or signature ]
pub.string:bytesToString - convert the decoded byte data to a string

Thank you so much Dinesh. It did work, however, I see my transport info has got basic auth details with Admin creds while I invoked the service using OAuth2.0 Auth.
Let me know what I could be doing not so right.

Hi Dinesh,

I got it working, but my token has got 2 parts, header and payload data. The services you provided are able to convert header portion to string while the payload data returns junk. Not sure if I need to use some other function in conjunction with the ones you shared?

Edit: sorry, I just saw your earlier reply and am going through it currently to see why my payload data and signatures are converting as junk

@Dhiraj_Talwar Let me know: are you passing an unsigned JWT? If so, it will have only two parts, and you can confirm this by trying to decode your JWT at https://jwt.io/

Let me know whether you are passing a valid JWT token.

Hi Dinesh,

It's a valid 3 part JWT token with header, body and signature. I printed the token in my debug log and it's 100% perfect after the tokenize service, but somehow the bytetostring function is only able to decode the header portion and converts the rest to junk.

Thanks

Hi @DT30, in the tokenize service you need to split your token into three parts with the delimiter as ( dot ), extract the JWT body part, and convert it to a string for your use.

Kindly refer to the use of the tokenize service in the documentation.

Would also recommend creating a service (in your common utility package or your equivalent of WmPublic that everyone seems to have for common helper services) using String.split() and using that instead of tokenize. The tokenize method has behaviors that may or may not be desirable depending on what is being done.

Split varies from tokenize in these ways:

  • Split does not collapse consecutive delimiters to a single field.
    For example, with input of “one|two||four” split will return
    “one”, “two”, “”, “four” whereas tokenize will return
    “one”, “two”, “four”.

  • Split supports using regex for the delimiter matching. Tokenize
    accepts a delimiter string in which each character in the string is
    treated as a delimiter. For example, with input of “foo and bar
    and baz” split will return “foo”, “bar”, “baz” whereas tokenize
    will return “foo”, “b”, “r”, “b”, “z”. This is because tokenize
    treats the delimiter string of " and" as a set
    [' ', 'a', 'n', 'd'], not as a string pattern to match.
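Added example, not part of the thread or of webMethods itself: the steps discussed above (take the Authorization value, split on dots, decode the body) written as plain Java that could be adapted into a Java service. The class name, method name and sample token are constructed for illustration; it uses the base64url decoder because JWT segments are base64url-encoded without padding (RFC 7515), which a standard Base64 decoder may reject or mangle.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BearerTokenInspect {

    // Returns the decoded JSON text of the JWT header (index 0) or payload (index 1).
    // The signature (index 2) is raw binary, so it is never converted to a string.
    static String decodePart(String authorizationHeader, int index) {
        String prefix = "Bearer ";
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, prefix, 0, prefix.length())) {
            throw new IllegalArgumentException("not a Bearer Authorization header");
        }
        String token = authorizationHeader.substring(prefix.length()).trim();

        // Limit -1 keeps a trailing empty field, so an unsigned token
        // ("header.payload.") still yields exactly three parts.
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || index < 0 || index > 1) {
            throw new IllegalArgumentException("expected header.payload.signature");
        }

        // base64url uses '-' and '_' instead of '+' and '/', and omits '=' padding.
        // Base64.getUrlDecoder() accepts both differences.
        byte[] raw = Base64.getUrlDecoder().decode(parts[index]);
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample token: claim names and values are made up,
        // and the third segment is a placeholder, not a real signature.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"demo-user\",\"role\":\"reader\"}";
        String token = enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "."
                + "constructed-signature";
        String authorization = "Bearer " + token;

        System.out.println(decodePart(authorization, 0)); // header JSON
        System.out.println(decodePart(authorization, 1)); // payload JSON with the claims
    }
}
```

Decoding only reads the claims; it does not verify the signature, so act on the values only for tokens the server has already validated.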

Thanks a lot Dinesh. It did work.

Thanks Reamon. I will give it a shot too.

If you decide to move to 10.11, please note that there are public services to generate and extract specific claims from a JWT which you could use after using pub.flow:getTransportInfo; you wouldn't need to base64decode/tokenize etc.

Refer to the pub.jwt folder in the Built-In Services guide for more details.

-NP

Thanks Nagaendra. We have got 10.11 in our lab env. Soon we will be upgrading our other envs too. Thanks again. I will keep it in mind.
