JWT decoder & verifier module/webhook feature

A built-in module to decode and verify a JWT would open up so many development opportunities. I can decode a base64-encoded JWT but have not found a way to verify it using built-in tools.

Ideally this could be built into the Webhook module, and set a mappable value from the webhook module. The only requirement is that the token would need to be excluded from logging - and I'm not sure it's possible for a mappable value to be excluded from logging today.

You can create custom webhooks via custom apps where you can add in whatever validation/verification you want.

As far as I can tell, I can generate a JWT but I see nothing obvious to consume a JWT.

The application I’m trying to integrate sends a JWT when there is an event, which I need to validate and then use the token for authorization for API calls I make in response to the event.

Yup, should definitely be possible. But it's 100% event based? Meaning each API call you make is only in response to a single event?

The responses to events on that platform, yes. Each event on that platform sends a payload with values and a JWT, that JWT is tied to the triggering user on the platform so that any actions taken in response to it are performed as that user.

These events could also lead to API calls on other platforms, in which case the JWT doesn't matter - though the associated user does (simply as data in this case at least).

There are API calls triggered by events in other applications, which use a token obtained through OAuth2 to perform the action. I could use this token for all calls but the problem is the actions are not being performed by the originating user then.

Yes the JWT is encrypted.


Do the docs specify the verify process? If you can link to them I can take a peek and recommend a possible route forward. I've only found a few things that custom apps couldn't handle :smiley:

It's signed with HS256, just a normal JWT. I have the signing secret as a parameter when setting up the connection of the custom app. And I was mistaken, it's not encrypted.

Sadly it's a proprietary application I can't share documentation for (what there is in terms of the API). But I can manually verify the JWT outside Make easily enough. Just struggling with how to verify it in Make. (I decode from base64 to ASCII and get the token, I just want to verify the signature is correct.)

Sorry, I'm pretty new to custom apps here, forgive me. Maybe I'm missing something not having custom IML enabled yet.

No worries. Custom apps have a steep learning curve and the docs are lacking. I was asking for the docs as I'm not super familiar with JWT, so wasn't sure what processes you needed to follow for verification.

Have you looked at the JWT docs? JWT - Make Apps


Yeah, unfortunately the docs only cover generating a JWT (what the application is sending me), not consuming one (which is where I need to verify the signature created by the method in the help you linked to). So the other half of the process :slight_smile:

I should add I only have limited experience with this in general myself :frowning:

Hold on… I think it's dawning on me that it's the same thing on either side of the equation. My brain is hung up on encryption and it's just a hash, which will be the same on either side as long as I have the key.

Sorry for the distraction, sometimes you just have to talk through it!


Let me know how it shakes out :smiley:

I'm reviving this topic – as a relatively new Make Partner, I have already come across two enterprise opportunities where being able to decrypt a JWT token using a private key and RSA decryption is needed. From searching the Make Idea Exchange and this thread I stumbled onto, it seems like the need is getting lost because of the number of independent requests… so there is no single request/suggestion that is getting up-voted enough.