Question

3
Replies
817
Views
Close popover
Kensho Tsuchihashi (TSUCK)
PEGA
Project Delivery Leader
Pegasystems Inc.
JP
View Profile
TSUCK Member since 2010 126 posts
PEGA
Posted: June 1, 2018
Last activity: February 11, 2019
Closed

Need to use HS256 algorithm for sign with Jason Web Token (JWT)

Hi,

We need to integrate with external system from Pega 7.3.1 using Jason Web Token (JWT). In Pega Token Profile (DATA-ADMIN-SECURITY-TOKEN) instance, we can only select asymmetric algorithm attached below:

Customer's requirement is HS256 - that is one of a symmetric algorithm and that is a must. Is it possible to easily make it available? If it is not provided out-of-the-box, I need to know how we can custom build. Please let me know.

Thanks,

Data Integration Security
Close popover
Moderation Team has archived post
Posted: 2 years ago
Close popover
Arun Kumar Mahanty (Arun_Mahanty)
PEGA
Principal Technical Solutions Engineer
Pegasystems Inc.
IN
View Profile

You may try writing a custom java code in pyInvokeRest connector and  implement the HS256 API’s from  https://connect2id.com/products/nimbus-jose-jwt .


JWSObject jwsObject = new JWSObject(new JWSHeader(JWSAlgorithm.HS256),


                                    new Payload("Hello, world!"));


 


// We need a 256-bit key for HS256 which must be pre-shared


byte[] sharedKey = new byte[32];


new SecureRandom().nextBytes(sharedKey);


 


// Apply the HMAC to the JWS object


jwsObject.sign(new MACSigner(sharedKey));


 


// Output to URL-safe format


jwsObject.serialize();


 


Thanks,


Arun

Posted: 1 year ago
Close popover
Wilhelm Mauch (WilhelmM)
unymira USU GmbH
Senior Consultant
unymira USU GmbH
DE
View Profile

I also had the same problem as a external service required a HMac signed token. It's already time ago whe this quetion has been raised, but for the sec of somebody needs a complete solution.


This is a complete code which you can copy into a function rule and is should work immediately.


You need to include the following packages in your library which you will use for the fuction rule:


java.util.*


com.nimbusds.jwt.*


com.nimbusds.jose.*


com.nimbusds.jose.crypto.*


/* Code Block START*/


JWSObject signedJWT = null;

try{


  // Create the JSON JWT Header

  JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);

  

  // add expiration time (in milliseconds)

  long expL =  new Date().getTime();

  expL = expL+90000;


  // Create the JSON JWT Payload

  JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()

    .subject("/your Subject")

    .expirationTime(new Date(expL))

    .issueTime(new Date())

    .issuer("yourIssuer")

    .jwtID(key)

    .claim("uid", "some claims you want") // append as much as you want before calling build(), like .claim("","").claim("","") as the return is always the builder object.

    .build();


  signedJWT = new SignedJWT( header, claimsSet );


  // Sign with the HS256 key passed as the string parameter

  signedJWT.sign( new MACSigner(key.getBytes()) );

  

}

catch ( Exception e )

{

  oLog.infoForced("CustomUtils generate Token with HMac: " + e.getMessage() );

  return "";

}



return signedJWT.serialize();


/* Code Block END*/

Posted: 1 year ago
Close popover
Anandh Palanisamy (Anandh Palanisamy)
Ford Motor Company

Ford Motor Company
US
View Profile

Hi Wilhelm,


We have some issue with OpenId connect rule for SSO, the current implementation(import metadata) will support RS256, but we need to pass HS256.


Do you know which function(OOTB) i need to put the above code to make SSO works?


Regards,


Anandh
Share this page Share via LinkedIn Copying...
Copied!