[squeak-dev] [ANN] ModifierKeysMorph & WebClientOAuth2 (Zinc-SSO port)

Ben Coman btc at openinworld.com
Sat Jun 13 18:25:55 UTC 2020

On Sun, 14 Jun 2020 at 01:40, Tim Johnson <digit at sonic.net> wrote:

> On Jun 11, 2020, at 6:39 PM, Levente Uzonyi <leves at caesar.elte.hu> wrote:
> It is useful for SSO.  But for automated workflows, where human
> intervention is undesired, there is another type of OAuth2 which may be
> called "server to server" or apparently "two-legged OAuth":
> https://developers.google.com/identity/protocols/oauth2/service-account
> I tried and failed to implement this last year.  Where I failed was in
> computing the JSON Web Signature (JWS).  I could generate JWTs
> successfully*, but JWSs for Google require "SHA256withRSA (also known as
> RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function)" which requires one
> very specific algorithm missing from SqueakSSL and which I simply could not
> engineer on my own at the time (or perhaps ever — I might just not be
> smart enough ;) ).  I was able to get as far as crafting the JSON in
> Squeak and then signing using Python's implementation of the algorithm and
> it would work.
> If we could get server-to-server OAuth2 using WebClient, that would also
> allow us to, say, connect to Google Drive directly from Squeak, or be a
> client of Google Cloud Platform / Compute Engine, etc.  I think that would
> be very cool.
> Sadly, I seem to recall this type of OAuth (and thus this algorithm) would
> also be necessary for GitHub/GitLab.
> The Cryptography package seems to have this stuff implemented, though I
> haven't verified the results. Here's how to use it:
> Let's say privateKey is an RSAPrivateKey with your private key (See class
> side methods and RSAPrivateKeyFileReader how to initialize it) and message
> is your serialized json to sign. Then
> privateKey v15SignMessageHash: (HashFunction newSHA256 digestInfoAsn1DerEncodingFromMessage: message)
> should return the signature.
> Thank you Levente.  When I mentioned algorithms I was hoping you might
> respond.  :)
> I found my old JWT code from last year on GitHub:
> https://github.com/tcj/beaufort      (Oh no, it contains an old email
> address of mine in one of its tests...)
> I loaded Cryptography into an image so I could run my tests again, and
> noticed that the Cryptography package has seen a lot of work this year.
> Thanks for that.
> So:  the tests I wrote last year (with a small change) pass now.  This
> could be very good news and may be worth further investigation.  Thank you
> again!  I will update my tests (& remove my old email address...?) and
> upload a new version of this package.
> I am reminded that the issue I'd encountered last year was that HS256
> could work, but RS256 could not.  Now, unit tests are passing for both.
> (My BfJWTRFCTest>>#testConversion is not passing so I'll need to look into
> that.)
> Here is the gist of my JWT signing code:
> BfJWT>>#signedWith: aKey
>     | headerAndClaims |
>     self secret: aKey.
>     headerAndClaims := self headerAndClaims.
>     ^ '{1}.{2}' format: { headerAndClaims . self signatureFrom: headerAndClaims }
> ... #signatureFrom: is implemented differently for HS256 versus RS256
> subclasses of BfJWT.  My RS256 encoding was like this:
> BfRS256>>#signatureFrom: aString
>     | signedMessage hashed privateKey |
>     privateKey := (Pkcs12PrivateKeyFileReader fromFile: 'timj-project-mar-2019-a94d67a8d0c8.p12') asPrivateKey.
>     signedMessage := privateKey signMessage: aString.
>     hashed := SHA256 new hashStream: signedMessage readStream.
>     ^ hashed base64UrlEncoded
> A year ago, I could have described how & why it wasn't working... but that
> information has left my brain now.
> For what it's worth, Norbert Hartl's JSONWebToken also lacks support for
> this RS256 encoding format.
> https://github.com/noha/JSONWebToken/commit/4a4d20eaa6e84e2676a577f74bc6e24c1ead0047
> It seems to be a common issue around the internet that people find RS256
> very difficult.

Just to round out options (but note, this was using Pharo)...

A couple of months ago I needed JWT RS256 for Google OAuth.
Asking around I was advised that it was working in the following branch...

Although I didn't end up using that directly, but got JWT RS256 working as
part of...

cheers -ben
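Added for reference, and not code from this thread, from the Squeak Cryptography package, or from any of the Pharo branches mentioned: a stand-alone Python rendering of what RS256 actually is (RSASSA-PKCS1-v1_5 over SHA-256, RFC 8017 section 8.2 and RFC 7518 section 3.3), chosen because Tim notes that Python's implementation produced signatures Google accepted. It uses only the standard library so that the two pieces Levente's snippet names are visible in the clear: the DER DigestInfo prefix that `digestInfoAsn1DerEncodingFromMessage:` supplies, and the PKCS#1 v1.5 padding plus private-key operation that `v15SignMessageHash:` performs. The RSA key is generated at run time at a demo size, the claim values are constructed sample values (not a real service account), and the `sign_then_hash_mistake` function exists only to show why the order of operations in the quoted `BfRS256>>#signatureFrom:` cannot verify: it goes beyond the thread by including the verifier side as well.

```python
# Added example, not code from this thread or the Squeak Cryptography package: RS256
# (RSASSA-PKCS1-v1_5 over SHA-256, RFC 8017 / RFC 7518) with only the Python standard
# library, so the DigestInfo prefix and padding are visible. Demo-size key, constructed claims.
import base64
import hashlib
import hmac
import json
import math
import secrets

# DER of DigestInfo {sha256, OCTET STRING(32)} without the 32 digest bytes (19 bytes).
SHA256_DIGEST_INFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    """JOSE base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo, exactly k bytes long."""
    t = SHA256_DIGEST_INFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:  # top bit set for exact size, low bit set for odd
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024, e: int = 65537):
    """Demo-sized (n, e, d); production keys are >= 2048 bits from a vetted library."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1 and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, phi)

def rsa_sign(priv, message: bytes) -> bytes:
    """Hash, pad, then apply the private exponent: the RS256 order of operations."""
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, message: bytes, signature: bytes) -> bool:
    """Recover EM with the public exponent and compare it to a fresh encoding."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(message, k))

def _segments(claims: dict):
    compact = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return b64url(compact({"alg": "RS256", "typ": "JWT"})), b64url(compact(claims))

def sign_jwt_rs256(priv, claims: dict) -> str:
    """header.payload is the signing input, as in the quoted '{1}.{2}' format: call."""
    header, payload = _segments(claims)
    return f"{header}.{payload}.{b64url(rsa_sign(priv, f'{header}.{payload}'.encode()))}"

def verify_jwt_rs256(pub, token: str) -> bool:
    try:
        header, payload, sig = token.split(".")
        return rsa_verify(pub, f"{header}.{payload}".encode(), b64url_decode(sig))
    except ValueError:  # wrong segment count or undecodable base64url
        return False

def sign_then_hash_mistake(priv, claims: dict) -> str:
    """Same ORDER as the quoted BfRS256>>#signatureFrom: (sign, then SHA-256 the
    signature, then base64url): the third segment is a 32-byte digest, not an RSA
    signature, so no RS256 verifier can accept it."""
    header, payload = _segments(claims)
    digest = hashlib.sha256(rsa_sign(priv, f"{header}.{payload}".encode())).digest()
    return f"{header}.{payload}.{b64url(digest)}"
```

Usage: `key = generate_rsa_key(); token = sign_jwt_rs256(key, claims)` and `verify_jwt_rs256(key[:2], token)` returns True, while `verify_jwt_rs256(key[:2], sign_then_hash_mistake(key, claims))` returns False. The third JWT segment has to be the base64url of the full RSA signature (128 bytes for this demo key), never of a digest, and that signature is computed over the literal ASCII `header.payload` string, not over the JSON. Anything verifying against Google's endpoint would need a real 2048-bit service-account key loaded through a vetted library rather than the pure-Python arithmetic above.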