How to decode an Azure Access Token in IRIS?

Question

Question

Utsavi Gajjar · May 10, 2021

Hello,

I am trying to find out if it is possible to decode the Azure access token in IRIS. Has anyone ever tried this before? I need to decode the token to extract the "Scope" details in order to verify the scope to make sure client is permitted to do the request they have done.

If you could point me to any information, that'd be great.

Thank you.

Utsavi

Product version: IRIS 2020.1

Discussion (7)0

Log in or sign up to continue

Dmitry Maslennikov · May 11, 2021

Yeah, sure, it's quite simple to do. JWT tokens contain three parts separated by a pointer sign.

Header, with the algorithm of the signature and the type of token
Payload, any data in JSON format
Signature needs to verify the token

All of those parts are encoded with Base64

  Set token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" 

  #; Extract parts of the token
  Set $ListBuild(header, payload, sign) = $ListFromString(token, ".")

  #; Decode and parse Header
  Set header = $System.Encryption.Base64Decode(header)
  Set header = {}.%FromJSON(header)
  Write !,"header"
  Write !,"alg = ",header.alg
  Write !,"typ = ",header.typ

  #; Decode and parse Payload
  Set payload = $System.Encryption.Base64Decode(payload)
  Set payload = {}.%FromJSON(payload)
  Write !!,"data"
  Write !,"name = ", payload.name 
  Write !,"iat = ", payload.iat

1 1

score 0 · Answer 1 · 2021-05-10T03:28:47-04:00

Do you mean the OAuth2 token?

If so, did you use the native OAuth2 support in Caché/IRIS?

This JWT Debugger may help to understand what's inside the token stored.

score 0 · Answer 2 · 2021-05-10T05:18:00-04:00

Hi Dmitry,

Thanks for your reply. Yes the OAuth2 token. I haven't setup anything for OAuth2 on IRIS end. In our case, the REST APIs we are building in IRIS are exposed to consumer apps via IAM and Azure. IAM takes care of the OAuth2 Authentication. Client Request then flows through to IRIS which is when I need to introspect the access token to read the "Scope".

I came across the following method, is that something I can utlise?

set sc=##class(%SYS.OAuth2.AccessToken).GetIntrospection("demoresource",accessToken,.jsonObject)

score 1 · Answer 3 · 2021-05-10T05:37:10-04:00

Most of the code related to OAuth2 in IRIS, supposed that you have configured OAuth2 Client, and uses this information to validate and extract data from the token. And this particular method will expect OAuth2 client with the name "demoresource".

I'm not sure how InterSystems supposed to get it worked together with IAM. But I have an example, of extracting data from the JWT token, without any configuration. Look at this code. In this class, I can generate tokens and validate them, as well as pass any data to generating tokens, and extract it. But it also uses a secret phrase to validate the token. And depends on the algorithm, it will require just a simple string as a secret phrase, or a public and private key.

And try the suggested JWT debugger, which may help you in understanding, what's exactly stored in the token and used algorithm for the key.

score 0 · Answer 4 · 2021-05-10T05:40:11-04:00

Thanks a lot Dmitry. I will follow your example code and see if that works for me. Will update you on how I go.

score 0 · Answer 5 · 2021-05-11T02:01:04-04:00

Hi Dmitry,

I am trying out the sample code you supplied. It seems that you have to supply a Secret Key in order to decode the token using ##class(%OAuth2.JWT).JWTToObject(). If I put my sample token on jwt.io , it decodes it without me having to supply the key.

Can we decode the token from IRIS without having to supply the public or private key ?

score 0 · Answer 6 · 2021-05-11T06:36:52-04:00

Utsavi Gajjar · May 11, 2021

Oh that is Perfect mate !! Thanks so much :)

0 0