Understanding and Resolving a JWT Encoding Issue in HealthShare

Question

Question

Yone Moreno · Nov 7, 2023

First of all, thanks for your time, and thank you; for reading, and answering this question.

We have been creating inside an HTTP Operation, a way to generate a JWT as follows:

	set header = "{""alg"":""HS256""}"
	$$$LOGINFO("header: "_header)
	set payload = "{""username"":"""_user_""", ""requestID"":"""_pRequest.idPeticion_"""}"
	$$$LOGINFO("payload: "_payload)
	set key = ##class(Util.TablasMaestras).getValorMaestra("PDF_LABORATORIO","secretKey_JWT")
	$$$LOGINFO("key: "_key)
	set base64header = $system.Encryption.Base64Encode(header)
	$$$LOGALERT("base64header: "_base64header)
	set base64payload = $system.Encryption.Base64Encode(payload)
	$$$LOGALERT("base64payload: "_base64payload)
	set unsignedToken =  base64header_"."_base64payload
	$$$LOGINFO("unsignedToken: "_unsignedToken)
	set signature = $SYSTEM.Encryption.HMACSHA(256, unsignedToken, key)
	$$$LOGINFO("signature: "_signature)
	set token = unsignedToken_"."_$system.Encryption.Base64Encode(signature)
	$$$LOGWARNING("token: "_token)

As a result, we get the following JWT: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imhvc3QiLCAicmVxdWVzdElEIjoiOTQwMzY4MiJ9.lOdaG4sqwjAym3TLb+Hc1mBm1ucuegogFB1TSRfEizE=

Which we paste to validate via this tool: https://jwt.io/

It shows a warning which states that is not being encoded as base64url, and padding "=" must be omitted:

However, when we extract the one provided by the System which has provided the documentation and steps to generate the JWT, I mean, if we get the JWT given as example in their simulator: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imhvc3QiLCJyZXF1ZXN0SUQiOiI5NDAzNjgyIn0.0LagsAfugccAlAiVyEQ2VbX8dODn0bCOixQROTAYG1I

When we validate it, it is valid:

Why is the warning in the JWT being created with HealthShare (the first one) being stated?

How could we understand it?

After understanding it, what is the recommended way to handle it?

🎯📖💭 Thanks for your time, help, and answers.

Sincerely thanks.

Product version: IRIS 2020.1

$ZV: IRIS for UNIX (Red Hat Enterprise Linux for x86-64) 2020.1.1 (Build 408U) Sun Mar 21 2021 22:21:14 EDT

Discussion (8)1

Log in or sign up to continue

score 0 · Answer 1 · 2023-11-07T07:18:12-05:00

Hello @Yone Moreno

Try removing the = after $system.Encryption.Base64Encode(). You can also check the %OAuth2.JWT class to as well.

do ##Class(%OAuth2.JWT).ObjectToJWT(.JOSE,body,,,.jwt)

score 0 · Answer 2 · 2023-11-07T08:59:11-05:00

Thanks @Ashok Kumar for your help and time.

The updated variant:

	set header = "{""alg"":""HS256""}"
	$$$LOGINFO("header: "_header)
	set payload = "{""username"":"""_user_""",""requestID"":"""_pRequest.idPeticion_"""}"
	$$$LOGINFO("payload: "_payload)
	set key = ##class(Util.TablasMaestras).getValorMaestra("PDF_LABORATORIO","secretKey_JWT")
	$$$LOGINFO("key: "_key)
	set base64header = $system.Encryption.Base64Encode(header)
	$$$LOGALERT("base64header: "_base64header)
	set base64payload = $system.Encryption.Base64Encode(payload)
	$$$LOGALERT("base64payload: "_base64payload)	
	set base64decode = $system.Encryption.Base64Decode(base64payload)
	$$$LOGALERT("base64decode: "_base64decode)
	set base64payloadNUEVO = $system.Encryption.Base64Encode(base64decode)
	$$$LOGALERT("base64payloadNUEVO: "_base64payloadNUEVO)
	
	
	set base64decodeFUNCIONA = $system.Encryption.Base64Decode("eyJ1c2VybmFtZSI6Imhvc3QiLCJyZXF1ZXN0SUQiOiI5NDAzNjgyIn0")
	$$$LOGALERT("base64decodeFUNCIONA: "_base64decodeFUNCIONA)
	set base64FUNCIONA = $system.Encryption.Base64Encode(base64decodeFUNCIONA)
	$$$LOGALERT("base64FUNCIONA: "_base64FUNCIONA)

	
	set base64payloadQuitarIgualFinal = $PIECE(base64payload,"=",1)
	$$$LOGALERT("base64payloadQuitarIgualFinal: "_base64payloadQuitarIgualFinal)	
	
	set unsignedToken =  base64header_"."_base64payloadQuitarIgualFinal
	$$$LOGINFO("unsignedToken: "_unsignedToken)
	
	set signature = $SYSTEM.Encryption.HMACSHA(256, unsignedToken, key)
	$$$LOGINFO("signature: "_signature)
	set bas64signature = $system.Encryption.Base64Encode(signature)
	$$$LOGINFO("bas64signature: "_bas64signature)
	
	set token = unsignedToken_"."_bas64signature
	$$$LOGWARNING("token: "_token)

Besides, comparing the one provided by the simulator which works, and the one which generates Ensemble; it is two thirds equals:

Header is exactly the same:

Payload is equal:

However the third one, the signature is not right.

We do not know why the lines which get the signature as a "HMAC-SHA256" are not ginving the proper and/or expected string:

	set signature = $SYSTEM.Encryption.HMACSHA(256, unsignedToken, key)
	$$$LOGINFO("signature: "_signature)
	set bas64signature = $system.Encryption.Base64Encode(signature)
	$$$LOGINFO("bas64signature: "_bas64signature)
	
	set token = unsignedToken_"."_bas64signature
	$$$LOGWARNING("token: "_token)

We would need as the simulator has provided: "0LagsAfugccAlAiVyEQ2VbX8dODn0bCOixQROTAYG1I"

However Ensemble outputs as a signature this one: "cvj48UMDm3jtp9amY7rO1eyXmutC9wjMZzREmQOGIL0="

--

How could we understand and solve this?

We have also read carefully:

https://community.intersystems.com/post/how-use-base64-encrypt-string-ex...

https://community.intersystems.com/post/hmac-authentication-problem

https://docs.intersystems.com/irisforhealthlatest/csp/documatic/%25CSP.D...

Could you help us, please?

score 0 · Answer 3 · 2023-11-07T11:59:33-05:00

I believe the simulator/JWT.io uses Base64UrlEncode instead of Base64Encode
The problem with Base64Encode is that it contains the characters + , / , and = ,. So Base64UrlEncode solves this by replacing + with - and / with _ .

score 0 · Answer 4 · 2023-11-08T03:55:52-05:00

Thanks @Ashok Kumar for your thoughts and time, trying to help us.

We have tested it, as follows:

	; 08/11/2023 We try to encode the signature with base64Url
	set base64urlSignature = ##class(%OAuth2.Utils).Base64UrlEncode(signature)
	$$$LOGASSERT("base64urlSignature: "_base64urlSignature)

It shows the following output:

base64urlSignature: cvj48UMDm3jtp9amY7rO1eyXmutC9wjMZzREmQOGIL0

So, you are right, it looks like it removes the "=" character at the end, because when we use:

	set bas64signature = $system.Encryption.Base64Encode(signature)
	$$$LOGINFO("bas64signature: "_bas64signature)

It shows us, the next outpout which contains "=" at the end:

bas64signature: cvj48UMDm3jtp9amY7rO1eyXmutC9wjMZzREmQOGIL0=

However it does not fix why the JWT's third part is different thant the one provided the simulator and tested with JWT.io

We think the difference is due to this line, the one which retrieves the signature:

	set signature = $SYSTEM.Encryption.HMACSHA(256, unsignedToken, key)
	$$$LOGINFO("signature: "_signature)

How could we understand, deeply understand, and solve this need?

Thanks for your help, time, and effort.

score 0 · Answer 5 · 2023-11-08T22:03:54-05:00

The jwt on the second image you provided seems to be also an incorrect verification

I think your modified jwt is the correct one (also requires base64url encoding, no final=)

score 0 · Answer 6 · 2023-11-08T22:04:25-05:00

Shanshan Yu · Nov 8, 2023

0 0

score 0 · Answer 7 · 2023-11-08T22:13:45-05:00

Shanshan Yu · Nov 8, 2023

This method can be used for baseURL encoding

$$$BASE64URLENCODE(token)

0 0

score 0 · Answer 8 · 2023-11-09T03:02:12-05:00

Yone Moreno · Nov 9, 2023

Thanks @Shanshan Yu
for your help, time, and explanations.

0 0