Matching GCS HMAC Key to incoming webhook request - google-cloud-storage

I'm working with BambooHR's webhook and it is currently uploading the output JSON file to my Google Cloud Storage Bucket.
Challenge is:
GCS won't accept the incoming request (webhook) when it's private. I have to manually set the bucket to public every time the webhooks run.
From BambooHR's documentation, webhooks can be secured using SHA-256 HMAC.
https://documentation.bamboohr.com/docs/webhooks
In GCS, I can't find straightforward documentation on how I can match my webhook's HMAC key to a GCS HMAC key. I searched for any discussion about this but can't find any.
I'm new to HMAC and I'm lost as to where I should start. Please advise. Thanks.

Related

Is there an online service that can be used to programmatically verify a RS256 signed OAuth2 JWT?

I'm receiving a JWT from Microsoft Azure, and I need to verify it on my server. The JWT is signed using RS256, i.e. using asymmetrical private/public key encryption.
I know that various libraries exist that can be used to verify a JWT signature directly from our backend server. But I'm curious if it wouldn't be possible to verify the JWT signature using an online service? Since it's using RS256 and not HS256, only public keys are involved in the verification process, no private keys or other secrets.
It seems like it would be simple to put up a REST service that can take an asymmetrically signed JWT, verify the signature and give back true/false. But when Googling I can't find any such services. Not even from big names in the JWT-world, like Auth0.
Why is that? Is there some security concern with letting another server verify the JWT signature?

Verifying webhook request signature for Google Conversation v3 API

When building a Conversational Action with the new Actions SDK or Action Builder, you can define a webhook to handle business logic. This webhook then receives fulfillment requests with the following headers, among others:
Google-Actions-API-Version: "3"
Google-Assistant-Signature: "eyJhbGciOiJSUzI1NiIsImtpZC..."
How should that signature be verified? It's a JWT claim, but the key ID with which it was signed does not exist in the GCP account linked with the Action, and is not mentioned in the new Actions SDK documentation or in the Node.js fulfillment library documentation.
The signature is a JSON Web Token, which is an encoded way of transmitting some assertions that have been signed in a verifiable way. There are libraries that will both decode and verify JWTs. The general steps (some of which you can cache or shortcut) are:
Decode the header to get the kid (key id) and the payload to get the iss (issuer) fields. You'll also want the nbf (not before) and exp (expiration) fields to verify this was set recently and the aud field to verify that it matches your Google Cloud project ID.
Based on the issuer, access the well-known OpenID configuration. Since the issuer is "https://accounts.google.com", you can access this at "https://accounts.google.com/.well-known/openid-configuration".
From the configuration document, you want the jwks_uri field, which is the URL to get the current JWT certificates. For Google, this is probably "https://www.googleapis.com/oauth2/v3/certs"
The certificate document should contain an array of keys. You want a key with the kid that matches the kid from the JWT. Note that these keys change frequently, but as long as you're within the window of the nbf and exp fields from the signature header, the key should exist in the certificate document.
With all this, you can then verify the signature portion of the JWT.

Issue with setting up integration of DocuSign with ServiceNow using Spoke of Integration Hub

I am in the process of evaluating the capabilities of DocuSign by integrating it with ServiceNow. If that works out well, we are going to take the licensing part forward for signup.
Link to ServiceNow Docs for using DocuSign Spoke of Integration Hub
DocuSign: https://developers.docusign.com/esign-rest-api/guides/building-integration
The issue here is: the steps are given in the DocuSign documents, but the relevant option isn't present in the DocuSign sandboxed instance. Basically I am not able to get the Client ID and Client Secret.
I am not really sure of the significance of giving the sandboxed instance if we can't do any integration.
Steps from Docusign
Snip from DocuSign Sandbox instance
Please provide any points on this integration and way forward to get it done.
Thanks.
You can do full dev integration with the Sandbox instance. First you need to know the Authentication Type to be used by your integration, which you can read about here. Once you know which Auth type to use, you can either follow Auth Code Grant, which will help you in creating an IntegratorKey (aka ClientId), SecretKey and Redirect URI. But if you want to do JWT, then you need to follow JWT Auth, which will guide you in creating an RSA Key Pair and Redirect URI.

Azure AD Signing Keys for JWT

When you use OpenID Connect with Azure AD, the JWT issued token (id token) is signed with an asymmetric key. I saw the public key to verify that signature is available in the metadata file, https://login.microsoftonline.com/common/discovery/keys. However, I couldn't find any documentation about how those keys are generated. How can you change the keys that are available there, or how can I specify a different key to sign the JWTs for my tenant?
All sources and information suggest that this certificate rollover is done by Azure AD itself. Consumers are not able to do a manual rollover or put in a certificate of their preference. This claim is supported by this answer. Also, please check this press release, which mentions a rollover that happened in 2016.
From your end you must be ready to accept a rollover at any time. Best practice is to fetch key information through the discovery document. This is explained in the OpenID Connect documentation.
According to this piece of documentation, the only way to have your own signing key for your application is custom claims mapping, although the description is very vague and instructions on how to do it are scarce.

Connect to Sharepoint using HTTP connector in Logic App

I'm trying to send a REST call (POST) from a Logic App in Azure to SharePoint, to create a document library for a given contact.
This is what the HTTP connector looks like in my Logic App:
What I primarily need help with is the OAuth authentication in order to send this REST call.
What do the following attributes mean in this context, what would be an example for each one, and how would I go about finding my proper values for my situation?
Tenant
Audience
ClientID
Secret
(Also, if anyone has a good suggestion for what URI/body I should use to accomplish this POST call, that would also be very helpful.)
Indeed, you can call the SharePoint REST API with Azure Logic Apps and Azure AD secured OAuth authentication. What you mainly miss is a certificate.
Create it like described here for instance.
Then you need the following parameters in your HTTP request:
Tenant: YourTenant.onmicrosoft.com
Audience: https://YourTenant.sharepoint.com
ClientID: GUID of your registered Azure App registration
Credential Type: Certificate
Pfx: Your whole certificate as a Base64-encoded string (for simplicity, open it with Notepad++ and convert to Base64 via Mime Tools)
Password: The password to your certificate
That way it worked for me. The next step would of course be to treat the parameters securely, such as your Base64 certificate, the password, or even the GUID of your app registration.