8x8 / jaas_demo Goto Github PK

Hi I am implementing JaaS in our asp.net mvc website.
Could you also add normal .NET demo for creating jwt token?
The existing .NET demo is for .NET Core, and there's no such functions in .NET Framework.

Thanks

The documentation ( https://developer.8x8.com/jaas/docs/webhooks-signatures ) describes how we can check the signature from a webhook call, but a real code example would help with some of the questions we might have after reading the documentation.

For example:

"The X-Jaas-Signature header included in each signed event contains a timestamp and one or more signatures."

Why one or more signatures? Does another signature always mean another version/protocol or could the message body somehow be broken in several parts with separate signatures?

Split the header, using the comma “,” symbol as the separator, to get a list of elements. Then split each element, using the equals sign “=” as the separator, to get a prefix and value pair.

As the example value contains an equal sign (=) as part of the signature value, I'm wondering how to avoid removing that by accident with a simple String.split...

The signed_payload string is created by concatenating:

• the timestamp obtained from the header in the previous step (as a string).
• the character .
• the actual JSON payload (i.e., the request body).

Since this seems to refer to string concatenation, I'm wondering which specific options to use with JSON.stringify on the request body. Could I break the signature validation by using the wrong stringify settings?

To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.

Ummm.. what is constant-time string comparison and how do I do that? 😅

Anyway, a bit of sample code would be really fantastic. Thank you.

I have PHP 8.1 on Ubuntu 22.04 with Apache 2.4x. When I run the script, I do not get a JWT back. I get a blank screen and the error message above in the error log. Any idea what is causing that? I checked that the class is receiving the key from the key file on the server. Thank you.