microsoft / BCApps

Repository for collaboration on Microsoft Dynamics 365 Business Central applications.
https://microsoft.github.io/BCApps/
MIT License

[BC Idea]: Get the claims from a SecretText JWT Token #2296

Open jwikman opened 2 weeks ago

jwikman commented 2 weeks ago

BC Idea Link

https://experience.dynamics.com/ideas/idea/?ideaid=e565077f-7b98-ef11-95f5-7c1e526e605f

Description

When troubleshooting OAuth and trying to figure out why an AccessToken is not being accepted by the resource you are trying to use it on, we were previously able to get the AccessToken in plain text and put it into jwt.ms (or any other similar tool) to parse the token and look into all the claims (see https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims for more information).

Looking at the claims often explains why it does not work, like missing scopes, new configuration not in effect yet (things get cached a lot nowadays), etc.

With the switch to SecretText in the OAuth2 module, we cannot get the AccessToken in plain text. Hence, we cannot parse the AccessToken to get the claims. :(

I suggest a new function in the OAuth2 module that has the AccessToken (SecretText) as parameter and returns the claims as a JsonObject.

On top of that we could also add new functions that return common claims in an easier way, like expiration time (requested in https://experience.dynamics.com/ideas/idea/?ideaid=41f5d251-1a59-ee11-a81c-0022484c1d83).

I will provide the implementation for this BC Idea
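What a "get the claims" helper does under the hood, as an added example in Python (this is not the OAuth2 module's AL code and not the draft PR): split the compact JWT on dots, base64url-decode the second segment (restoring the padding that JWTs strip), parse it as JSON, and expose convenience accessors such as the expiration time and the delegated scopes. In Business Central the module would unwrap the SecretText first; here the token is a plain string. The sample token, its claims, tenant and audience values are constructed placeholders, not real Entra ID data.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding (RFC 7515 section 2);
    # restore the padding or the standard library decoder rejects them.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def get_claims(token: str) -> dict:
    """Decode the payload of a compact JWT and return its claims as a dict.

    Decoding only: the signature is NOT checked. That is exactly what jwt.ms
    does and is fine for troubleshooting, but unverified claims must never be
    used to make an authorization decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"not a compact JWT: expected 3 segments, got {len(parts)}")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as err:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass ValueError
        raise ValueError(f"JWT segment is not base64url-encoded JSON: {err}") from err
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("JWT header is not a JSON object with an 'alg' member")
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def get_expiration(token: str) -> int:
    """Return the 'exp' claim as Unix seconds (an RFC 7519 NumericDate)."""
    exp = get_claims(token).get("exp")
    if not isinstance(exp, int):
        raise ValueError("token carries no integer 'exp' claim")
    return exp


def is_expired(token: str, now: Optional[int] = None, leeway: int = 0) -> bool:
    """True once 'exp' has passed; 'leeway' tolerates clock skew between issuer and consumer."""
    if now is None:
        now = int(time.time())
    return now >= get_expiration(token) + leeway


def get_permissions(claims: dict) -> dict:
    """Separate delegated scopes from application roles.

    Entra ID puts delegated permissions in 'scp' as one space-separated string
    and application permissions in a 'roles' array. An empty list where you
    expected an entry is the classic "missing scope" finding.
    """
    scp = claims.get("scp", "")
    roles = claims.get("roles", [])
    return {
        "scp": scp.split() if isinstance(scp, str) else [],
        "roles": list(roles) if isinstance(roles, list) else [],
    }


def make_sample_token(claims: dict) -> str:
    """Build a structurally valid JWT with a dummy signature (constructed test data only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    ]
    return ".".join(segments) + "." + _b64url_encode(b"not-a-real-signature")


# Constructed claims shaped like an Entra ID v2.0 access token; every value is a placeholder.
SAMPLE_CLAIMS = {
    "aud": "api://constructed-resource",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "iat": 1700000000,
    "nbf": 1700000000,
    "exp": 1700003600,
    "scp": "Files.Read Sites.Read.All",
    "tid": "00000000-0000-0000-0000-000000000000",
    "azp": "11111111-1111-1111-1111-111111111111",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)


if __name__ == "__main__":
    claims = get_claims(SAMPLE_TOKEN)
    print(json.dumps(claims, indent=2))
    print("permissions:", get_permissions(claims))
    print("expires at (unix):", get_expiration(SAMPLE_TOKEN), "expired now:", is_expired(SAMPLE_TOKEN))
```

Two practical notes. First, decoding is not validation: a helper like this tells you what the issuer put in the token, not whether the token is genuine, so it belongs in diagnostics only. Second, the decoded claims often carry identifying data (user principal name, object id, tenant id); if they are written to a log or telemetry for troubleshooting, treat that output with the same care as the plain-text token the SecretText change was meant to hide.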

JesperSchulz commented 1 week ago

@WaelAbuSeada / @darjoo, is this justifiable from a security perspective? Please triage.

jwikman commented 1 week ago

@WaelAbuSeada / @darjoo, I can create a draft PR for this if you want to see the implementation approach before making a decision on this?

JesperSchulz commented 1 day ago

> @WaelAbuSeada / @darjoo, I can create a draft PR for this if you want to see the implementation approach before making a decision on this?

That sounds like a good path forward! Let's do that 😊

jwikman commented 1 day ago

Ok, here's the draft: #2363

Not that much code, but essential when troubleshooting OAuth issues 🙂 More than once, this has shown that recent changes in the app registration were not being used yet...

JesperSchulz commented 13 hours ago

Draft went through security review. Issue approved.

jwikman commented 13 hours ago

> Draft went through security review. Issue approved.

Cool, thanks!

Happy Friday! 🥳