ozzi- / JWT4B

JWT Support for Burp
GNU General Public License v3.0

Add Ms Office365 JWT, fixes hex key conversion error. #73

Closed virusvfv closed 2 years ago

virusvfv commented 2 years ago
  1. Fix an error with converting from a hex string in case the hex key contains some non-ASCII bytes. When the hex string contains some non-ASCII bytes, the expression `key = new String(Hex.decodeHex(key));` gives an incorrect transform, so the key will be wrong. The correct expression will be: `key = new String(Hex.decodeHex(key),StandardCharsets.ISO_8859_1);`

  2. Add Microsoft Office365 JWT support. When Windows logs in to Microsoft services, the AADCore dll uses the ctx field in the JWT header to derive signing keys (in case of kdf_ver:1) and ctx+payload (in case of kdf_ver:2). Kdf_ver 2 (key derivation function) is used in Windows ver >= 10.19043. So with these commits JWT4B can derive signing keys and sign Office365 JWTs with supplied session keys in hex (with 0x prefix). U can read more about session keys and MS JWT in DirkJanm's research (https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)

ozzi- commented 2 years ago

Hi @virusvfv Thanks for the PR. Always using ISO_8859_1 seems a bit weird, I can imagine use cases where i.e. UTF-8 is needed. I suggest adding it to config.json, what do you think?

Concerning o365, do you have any URL where I can get this? Or the example request / response?

Cheers!

virusvfv commented 2 years ago

According to the code, ISO_8859_1 is used only if: 1) `if (key.startsWith(HEX_MARKER)` - the user assumes that the key is a HEX key. 2) if an Office 365 JWT is used. In that case the key is always a HEX key. In other cases the key is used as a UTF-8 string, because the Auth0 library converts a string key to bytes[] using UTF-8 (U can look at it inside the auth0 code). So I think that there is no need to add additional checks in config.

Concerning o365... If U want to play with o365 auth, U have to authorize the MS Office application (MS Word, Excel, Onedrive, etc) to any Microsoft account and look inside its requests. U will find the access JWT inside the requests. If your Windows version is >=10.19043, U will see kdf_ver:2 in the JWT header.
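
An added example (not code from this PR or from JWT4B) illustrating the hex-key conversion issue discussed in this thread: carrying raw key bytes through a Java `String` is lossless only when a single-byte charset is used in both directions. The class name, sample key and signing input are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HexKeyCharsetDemo {
    // Decode a hex string (without the 0x prefix) into raw bytes.
    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // HS256 signature over an ASCII JWS signing input.
    static String hs256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return toHex(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key; 0xff, 0x80 and 0xc3 0x28 are not valid UTF-8.
        byte[] raw = fromHex("00ff80c3287f41");
        // Constructed signing input: base64url({"alg":"HS256"}) + "." + base64url({"sub":"demo"}).
        String input = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0";

        // UTF-8 decoding replaces each invalid sequence with U+FFFD, so bytes are lost.
        // (new String(bytes) without a charset uses the platform default, UTF-8 since JDK 18.)
        byte[] viaUtf8 = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
        // ISO-8859-1 maps every byte 0x00..0xff to one char, so the round trip is exact.
        String latin1 = new String(raw, StandardCharsets.ISO_8859_1);
        byte[] viaLatin1 = latin1.getBytes(StandardCharsets.ISO_8859_1);
        // Exact only if the same charset is used on the way back: UTF-8 widens chars >= 0x80.
        byte[] latin1AsUtf8 = latin1.getBytes(StandardCharsets.UTF_8);

        System.out.println("raw key        : " + toHex(raw) + " sig " + hs256(raw, input));
        System.out.println("UTF-8 trip     : " + toHex(viaUtf8) + " same=" + Arrays.equals(raw, viaUtf8));
        System.out.println("Latin-1 trip   : " + toHex(viaLatin1) + " same=" + Arrays.equals(raw, viaLatin1));
        System.out.println("Latin-1->UTF-8 : " + toHex(latin1AsUtf8) + " same=" + Arrays.equals(raw, latin1AsUtf8));
        System.out.println("signatures match (raw vs UTF-8 trip): "
                + hs256(raw, input).equals(hs256(viaUtf8, input)));
    }
}
```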

ozzi- commented 2 years ago

Hi @virusvfv

Please check https://github.com/ozzi-/JWT4B/commit/8b6d7132f737423332e1d85772b57787a4e8b974 src/app/controllers/JWTInterceptTabController.java and src/app/helpers/O365.java

I removed some unneeded variables in your code (i.e. boolean o365) and changed the string equals to actual JSON parsing.

I would be very glad if you could check if this build works as you intended it: JWT4B-jar-with-dependencies.zip

virusvfv commented 2 years ago

Hi, @ozzi-! I checked it. It works well! Good job. Thanks!

ozzi- commented 2 years ago

Thank you for your fast response! I merged it into main https://github.com/ozzi-/JWT4B/pull/76