Using OAuth 2.0 for Server to Server Applications - json

The examples provided are for Java and Python. I would like an example for VB.NET. I am particularly interested in the JSON Web signature piece.
"Sign the UTF-8 representation of the input using SHA256withRSA (also
known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with
the private key obtained from the Google Developers Console. The
output will be a byte array."
Can this be done in VB.NET?

I've personally used Jose-JWT and find it meets all my needs for generating and decoding JWTs. It's available through NuGet. While I haven't looked at the JWS spec you might find this library as a good starting point.

Related

Apache Nifi, how to get JSON from API

I've started using Apache Nifi and I'm still learning it and experimenting with it. I really want to use Nifi to get JSON documents from APIs and put them in my Elasticsearch database. So far using the built-in getTwitter and putElasticsearch controllers this works.
However now I want to do this with other APIs than Twitter, and I'm kinda stuck here. First off I really don't even know which controller to use? I would think getHttp or invokeHttp even with 'GET' as http verb then but it doesn't seem to work. If I use the getHttp I have to give an SSL service with keystore and truststore .. like why would I have to do that?
Apache Nifi is still quite new so hard to find decent guides / information about these kinds of things. I have read and searched the documentation but haven't gotten the wiser.
An example JSON to pick up from an API is:
https://api.ssllabs.com/api/v2/getEndpointData?host=www.bnpparibasfortis.be&s=193.58.4.82
Thanks in advance for anyone that can offer some help / insight.
What processor you use to get the JSON data is entirely dependent on the API you want to hit. The GetHttp or InvokeHttp processors should work to grab the data from a URL. If you'll notice, the SSL service is an optional property for both GetHttp and InvokeHttp so you only need to use it when you want to communicate via HTTPS. Also, from the UI you can right click on a processor and then click "usage" to bring up the documentation for that processor.
At this link[1] you can find a NiFi template that uses GetHttp to get JSON data from randomuser.me and does various processing on it. It's primarily a template to show-case the different Avro processors but the method of grabbing the JSON should be relevant.
[1] https://github.com/hortonworks-gallery/nifi-templates/blob/master/templates/Convert_To_Avro_From_CSV_and_JSON.xml

Signature not valid

So I am using Amazon's Product Advertising API and getting SignatureDoesNotMatch everywhere I turn.
The problem is not with my code because I have started using this scratchpad < http://associates-amazon.s3.amazonaws.com/scratchpad/index.html >
What gives? I have created a credential in AWS like all others - what else do I need to do or why is this just failing?
The full error is as follows:
<?xml version="1.0"?>
<ItemLookupErrorResponse xmlns="http://ecs.amazonaws.com/doc/2011-08-01/"><Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
</Error>
<RequestId>a89715b8-8e81-4d33-ad94-b85c92fb0631</RequestId></ItemLookupErrorResponse>
I found signing requests to be painful. I finally got it to work by reading the documentation carefully and using the Signed Requests Helper tool.
The documentation
https://docs.aws.amazon.com/AWSECommerceService/latest/DG/prod-adv-api-dg.pdf
outlines the steps starting on page 55. My problem was getting the url encoding right. Also, as vinayr mentioned, the parameters do have to be in a specific order (byte order, I think).
HOWEVER, the available library makes everything waaaaay easier. I've been using it for weeks now. It converts the XML responses into an object that holds all the data and is easy to use.
I recently answered the question here:
https://stackoverflow.com/a/33617604/5543992

in SAS: create a JSON Web Signature for Google API

I am using SAS 9.4. I want to write a JSON Web Signature ("JWS") to complete my JSON Web Token ("JWT") - (I already have the header and claims encoded and tested). I would like to make API calls to Google. My problem is that I am not certain how to create the JWS. Per all the docs and tutorial web sites I have researched the syntax to create the signature is (pseudo-code):
encodedContent = base64UrlEncode(header) + "." + base64UrlEncode(payload);
signature = hashHmacSHA256($encodedContent);
and/or
var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
HMACSHA256(encodedString, 'secret');
etc.
I have been attempting to create the JWS using SAS PROC GROOVY code found here:
https://gist.github.com/FriedEgg/79ad315afa1b315e8ac3
...and other places.
Google's doc (https://developers.google.com/identity/protocols/OAuth2ServiceAccount) states:
"Sign the UTF-8 representation of the input ('{Base64url encoded header}.{Base64url encoded claim set}') using SHA256withRSA (also known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from the Google Developers Console. The output will be a byte array."
However, I am confused about what key to use (or whether I should be using a key) as some sites (example above) just suggest hashing the encoded header+claims while others suggest hashing using a "secret key" while say "private key" - and the github page (URL above) just uses a "key".
I am also confused about sha1 vs. sha256. The Google docs state sha256 but some have suggested sha1 in this Stack Overflow thread: questions/18362327/creating-digital-signature-usining-sas-for-google-api-geocode
Again, I have verified my header and claims SAS code work using:
jwt dot io
and
kjur dot github dot io/jsjws /tool_jwt.html
Since SAS supports Groovy (PROC GROOVY) I assume that I can write my JWT successfully using Java code but I have not yet been able to replicate any JWT in my SAS code using examples found on the sites I have mentioned above and others.
Has anyone ever done this before (using SAS to connect to Google APIs using JWT)?
Any help is appreciated!
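An added example (not from any of the posts above) for both this question and the VB.NET question at the top of the page: the same JWS signing input signed the HS256 way, with a shared secret through HMAC, and the RS256 way Google's text describes, with RSASSA-PKCS1-v1_5 over SHA-256 and a private key. The RSA arithmetic is spelled out in plain Python only to show what "SHA256withRSA" computes; the key is a constructed demo key built from two published primes, and the claim values are constructed.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # JWS uses base64url with the trailing "=" padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def signing_input(header: dict, claims: dict) -> bytes:
    enc = [b64url(json.dumps(p, separators=(",", ":")).encode("utf-8"))
           for p in (header, claims)]
    return ".".join(enc).encode("ascii")

def hs256(msg: bytes, secret: bytes) -> bytes:
    # "HMACSHA256(input, secret)": symmetric, the verifier holds the same secret
    return hmac.new(secret, msg, hashlib.sha256).digest()

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    # SHA256withRSA: pad the digest, then apply the private exponent
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(msg, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))

# Constructed demo key from two published primes: public, 511-bit, unsafe.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def make_jwt() -> str:
    # Constructed claim values; a real claim set comes from your service account
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": "demo@example.iam.gserviceaccount.com",
              "aud": "https://oauth2.googleapis.com/token",
              "iat": 1700000000, "exp": 1700003600}
    msg = signing_input(header, claims)
    return msg.decode("ascii") + "." + b64url(rs256_sign(msg, N, D))
```

With a real service-account key the signing step belongs to the platform's RSA API (the .NET or Java crypto classes); the signing input and the base64url step stay the same.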

How to use Delphi to sign REST requests using HMAC-SHA256

I'm attempting to query an REST service with fairly limited idea of how to approach it.
I'm using Delphi XE6 (upd 1)
The company providing the API have said that: "The API is implemented as JSON via SSL"
and they go on to say that:
Access to any API endpoint requires authentication via signed requests, created with public and secret API
keys
I have the keys defined above.
The signature is an HMAC-SHA256 hash of a string containing the request content-type, host,
URL, date timestamp (matching the request Date header) and request content (eg POST
parameters) separated by a single newline, and passed with the public key in a custom header
X-API-Authorization along with the public key, in the format PUBLICKEY:SIGNATURE
I understand each request needs to be signed.
How do I sign an http request with Delphi XE6?
The confusion for me at the moment is it seems Delphi has a number of built-in components for accessing REST servers and parsing the JSON returned. I can't see any obvious way of signing requests using these components.
Specifically is there any help from the built-in Rest components or do I have to provide my own solution?
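The signing scheme quoted in the question, worked through in Python as an added example (not from the post or from the API provider), with the receiver's check included to show why the signed date must match the Date header. The hex encoding of the signature, the use of the path as the "URL" field, and all keys, hosts and request values are assumptions constructed for illustration.

```python
import hashlib, hmac

def string_to_sign(content_type, host, url, date, body):
    # Field order follows the quoted spec; exactly one "\n" between fields
    return "\n".join([content_type, host, url, date, body]).encode("utf-8")

def signature(secret_key, content_type, host, url, date, body):
    msg = string_to_sign(content_type, host, url, date, body)
    # Assumption: hex output; the quoted spec does not name an encoding
    return hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()

def signed_headers(public_key, secret_key, content_type, host, url, date, body):
    sig = signature(secret_key, content_type, host, url, date, body)
    return {"Content-Type": content_type, "Host": host, "Date": date,
            "X-API-Authorization": f"{public_key}:{sig}"}

def server_accepts(headers, url, body, secrets):
    # The receiver recomputes the HMAC from the headers and body that arrived
    public_key, sep, sent = headers.get("X-API-Authorization", "").partition(":")
    secret = secrets.get(public_key)
    if not sep or secret is None:
        return False
    expected = signature(secret, headers.get("Content-Type", ""),
                         headers.get("Host", ""), url,
                         headers.get("Date", ""), body)
    return hmac.compare_digest(sent.encode("utf-8"), expected.encode("utf-8"))

# Constructed sample key pair and request
SECRETS = {"PUBKEY123": "constructed-secret"}
REQ = dict(content_type="application/x-www-form-urlencoded",
           host="api.example.com", url="/v1/orders",
           date="Tue, 14 Nov 2023 22:13:20 GMT", body="item=42&qty=1")

def demo():
    h = signed_headers("PUBKEY123", SECRETS["PUBKEY123"], **REQ)
    ok = server_accepts(h, REQ["url"], REQ["body"], SECRETS)
    # Body changed after signing: the recomputed HMAC no longer matches
    tampered = server_accepts(h, REQ["url"], "item=42&qty=9", SECRETS)
    # Date header differs from the date that was signed
    redated = server_accepts({**h, "Date": "Wed, 15 Nov 2023 22:13:20 GMT"},
                             REQ["url"], REQ["body"], SECRETS)
    return ok, tampered, redated
```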

What is JSONC? Are JSONC and JSON-C different?

Recently came across the term JSONC in a YouTube API. I browsed the Web, but found nothing much about it. Can someone explain whether these two are the same or different?
There is also jsonc aka "JSON with comments", created by Microsoft and used by Visual Studio Code. The logic for it can be found here, alas without exhaustive specification (though I'd like to be proven wrong on this).
On top of that there is this project with an actual specification which is also called jsonc, but also does far more than just adding comments.
While there definitely is a use for these technologies, some critical thinking is advised. JSON containing comments is not JSON.
JSON-C seems to just be a variation of JSON mainly targeted at C development. I.e., from the open source docs, "JSON-C implements a reference counting object model that allows you to easily construct JSON objects in C, output them as JSON formatted strings and parse JSON formatted strings back into the C representation of JSON objects."ref^1
From the YouTube API perspective (specifically, version 2, not the new version 3), The JSON-C response is just a condensed version of the JSON response (removing "duplicate, irrelevant or easily calculated values").ref^2
Why would the JSON response have "duplicate, irrelevant or easily calculated values" anyway? Because it is converting the original ATOM XML format directly to JSON in a lossless conversion. You can find out more details here.
However, I would suggest using version 3 of the YouTube Data API. It is much easier to use. =)
JSONC is an open-source, JavaScript API created by Tomás Corral Casas for reducing the size of the amount of JSON data that is transported between clients and servers. It uses two different approaches to achieve this, JSONC.compress and JSONC.pack. More information can be found on the JSONC Github page:
https://github.com/tcorral/JSONC