Using SDK for signature validation
We recommend starting with our SDK section for authentication for any SDK trying to connect to Identity v4. We recommend the following libraries for token signing/verification.
You can fetch the JWK’s public URI from our well-known configurations here:
- Production:
https://id.trimble.com/.well-known/openid-configuration - Staging:
https://stage.id.trimblecloud.com/.well-known/openid-configuration
See more information in our JWT Validation section.
Recommended libraries for authorizing using an SDK
Section titled “Recommended libraries for authorizing using an SDK”JavaScript
Section titled “JavaScript”-
Getting Started with Javascript and the SDK
-
Node JS example is from node-webjson
-
For Identity v4, we recommend Authorization with PKCE instead of an implicit grant flow, but if you using an implicit grant, we recommend using a certified OIDC client. Do check their sample section.
Python
Section titled “Python”- Getting Started with Python and the SDK
- Python libraries have sufficient examples.
- AuthLib supports OAuth2 and JWT signature verification.
- Getting Started with C# and the SDK
- Jose JWT has a good API to validate JWT.
// Validate token with a public RSA key published by the IDP as a list of JSON Web Keys (JWK)// step 0: you've read the keys from the jwks_uri URL found in http://<IDP authority URL>/.well-known/openid-configuration endpointDictionary<string, JObject> keys = GetKeysFromIdp();
// step 1a: get headers infovar headers = Jose.JWT.Headers(token);
// step 1b: lookup validation key based on header infovar jwk = keys[headers["kid"]];
// step 1c: load the JWK data into an RSA keyRSACryptoServiceProvider key = new RSACryptoServiceProvider();key.ImportParameters(new RSAParameters{ Modulus = Base64Url.Decode((string)jwk["n"]), Exponent = Base64Url.Decode((string)jwk["e"])});
// step 2: perform actual token validationvar payload = Jose.JWT.Decode(token, key);
if (!(string)payload["iss"].Equals("https://identity.trimble.com")) // http://<IDP authority URL> throw new Exception("Unknown issuer");if (payload.ContainsKey("iat") && (long)payload["iat"] > (now - 300)) // allow for 5min skew throw new Exception("Token is issued in the future");if (payload.ContainsKey("nbf") && (long)payload["nbf"] > (now - 300)) // allow for 5min skew throw new Exception("Token is not yet valid");if (payload.ContainsKey("exp") && (long)payload["exp"] < (now + 300)) // allow for 5min skew throw new Exception("Token has expired");