Using JWT with Google App Engine
GAE allows signing arbitrary bytes with the application's unique private key (https://cloud.google.com/appengine/docs/java/javadoc/com/google/appengine/api/appidentity/AppIdentityService). It does not, however, provide access to the private key. It also doesn't mention which algorithm is used to sign. But it provides all public certificates for verification. Is it possible to add support for such a use case?
A related question on stackoverflow: http://stackoverflow.com/questions/31773831/using-jwt-with-google-app-engine
Comments (4)
-
repo owner
I don't know if it's possible. It depends on how the GAE AppIdentityService.signForApp(byte[] signBlob) actually works. And I wasn't able to find much info with a little searching. I put this out on twitter https://twitter.com/__b_c/status/628216588429168640 but haven't gotten any reply. If they sign using SHA256withRSA, which is reasonably likely, then it could probably be made to work with a little hacking. I modified the example from https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples to show what it might look like to sign and verify with AppIdentityService. I don't use GAE so could you please try this and let me know if/how it works? The alternative would be to manage/generate (see RsaJwkGenerator or EcJwkGenerator)/store/publish keys yourself and use the normal jose4j interfaces. But I do understand that using the infrastructure provided by GAE is appealing. Though I suppose it's worth mentioning that, even if you can get this to work, things could break down the road, if Google ever were to change how they do the signing.
-
repo owner
Did you have a chance to try that, @arpit1712 ?
-
repo owner - changed status to closed
no response for over a month so closing
-
reporter
Apologies for delayed response. I chose a different technique to sign the token (using the user's password's hash). Also, for simplicity, I decided to use HMAC instead of RSA for signing the JWT.
~Arpit