[BC Idea]: Get the claims from a SecretText JWT Token #2296

Closed
1 task done
jwikman opened this issue Nov 1, 2024 · 8 comments · Fixed by #2363
Labels: Approved (The issue is approved), BCIdea (Issue related to a BCIdea), Integration (GitHub request for Integration area)

Comments

jwikman (Contributor) commented Nov 1, 2024

BC Idea Link

https://experience.dynamics.com/ideas/idea/?ideaid=e565077f-7b98-ef11-95f5-7c1e526e605f

Description

When troubleshooting OAuth and trying to figure out why an AccessToken is not being accepted by the resource you are trying to use it on, we have previously been able to get the AccessToken in plain text and put it into jwt.ms (or any other similar tool) to parse the token and look at all the claims (see https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims for more information).

Looking at the claims often explains why it does not work, like missing scopes, new configuration not in effect yet (things get cached a lot nowadays), etc.

With the switch to SecretText in the OAuth2 module, we cannot get the AccessToken in plain text. Hence, we cannot parse the AccessToken to get the claims. :(

I suggest a new function in the OAuth2 module that has the AccessToken (SecretText) as parameter and returns the claims as a JsonObject.

On top of that, we could also add new functions that return common claims in an easier way, like expiration time (requested in https://experience.dynamics.com/ideas/idea/?ideaid=41f5d251-1a59-ee11-a81c-0022484c1d83).

I will provide the implementation for this BC Idea

  • I will provide the implementation for this BC Idea
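As an added illustration (not the AL implementation in #2363, which works on the SecretText type in the OAuth2 module), here is the decoding step the post describes, in Python: split the token, base64url-decode the payload, and read the claims that usually explain a rejection, namely expiry and missing scopes. The `scp`/`roles` claim names are those used by Entra ID access tokens; the sample token is constructed, and nothing here verifies a signature.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * ((-len(segment)) % 4))

def get_claims(token: str) -> dict:
    """Return the payload claims of a JWT for inspection, like pasting it into jwt.ms.
    The signature is not checked, so this explains rejections but proves nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def diagnose(claims: dict, required_scopes: set, now=None) -> list:
    """List the usual reasons a resource rejects a token: expiry and missing scopes."""
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if exp is None:
        findings.append("no 'exp' claim")
    elif exp <= now:
        findings.append(f"token expired at {exp:.0f} (now {now:.0f})")
    # Entra ID access tokens carry delegated scopes in 'scp' (space-separated)
    # and application permissions in 'roles'; a scope missing here explains a 401/403.
    granted = set(str(claims.get("scp", "")).split()) | set(claims.get("roles", []))
    missing = required_scopes - granted
    if missing:
        findings.append("missing scopes: " + ", ".join(sorted(missing)))
    return findings

def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token with a placeholder signature (not issued by any identity provider).
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({"aud": "api://example", "scp": "Financials.ReadWrite.All", "exp": 1700000000}),
    "signature-placeholder",
])
```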
@jwikman jwikman added the BCIdea Issue related to a BCIdea label Nov 1, 2024
JesperSchulz (Contributor) commented:

@WaelAbuSeada / @darjoo, is this justifiable from a security perspective? Please triage.

jwikman (Contributor, Author) commented Nov 6, 2024

@WaelAbuSeada / @darjoo, I can create a draft PR for this if you want to see the implementation approach before making a decision on this?

JesperSchulz (Contributor) commented:

> @WaelAbuSeada / @darjoo, I can create a draft PR for this if you want to see the implementation approach before making a decision on this?

That sounds like a good path forward! Let's do that 😊

jwikman added a commit to jwikman/BCApps that referenced this issue Nov 14, 2024
jwikman (Contributor, Author) commented Nov 14, 2024

Ok, here's the draft: #2363

Not that much code, but essential when troubleshooting OAuth issues 🙂
More than once, this has shown that recent changes in the app registration were not being used yet...

@JesperSchulz JesperSchulz added Integration GitHub request for Integration area Approved The issue is approved labels Nov 15, 2024
JesperSchulz (Contributor) commented:

Draft went through security review. Issue approved.

jwikman (Contributor, Author) commented Nov 15, 2024

> Draft went through security review. Issue approved.

Cool, thanks!

Happy Friday! 🥳

pri-kise (Contributor) commented:

@jwikman I found two procedures in the BaseApp today, since they are used in this PR: microsoft/ALAppExtensions#27261

https://github.com/microsoft/BusinessCentralApps/blob/main/App/Layers/W1/BaseApp/System/SOAPWebServiceRequestMgt.Codeunit.al

If those return the same, then they could maybe partially uptake this new feature:

  • GetTokenDetailsAsNameBuffer
  • GetTokenDetailsAsJson

jwikman (Contributor, Author) commented Feb 11, 2025

@pri-kise yes, they could probably do that.

I tried to use the GetTokenDetailsAsJson() function on a JWT token that worked with the new GetClaims() function, and it fails - without any error message. And since it is a NonDebuggable function, it's hard to figure out why...
