Create a JWT in VBA RSASHA256 - vba

I have automated the use of Docusign from an Access Database using https calls from VBA
Now I have to change from their legacy authentication to use OAuth 2.0
I need to create a JWT and then use this to exchange for a Docusign API Access Token
I can create and encode the Header & Payload but need to generate the Signature part by encoding the Header and Payload to Base64 (which I can do) but then need to use the Private Key (also have a Public Key) which I have from Docusign and use something like RSASHA256 (as per JWT.io) to generate the Signature to add to my JWT
Does anyone know how I can create this signature element from VBA please
Thank you

you could try some of this code (part of a repository I made): https://github.com/krijnsent/crypto_vba/blob/master/ModHash.bas
You do need .NET 3.5 or greater on your system, as it's used by the hashing algorithms (System.Security.Cryptography).

Related

Are there VBA classes that generate JWT for DocuSign OAuth2?

We are using MicroSoft Access 2016 32-bit VBA to call DocuSIgn API for generating and sending envelopes, and reading DocuSign data. We are trying to convert from DocuSign's legacy authentication to OAuth2. We do not have the option at this time to change to another application.
I am stuck on generating the JWT. I have successfully used JWT.IO to manually generate a JWT with the proper Header, Body, and Signature. I cannot figure out how to generate it programmatically in VBA. I have seen some code on GitHub but not sure how to implement it.
Are there libraries in VBA reference I need to include?
Can anyone point me in the right direction to get JWT in VBA?
Thank you.
DocuSign support finally gave me the alternative to use Authorization Code Grant with an extended refresh token. So much easier!
I did try using Koen Rijinsent's https://gist.github.com/krijnsent/7a90db8567504aa89a448132796792b3 that he provided via email, in addition to his ModHash. I was almost there, but his hash does not support RSASHA256. Thank you Koen for your efforts to help me.

Custom authentication with Swashbuckle.AspNetCore

Currently we're generating Swagger 2.0 documentation using Swashbuckle.AspNetCore. The authentication mechanism being used requires three headers:
X-API-KEY: The shared key
X-API-SIGN: Signature of the request composed of HMACSHA256 hashed value of Hashed secret, Timestamp, Method, Endpoint, and Body
X-API-TIMESTAMP: This is the same timestamp used in the signature
I don't think Swagger or Swashbuckle support this natively so I would likely need to set up some javascript to fill in hidden fields or something in the swagger docs.
I'm currently using an OperationFilter to prepend operation parameters to each request. This doesn't help me once the page loads though since the user will need to enter their API key and secret, which everything else is calculated based on. Clearly javascript will be required here.
Can anyone provide suggestions for how to handle this cleanly?
I wanted to put this as a comment but comments do not allow format so here you go:
The Swashbuckle.AspNetCore seems to be missing the InjectJavaScript feature:
https://github.com/domaindrivendev/Swashbuckle.AspNetCore/search?l=C%23&q=InjectJavaScript
It is there on the older project:
https://github.com/domaindrivendev/Swashbuckle/search?l=C%23&q=InjectJavaScript
That is what I've used to inject some javascript, without that we are very limited.
Now looking at this from a different perspective:
It seems you want to embed the authentication process on the swagger ui...
Maybe on the backend you should bypass the authentication if the request comes from Swagger-Ui

Use EchoSign Api in C#

I need to get the list of document and echosign it in c#. Also I need the Abobe Echosign oauth api to validate the username and password and get the access token key.
Please help!!
There is a another question related to using Adobe Sign api in c#. This might be helpful for you.
Adobe Sign (echo sign) API sending document using C#

How to verify oauth signature or request?

The client is using oauth signing their request and call my server, I know the client's oauth key and secret, then how can I verify the call is from the actual user? should I calculate the signature with all parameters sent along with the request and compare it with the signature within the request? I am using singpost library.
Thank you, any hint will be very helpful!
OK for the future reference - to validate the signature, this is what I did:
Parse all parameters in the incoming request's header and use all these parameters and my own consumer credential to calculate the signature again, then compare with the incoming signature. It's a pain for me since no proper library can do it in a easy way, I have to write it myself...

REST API authentication with query string encryption

I am building a web application that provides an API as it's primary function. I have been looking into methods for authentication but have been struggling to make a decision on what to use.
Since this will be a paid service and the API is the service, I need to make it as easy to use as possible so as not to put people off but obviously I want it to be secure. I have considered using HTTP basic authentication over SSL but would like to avoid the costs/overheads/hassle of SSL if possible early on and maybe provide it as an option later.
I like the AWS style API authentication (see here) but the problem is I can't have users sending the query string as plain text along with a signature because the parameters may contain things like phone numbers which I think customers would rather not expose. I have thought about providing a secret key to encrypt the string which is sent along with an api key to identify the user.
What do you think the best option is to also encrypt the query string along with the request while maintaining simplicity?
Use HTTPS. It's simple, supported by almost all client libraries, trusted, secure, and it protects the URL and payload.