Error in querystring hash instructions for connect apps (JWT token creation)

Hi

Following the instructions from: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt/

I think there is a very misleading error in the description on how to create the query hash.

Step 7 states:

Hash the canonical request bytes using the SHA-256 algorithm

  • e.g. The SHA-256 hash of "foo" is "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"

This is not correct in all cases. The hash of foo in C# is a byte array, not a string. Only by applying hex encoding to the hash will the resulting UTF8 string become the string mentioned above. This step is omitted in the instructions. Also, in other places Base64 encoding is used, but for the query hash, hex encoding is used. Maybe this is some default in Java?

Since the query hash is a bit overworked anyway, clear instructions would help =).

For my C# ASP.NET Core 2.2 implementation of a JWT token, I used the code below.
signingUrlString is the input in the format described in the instructions, ex:
GET&/path/to/api/method&....

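    // Requires: using System.Security.Cryptography; using System.Text;
    string queryHash;
    using (SHA256 mySHA256 = SHA256.Create())
    {
        // The canonical request string is hashed as UTF-8 bytes
        var signingBytes = Encoding.UTF8.GetBytes(signingUrlString);
        // ComputeHash returns the raw 32-byte digest, not a string
        var shaHashofSigning = mySHA256.ComputeHash(signingBytes);
        // Hex-encode the digest (lowercase) to get the query hash string
        queryHash = ToHex(shaHashofSigning, false);
    }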

ToHex:

    // Hex-encodes a byte array, two characters per byte
    private static string ToHex(byte[] bytes, bool upperCase)
    {
        StringBuilder result = new StringBuilder(bytes.Length * 2);

        for (int i = 0; i < bytes.Length; i++)
            result.Append(bytes[i].ToString(upperCase ? "X2" : "x2"));

        return result.ToString();
    }

I used a validation tool for the querystring hash during testing of the JWT implementation to check if the hash was correct: http://jwt-decoder.herokuapp.com/jwt/decode

I have no affiliation to the tool itself, so I cannot say if it's safe or not, so use with caution, and do not expose any sensitive URLs or queries.

I hope this might help anyone who has issues with the querystring hash. Please comment if you have any input on this, or if you find errors in the code.

Best regards

Torbjörn
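An added example, not part of the original post and not Atlassian's code: it shows the same SHA-256 digest of "foo" as raw bytes, as hex and as Base64, and a receiver-side check that compares a received query hash against the locally computed one in constant time. The class and method names are hypothetical, and the canonical request string is assumed to be already built.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class QueryHashCheck
{
    // Lowercase hex, the form used by the "foo" example in the instructions.
    public static string ToLowerHex(byte[] bytes)
    {
        var sb = new StringBuilder(bytes.Length * 2);
        foreach (byte b in bytes) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    // SHA-256 over the UTF-8 bytes of an already-built canonical request, hex-encoded.
    public static string ComputeQueryHash(string canonicalRequest)
    {
        using (SHA256 sha = SHA256.Create())
            return ToLowerHex(sha.ComputeHash(Encoding.UTF8.GetBytes(canonicalRequest)));
    }

    // Receiver side: compare the received query hash with the expected one.
    // FixedTimeEquals returns false on a length mismatch and does not exit early
    // on the first differing byte.
    public static bool QueryHashMatches(string claimed, string canonicalRequest)
    {
        if (claimed == null) return false;
        byte[] expected = Encoding.ASCII.GetBytes(ComputeQueryHash(canonicalRequest));
        byte[] received = Encoding.ASCII.GetBytes(claimed);
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }

    public static void Main()
    {
        // Constructed input: the string "foo" from the instructions' example.
        byte[] digest;
        using (SHA256 sha = SHA256.Create())
            digest = sha.ComputeHash(Encoding.UTF8.GetBytes("foo"));

        string hex = ToLowerHex(digest);
        string b64 = Convert.ToBase64String(digest);
        const string documented =
            "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";

        Console.WriteLine("digest length in bytes: " + digest.Length);
        Console.WriteLine("hex:    " + hex);
        Console.WriteLine("base64: " + b64);
        Console.WriteLine("hex equals documented value: " + (hex == documented));
        Console.WriteLine("hex form accepted:    " + QueryHashMatches(hex, "foo"));
        Console.WriteLine("base64 form accepted: " + QueryHashMatches(b64, "foo"));
    }
}
```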
