C# · 2y ago
Kasper

❔ ASP.NET CALLBACK

Hello, I've got a callback with a JWS signature. How would I add a new controller to the site to handle this POST request and check if it's a valid signature? The link to the API that sends the callback is "https://developer.payconiq.com/online-payments-dock/#the-callback-signature". Any help would be appreciated.
4 Replies
lycian · 2y ago
I'd use one of these packages that allow verification: https://jwt.io/libraries
lycian · 2y ago
Then it's just a matter of following the steps outlined by Payconiq:

This assumes that the JWKS has been cached.
1. Extract the "kid" field from the JOSE Header of the signature.
2. Compare the extracted "kid" with the cached "kid" in the JWKS. If there is a match, jump to step 3. If they do not match, jump to step 4.
3. Use the cached JWK to verify the signature using your preferred library (for Java the standard is jose4j), making sure that the following critical headers are set: "https://payconiq.com/iat", "https://payconiq.com/jti", "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub".
4. Refresh the cached JWKS by downloading the latest JWKS.
5. Extract the "kid" field from the JOSE Header of the signature to retrieve the corresponding JWK.
6. Use the cached JWK to verify the signature using your preferred library (for Java the standard is jose4j), making sure that the following critical headers are set: "https://payconiq.com/iat", "https://payconiq.com/jti", "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub".

This assumes that the public key certificate has not been cached.
1. Extract the "kid" field from the JOSE Header of the signature.
2. Download the JWK which matches the key id ("kid") field in the JOSE Header of the signature.
3. Use the downloaded JWK to verify the signature using your preferred library (for Java the standard is jose4j), making sure that the following critical headers are set: "https://payconiq.com/iat", "https://payconiq.com/jti", "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub".

It is important to confirm that the signature is valid before processing the callback. This is to ensure that the payment data returned has not been tampered with and has been processed by Payconiq.
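The steps above as an ASP.NET Core controller, added here as an example and not code from the thread or from Payconiq. It assumes .NET 6+ implicit usings and the Microsoft.IdentityModel.Tokens package, that the detached JWS arrives in a Signature header in the form header..signature and is signed with ES256, and a placeholder JWKS URL; the route name is hypothetical.

```csharp
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

[ApiController, Route("payconiq/callback")] // hypothetical route; must match the URL registered with Payconiq
public class PayconiqCallbackController : ControllerBase
{
    private const string JwksUrl = "https://JWKS_URL_PLACEHOLDER/jwks"; // placeholder: use the URL from Payconiq's docs
    private static readonly string[] Critical = { "https://payconiq.com/iat", "https://payconiq.com/jti",
        "https://payconiq.com/path", "https://payconiq.com/iss", "https://payconiq.com/sub" };
    private static readonly HttpClient Http = new();
    private static JsonWebKeySet? _jwks; // cached key set, refreshed only when a "kid" is not found
    [HttpPost]
    public async Task<IActionResult> Post()
    {
        // Detached JWS: the raw request bytes are the payload, so read them as-is (no re-serialisation).
        using var ms = new MemoryStream();
        await Request.Body.CopyToAsync(ms);
        string? jws = Request.Headers["Signature"]; // assumed name of the header carrying the detached JWS
        if (jws is null || !await IsValidSignatureAsync(jws, ms.ToArray(), Request.Path))
            return Unauthorized(); // reject before touching any payment state
        // ...deserialise ms.ToArray() and process the verified payment here...
        return Ok();
    }
    private static async Task<bool> IsValidSignatureAsync(string jws, byte[] body, string path)
    {
        string[] parts = jws.Split('.');
        if (parts.Length != 3 || parts[1].Length != 0) return false; // expect "header..signature"
        var header = JsonDocument.Parse(Base64UrlEncoder.Decode(parts[0])).RootElement;
        // Pin the algorithm (assumed ES256) so "alg":"none" or an HMAC downgrade is rejected outright.
        if (!header.TryGetProperty("alg", out var alg) || alg.GetString() != SecurityAlgorithms.EcdsaSha256) return false;
        if (!header.TryGetProperty("crit", out var crit)) return false;
        var declared = crit.EnumerateArray().Select(c => c.GetString()).ToHashSet();
        foreach (var name in Critical) // every critical header must be declared in "crit" and present
            if (!declared.Contains(name) || !header.TryGetProperty(name, out _)) return false;
        if (header.GetProperty("https://payconiq.com/path").GetString() != path) return false;
        if (!header.TryGetProperty("kid", out var kidProp)) return false;
        string kid = kidProp.GetString() ?? "";
        JsonWebKey? key = _jwks?.Keys.FirstOrDefault(k => k.Kid == kid);
        if (key is null) // unknown kid: download the latest JWKS once, then look again
        {
            _jwks = new JsonWebKeySet(await Http.GetStringAsync(JwksUrl));
            key = _jwks.Keys.FirstOrDefault(k => k.Kid == kid);
            if (key is null) return false;
        }
        byte[] signingInput = Encoding.ASCII.GetBytes(parts[0] + "." + Base64UrlEncoder.Encode(body));
        using var verifier = new CryptoProviderFactory().CreateForVerifying(key, SecurityAlgorithms.EcdsaSha256);
        return verifier.Verify(signingInput, Base64UrlEncoder.DecodeBytes(parts[2]));
    }
}
```

The iss and sub headers should additionally be compared with the values you expect for your merchant account, and jti/iat tracked so a captured callback cannot be replayed.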
Kasper (OP) · 2y ago
Thanks
Accord · 2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.