Generating JWT’s for Azure in Apex

Lately I’ve been playing around with Azure and integrating Salesforce and Azure. One of the integration patterns calls for using JSON Web Tokens (JWT) that you can then exchange for an access token in Azure. There is a catch however…

Since Azure requires that the thumbprint of the certificate be added to the header of the JWT (using the key “x5t”), we cannot use the built-in support for JWT in Named Credentials, as there is no provision for custom header key/values. The JWT/JWS classes in Apex cannot be used either, as the header cannot be customized there. Building upon https://github.com/salesforceidentity/jwt I’ve created https://github.com/lekkimworld/azurejwt-apex, which bridges the gap.

This allows you to build and sign a JWT that you can exchange for an access token at your tenant’s v2.0 OAuth token endpoint in Azure. Example Apex code looks like this:

// declarations (because I'm old school)
final String azureClientId = '88d888a5-0cf4-473a-b9a0-7c88e6fc888e';
final String azureTenantId = 'b34feb2b-132f-4322-af1d-c888f5d888d0';
final String azureCertThumbprint = '4rElsDFTysrbKhB0zTsrRNSxT6s=';
final String azureScopes = '5384888d-868f-442b-b1b3-8688807de914/.default';

// create JWT with certificate from keys mgmt and set the x5t in the header to the 
// thumbprint of the cert as expected by Azure
AzureJWT jwt = new AzureJWT();
jwt.cert = 'JWT_Callout_Certificate';
jwt.iss = azureClientId;
jwt.sub = azureClientId;
jwt.aud = 'https://login.microsoftonline.com/' + azureTenantId + '/oauth2/v2.0/token';
jwt.x5t = azureCertThumbprint;

// invoke the flow and obtain an access_token
final String access_token = AzureJWTBearerFlow.getAccessToken(azureClientId, azureTenantId, azureScopes, jwt);

// use the access token against a Function App in Azure
HttpRequest req = new HttpRequest();
req.setEndpoint('https://foo-functions-demo.azurewebsites.net/api/MyFunction?name=Salesforce');
req.setMethod('GET');
req.setHeader('Authorization', 'Bearer ' + access_token);
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());

In the https://github.com/lekkimworld/azurejwt-apex GitHub repo you will find the two Apex classes from the above example together with the example code.

The certificate thumbprint (azureCertThumbprint above) isn’t the regular hex SHA-1 thumbprint but a base64-encoded edition of the same hash. To make it even more interesting, the thumbprint displayed in Azure Portal is not the thumbprint we need. The thumbprint/hash may be computed like this (gleaned from https://stackoverflow.com/a/52625165):

echo $(openssl x509 -in yourcert.pem -fingerprint -noout) | sed 's/SHA1 Fingerprint=//g' | sed 's/://g' | xxd -r -ps | base64
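The same conversion in Python, as an added example that is not part of the original post or the azurejwt-apex project: it derives the x5t value from PEM or DER certificate bytes and re-encodes the colon-separated hex thumbprint that openssl prints, and it emits the base64url form RFC 7515 specifies for x5t alongside the padded standard base64 the pipeline above produces. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import json
import re

# Constructed stand-in for DER-encoded certificate bytes (NOT a real certificate).
# The thumbprint is just SHA-1 over the DER bytes, so any byte string shows the steps.
SAMPLE_DER = bytes(range(256)) * 2


def sample_pem() -> str:
    """Wrap SAMPLE_DER in PEM armour, the form 'openssl x509 -in yourcert.pem' reads."""
    b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to recover the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def hex_thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the colon-separated hex form 'openssl x509 -fingerprint' prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def x5t_from_der(der: bytes, urlsafe: bool = True) -> str:
    """x5t header value: SHA-1 of the DER certificate, base64url without padding
    (RFC 7515 section 4.1.7). urlsafe=False gives the padded standard base64 that
    the 'xxd -r -ps | base64' pipeline produces; the two differ only in '+' '/' '='."""
    digest = hashlib.sha1(der).digest()
    if not urlsafe:
        return base64.b64encode(digest).decode("ascii")
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def x5t_from_hex_thumbprint(hex_str: str) -> str:
    """Re-encode a hex SHA-1 thumbprint (colons optional) into the x5t form:
    same hash, different encoding. Rejects anything that is not 20 bytes."""
    raw = bytes.fromhex(hex_str.replace(":", "").replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("SHA-1 thumbprint must be exactly 20 bytes")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def jose_header(x5t: str) -> str:
    """Base64url-encoded JOSE header carrying x5t, as the client assertion needs."""
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t}
    return base64.urlsafe_b64encode(
        json.dumps(header, separators=(",", ":")).encode()).decode().rstrip("=")
```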

Ribbon IDE for Lotus Notes?

As you know Lotus Notes is built on Eclipse, so following Eclipse plugins and projects makes a lot of sense from a platform point of view. Surfing the other day I stumbled over an Eclipse project that provides a Ribbon IDE for the Eclipse platform. It brings Microsoft-centric applications to mind, but it might make sense for other applications including Lotus Notes.

For more info see “Eclipse plug-in sightseeing: Ribbon IDE / Eclipse”. There’s also a PDF showing it off.

Microsoft MIX10 vs Lotusphere

With all the talk we have been having around Lotusphere presentations and the availability of session presentations and video afterwards, it’s strangely refreshing to see how Microsoft approaches their MIX10 conference, which was just held in Las Vegas. If you go to live.visitmix.com/videos you are able to download all presentations and download or stream all sessions as video (WMV for HD and h.264). They even provide a downloader to download all the contents in one go.

How do you like them apples?

Rearming Windows Vista

While cleaning up today I found an interesting piece of information in the Microsoft Action Pack material. It appears that the 30-day grace period of Windows Vista can be extended to 90 days by rearming the installation (you should also disable auto-activation during the installation). This is great for testing purposes.

To rearm Windows, start a command prompt with administrative privileges and run

cscript %windir%\system32\slmgr.vbs -rearm

The script can also be used to activate Windows using the -ipk switch followed by the 25-digit activation code.

Ahhh – there is of course the Microsoft (proprietary) solution

As mentioned yesterday, I have been reinventing the wheel and (re)writing XPath 2.0 functions as named XSLT templates since MSXML 3 in Internet Explorer 6 isn’t XPath 2.0 compliant. As always there is, however, a Microsoft proprietary solution using the urn:schemas-microsoft-com:xslt namespace. This namespace adds support for a number of utility functions as mentioned in the “Microsoft XPath Extension Functions” article over at Microsoft Developer Network.

You have to be running MSXML 4 for this namespace to work, however, which means that even the proprietary solution isn’t workable for me since MSXML 3 is the default for Internet Explorer 6.

While researching this subject I found that MSXML 3 (or 4) isn’t the newest version. There is an MSXML 5 (only used with Office 2003) and an MSXML 6 (supplied with Visual Studio 2005). Even the newest MSXML 6 doesn’t support XPath 2.0, however. The supported APIs in MSXML 6 are:

  • XML 1.0 (DOM & SAX2 APIs)
  • XML Schema (XSD) 1.0
  • XPath 1.0
  • XSLT 1.0

Come on already – please implement the standards!