Question
Does anyone have any ideas why the :jwt in the following entry in our Weebly app manifest isn't being replaced?
"callback_url" : "https://www.mymobileapp.online/home/index?vendorId=Weebly&:jwt"
The incoming request I see is:
https://www.mymobileapp.online/home/index?vendorId=Weebly&:jwt?user_id=62581379&timestamp=1479434021&site_id=163706648712782041&hmac=...our_hmac...&version=1.0.0&callback_url=https%3A%2F%2Fwww.weebly.com%2Fapp-center%2Foauth%2Fauthorize
So, as you can see, the ':jwt' is still there, and Weebly is appending its query-string operand and parameters after it.
I've read the "Configure the Manifest for OAuth" section on the page below, and as far as I can see I'm configuring the manifest correctly. What am I missing?
https://dev.weebly.com/configure-oauth.html
Answer 1:
You may have figured this out by now, but your callback_url should NOT have the :jwt in it to begin with. Problem solved ;)
If the user can manage the App/Settings, then you would use manage_app_url, and on the page of your website that you have set for the manage_app_url you would then listen for jwt. (Then you can also use "oauth_final_destination" : "manage" if you want them to end up on your site after the install.) See: https://dev.weebly.com/how-users-manage-your-app.html
EDIT: See also: https://dev.weebly.com/sso-with-jwt.html
So for example, with PHP, on the manage_app_url page of your site you would do:
    <?php
    // firebase/php-jwt, v5-era API: JWT::decode($jwt, $key, $allowed_algs)
    require 'vendor/autoload.php';
    use Firebase\JWT\JWT;

    if (isset($_GET['jwt'])) {
        $app_client_id = "Your APP ID";
        $client_secret = "Your APP SECRET";
        $jwt = $_GET['jwt'];
        /**
         * You can add a leeway to account for when there is a clock skew between
         * the signing and verifying servers. It is recommended that this leeway should not be bigger than a few minutes.
         * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
         */
        try {
            JWT::$leeway = 60; // $leeway in seconds
            // The third argument pins the allowed algorithm; the token's own header does not get to choose it.
            $decoded = JWT::decode($jwt, $client_secret, array('HS256'));
            if (!empty($decoded)) {
                $decoded_array = (array) $decoded;
                // Continue with your website's code to verify the Weebly user's info
            }
        } catch (Exception $e) {
            // Bad signature, expired or not-yet-valid token, or malformed input: treat as unauthenticated
            http_response_code(401);
            exit;
        }
    } // END IF ISSET JWT
Answer 2:
Although this response is correct, I think the original post was off, as it's the manage_app_url that uses the :jwt.
I had the same issue, but discovered that it does not work when installing as a draft app; however, accessing the "manage app" link through the app interface, it is correct, i.e., the :jwt is replaced with the proper URL.
So the issue is in the installing of a draft app, and not in actually managing the app through the front-facing interface.
Answer 3:
Jeffery, you are absolutely correct sir. I am only adding this as an answer to expand upon yours with some additional security recommendations Weebly considers best practice.
The primary use cases when developers need to implement the JWT ("JSON Web Token") are (see links in Jeffery's answer above for more details):
- Providing user-contextualized data for Weebly Apps dependent upon configuration/setting parameters to be defined/stored/manipulated outside of Weebly (external services)
- SSO (Single Sign-On) support

Two Ways the :jwt is included in the URL

Your Weebly App manifest.json file(s) may contain URLs that trigger Weebly to provide you a JWT:
- manage_app_url
- element.settings.config.external.url
- Dashboard Card Link Components: dashboard_cards.link or dashboard_cards.default[{{SOME_COMPONENT}}].link

Developers can define the position of the JWT in these URLs using one of two approaches:
- IMPLICITLY DEFINED: Weebly automatically appends the JWT string to the developer-defined URL (and any appropriate operands such as & or ?)
- EXPLICITLY DEFINED: Indicated by using :jwt at any valid location within the URL values you provide in your manifest.json file
Production Security Best Practices and Considerations
Using the decode method of the PHP library above is handy and quick during development, but when developers are ready to publish their Weebly Apps to the App Center, you will want to include the maximum security possible.
- Request Scheme Invalidation: Verify the scheme of the inbound request is using https
- Request Domain Invalidation: Verify the headers.host of the inbound request contains the valid weebly domain and .com TLD (since requests containing the JWT should only ever come from https://www.weebly.com)
- Auto-Reject Tokens with Mismatched Signature Types: Some JWT libraries do not auto-reject tokens if the signature type is mismatched, which allows hackers to forge requests in these cases; read this document from Auth0 for more information
- IP Address Max Requests per [TIMEFRAME]: To prevent brute-force hacking or DDOS attacks on these URLs, you may want to include functionality that automatically caches multiple requests within a specific timeframe. This should be a relatively high value in a short period of time, since humans can have request performance limitations in valid use-cases.
While the above content about security is not currently part of official Weebly documentation, I have submitted an issue to include it in the future.
Also, I saw that we recently moved content and did not include the 301 redirects for the URLs referenced in the original question or Jeffery's answer. We just fixed that so your links work properly.
I hope this helps and the information is valuable for you.
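The following is an added example, not code from the thread above and not Weebly's own code. It puts the decode step from Answer 1 and the hardening items from Answer 3 (https-only, a per-IP request limit, and refusing tokens whose header names a different algorithm) into one manage_app_url handler. It is written in Python with only the standard library rather than the answer's PHP so that it runs without php-jwt; the client secret, the claim names (user_id, site_id, iat, exp), the IP addresses and the rate-limit numbers are assumptions made for illustration, since Weebly's real claim set is not documented on this page. The algorithm is pinned by the verifier instead of being read from the token, which is what defeats the "alg: none" and RS256/HS256 key-confusion forgeries Answer 3 warns about.

```python
"""Checks for a manage_app_url handler: HS256 JWT with the algorithm pinned
server-side, clock-skew leeway, https-only, per-IP request limit (example)."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Assumed stand-in for your app's client secret (Weebly signs the JWT with it).
CLIENT_SECRET = b"example-client-secret-not-real"
LEEWAY_SECONDS = 60  # same clock-skew tolerance the PHP answer uses


class InvalidToken(Exception):
    """Raised for any token the verifier refuses."""

def _b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _segment(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims, secret):
    """Issuer side; used here only to build sample tokens for the demo."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def forge_unsigned(claims):
    """Attacker's token for libraries that trust the header's own 'alg': alg none, empty signature."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."

def verify_hs256(token, secret, now=None, leeway=LEEWAY_SECONDS):
    """Return the claims of a valid token or raise InvalidToken.
    The algorithm is pinned by the verifier, never read from the header, so
    'none' and key-confusion tokens fail before the constant-time signature check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % (header.get("alg"),))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    now = time.time() if now is None else now
    if "exp" in claims and now > claims["exp"] + leeway:
        raise InvalidToken("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise InvalidToken("token not yet valid")
    if "iat" in claims and now < claims["iat"] - leeway:
        raise InvalidToken("token issued in the future")
    return claims


class RequestRateLimiter:
    """Sliding-window per-client counter for the 'max requests per timeframe'
    item; keep the limit generous, since real users reload and retry."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, client_ip, now):
        hits = self._hits[client_ip]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # drop hits that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_manage_request(scheme, query, client_ip, limiter, now=None):
    """Apply the checks in handler order; returns ("ok", claims) or ("reject", why)."""
    now = time.time() if now is None else now
    if scheme != "https":
        return ("reject", "scheme must be https")
    if not limiter.allow(client_ip, now):
        return ("reject", "rate limited")
    token = query.get("jwt")
    if not token:
        return ("reject", "missing jwt")
    try:
        return ("ok", verify_hs256(token, CLIENT_SECRET, now=now))
    except InvalidToken as exc:
        return ("reject", str(exc))
```

The PHP equivalent of the pinning is the array('HS256') argument to JWT::decode: the allowed-algorithm list comes from your code, never from the token. The limiter here keeps its counters in process memory, which is enough to show the logic; a deployment with more than one web worker would back it with shared storage so that per-IP counts are not split across processes.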
Source: https://stackoverflow.com/questions/40668548/im-developing-a-weebly-app-why-is-the-jwt-in-the-following-entry-in-our-mani