
Example of OAuth2 signature validation

The article Digging Deeper into OAuth 2.0 on describes being able to validate the ID field was not modified. I'm trying to understand better how to perform that validation and am wondering if there are any examples. I didn't see any in the getting started guide.



Best Answer chosen by Admin (Salesforce Developers) 
Pat Patterson

As the article explains, the signature is a "Base64-encoded HMAC-SHA256 signature signed with the consumer's private key containing the concatenated ID and issued_at.", so to validate you would do something like:


import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Using Apache Commons Base64 encoder here - any base64 encoder should do
import org.apache.commons.codec.binary.Base64;
// ...
// clientSecret is the consumer secret as a String; id, issued_at and signature
// are the fields taken from the identity response
Mac m = Mac.getInstance("HmacSHA256");
m.init(new SecretKeySpec(clientSecret.getBytes("UTF-8"), "HmacSHA256"));
String stringToSign = id + issued_at;
byte[] macBytes = m.doFinal(stringToSign.getBytes("UTF-8"));
String macString = Base64.encodeBase64String(macBytes);
// Compare in constant time; String == would compare references, not contents
if (MessageDigest.isEqual(macString.getBytes("UTF-8"), signature.getBytes("UTF-8"))) {
    // Signature is good
} else {
    // Data has been tampered with!
}
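The same validation written out end to end in Python, as an added example that is not part of the original answer or of any Salesforce library: it recomputes the HMAC-SHA256 of id + issued_at under the consumer secret, Base64-encodes it as the article describes, and compares against the signature field from the identity response in constant time. The consumer secret, id URL and issued_at value below are constructed placeholders, not real Salesforce values.

```python
import base64
import hashlib
import hmac


def sign_identity(client_secret: str, user_id: str, issued_at: str) -> str:
    """Return the Base64-encoded HMAC-SHA256 of id + issued_at keyed with the
    consumer secret. This mirrors what the identity service produces."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (user_id + issued_at).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(client_secret: str, user_id: str, issued_at: str,
                     signature: str) -> bool:
    """Recompute the expected MAC and compare it with the supplied signature.

    Returns False for a malformed (non-Base64) signature rather than raising,
    and uses hmac.compare_digest so the comparison does not leak how many
    leading bytes matched."""
    try:
        supplied = base64.b64decode(signature, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(
        client_secret.encode("utf-8"),
        (user_id + issued_at).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return hmac.compare_digest(expected, supplied)


# Constructed sample values (placeholders, not a real org, user or secret)
SAMPLE_SECRET = "CONSUMER_SECRET_PLACEHOLDER"
SAMPLE_ID = "https://login.example.com/id/ORGID_PLACEHOLDER/USERID_PLACEHOLDER"
SAMPLE_ISSUED_AT = "1296458209517"


if __name__ == "__main__":
    sig = sign_identity(SAMPLE_SECRET, SAMPLE_ID, SAMPLE_ISSUED_AT)
    print("signature:", sig)
    print("untampered:", verify_signature(SAMPLE_SECRET, SAMPLE_ID, SAMPLE_ISSUED_AT, sig))
    # Changing issued_at (or id) after signing must fail validation
    print("tampered:", verify_signature(SAMPLE_SECRET, SAMPLE_ID, "1296458209518", sig))
```

The check must be done with the same string concatenation the server used (id immediately followed by issued_at, no separator), and the secret must be the consumer secret of the connected app that issued the token; a different app's secret will simply never validate.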