[Feature Request] RFC 7518 JSON Web Tokens (JWTs)

Hi folks,

I'm a software engineer working to help out with the Google Home Hubitat Community Integration. In particular, I'd like to contribute a few important features (Report State and Local Fulfillment).

These features depend on RFC 7518 JSON Web Tokens (JWTs). Google's version of JWTs requires support for RSA or ECDSA encryption, neither of which seems to be possible with the current Groovy bindings available to Hubitat apps.

I'd like to request support for JWTs, ideally with one of the existing Java libraries for JWT, e.g. jjwt, Jose4j, java-jwt, etc.

6 Likes

+1 for this request. JWT is a widely-used standard that is likely applicable to other apps outside of Google Home as well.

Even just whitelisting the java.security.Signature and java.util.Base64 classes for use by apps would allow JWT signing and verification. Including a full-fledged JWT library like jose4j would be ideal though.

2 Likes
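
An added illustration of the point in the post above (not code from the thread, from Hubitat, or from the integration): a compact RS256 JWT signed and verified using only `java.security.Signature` and `java.util.Base64`. The class name, the throwaway key pair and the claim values are assumptions constructed for the example, and it is plain Java rather than Hubitat-sandboxed Groovy.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class MinimalRs256Jwt {  // hypothetical class name
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    private static String b64(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Builds header.payload, signs those ASCII bytes with RSASSA-PKCS1-v1_5 / SHA-256.
    static String sign(String claimsJson, PrivateKey key) throws GeneralSecurityException {
        String signingInput = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64(claimsJson);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(s.sign());
    }

    // The verifier fixes the algorithm itself and never takes it from the token's
    // "alg" header, so a token claiming "none" or an HMAC algorithm cannot pass.
    static boolean verify(String jwt, PublicKey key) throws GeneralSecurityException {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        try {
            return s.verify(Base64.getUrlDecoder().decode(parts[2]));
        } catch (IllegalArgumentException | SignatureException e) {
            return false;  // malformed base64url or wrong-length signature
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // throwaway key, constructed for the demo
        long now = System.currentTimeMillis() / 1000;
        // Constructed claims; a real caller uses the values its token endpoint requires.
        String claims = "{\"iss\":\"example-issuer\",\"iat\":" + now + ",\"exp\":" + (now + 3600) + "}";
        String jwt = sign(claims, kp.getPrivate());
        String[] p = jwt.split("\\.");
        String forged = p[0] + "." + b64("{\"iss\":\"someone-else\"}") + "." + p[2];
        System.out.println("genuine token verifies: " + verify(jwt, kp.getPublic()));
        System.out.println("swapped payload verifies: " + verify(forged, kp.getPublic()));
    }
}
```
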

I will add my +1 for this as well.

1 Like

I think Groovy might have support for Base64 as an extension on its bytes type (I can't seem to include links, but I found it on a web search for "groovy gdk base64").

No idea yet if that's filtered out or not. Regardless, we'd also need RSA or ECDSA signatures.

Maybe something @gopher.ny can consider...

2 Likes

Any thoughts on this, Hubitat folks? Should I repost this to the Developers category?

What use scenarios are you looking at?
We use Nimbus JOSE+JWT internally, but it will have to go through an additional security review if it is going to be exposed to apps/drivers. Which means it will definitely not be in 2.2.7.

2 Likes

Google's Smart Home APIs use JWTs to allow Hubitat to push updates to their servers (rather than requiring Google's servers to repeatedly fetch data from Hubitat). Google calls this API "Report State".

We'd like to add this push feature to the open source Google Home Community Integration, but the required RSA/ECDSA APIs are not exposed to Groovy right now.

Nimbus JOSE+JWT would be perfect for us. No rush on getting it into 2.2.7. Really appreciate you taking a look!

More folks are asking for the ability to have the open source Google Home Community Integration to be able to push updates to Google.

It'd be awesome if Nimbus JOSE+JWT could be added to the Groovy allowlist to unblock this.

Just wanted to bump this and see if there was any movement (hopefully it's moving up the list).

thanks

@gopher.ny

5 Likes

Release 2.2.9 just came out and has this in the release notes:

  • Whitelisted selected Nimbus Jose/JWT classes (PlainObject, JWSObject, Payload, JWEObject JWEHeader, PlainJWT, SignedJWT, EncryptedJWT, JWTClaimsSet).

It's super close to what we need, but there are two classes I think need to be added to the allowlist still:

  1. JWTHeader.Builder
  2. JWTClaimsSet.Builder

I wasn't able to find a workaround to use SignedJWT without these two classes being allowlisted. I also messaged @gopher.ny to thank him and let him know there were two classes missing from the allowlist.

Yay! I got things more or less working with Hubitat 2.2.9.131 and implemented the async Report State API using JWT authentication for the Google Home Community Integration:

It's still fairly manual to get the Service Account JSON from Google and convert it to the JWK format which the old version of Nimbus JOSE+JWK included in Hubitat needs... but it's a start.