
Add JWT (JSON Web Token) support #1127

Closed
InsightGit opened this issue Jun 27, 2020 · 10 comments

Comments

@InsightGit

Describe the project you are working on:

A creative multiplayer shooter with separate custom back-end apis written in Python and the game server + client written in GDScript.

Describe the problem or limitation you are having in your project:

When I communicate between my game server and my backend servers, I'm using JWT now, albeit in a sort of hacky way partially in GDScript and partially in Python (see "If this enhancement will not be used often...") that assumes that Python is installed on the machine with the requisite JWT library (and thus is only feasible to implement on systems I control like my server).

Describe the feature / enhancement and how it helps to overcome the problem or limitation:

It would get rid of the need to call an external python script server-side and handle JWT claims purely in GDScript, and allow me to parse/create JWT tokens client side.

Describe how your proposal will work, with code, pseudocode, mockups, and/or diagrams:

If I were to implement this, I'd most likely write a wrapper around an existing C or C++ JWT API like libjwt or something if possible (I haven't worked in the Godot codebase enough to register whether it is). I would probably have one class similar to how the existing JSON class works, where there would be two static functions. One of which would decode (with verification being done by default) a JWT token given the token, the JWT algorithm being used (i.e. RS256 or HS256) and the secret/public key, and the other of which would create such a token with similar parameters (except it would take a Dictionary and spew out a JWT token in the form of a String).

If this enhancement will not be used often, can it be worked around with a few lines of script?:

Yes, but not natively in GDScript. For example, what I am doing right now is executing a separate python script on the server using OS.execute funnelling in the JSON data through command-line arguments and then extracting the JWT string via the command line. It works, but is a bit cumbersome and only works on systems that have Python and the requisite JWT library installed.

Is there a reason why this should be core and not an add-on in the asset library?:

It would pair well with JSON and serve as an easy way built into the engine to quickly exchange information that's verified to come from a trusted source, and thus could even possibly be used for passing serialized Variant objects over the network in a trusted and secure way.

@bojidar-bg

From what I can see, general-case JWT can be implemented using:

  • JSON serialization (to generate the header and payload)
  • Base64URL encoding (to encode the header and payload)
  • String concatenation (to concatenate the two with a dot in the middle)
  • SHA256-HMAC (to compute the signature, which is later concatenated with the rest)

There are some extensions which allow for using another function for signing the data, such as RSA+SHA256 or ECDSA+SHA256 or many others (e.g. based on other SHA functions).

Since the signature is generated and validated by the same entity, the server, JWT support does not need to include all of those algorithms.


JSON serialization and String concatenation are already present in the engine and exposed to GDScript.

Base64URL encoding is not implemented in Godot, though Base64 encoding is. The only difference between the two is that Base64URL uses - and _ instead of + and /, and removes the padding of = signs at the end. Similarly to what is typically done in JavaScript, one can easily use Base64 and string replacement to get Base64URL-encoded data.

The main missing link would be HMAC (#1098), RSA (already exists as CryptoKey, no proposal to allow signing data), or ECDSA (not implemented yet, no proposal either). In addition, SHA384, SHA512, or their HMAC variants could be used to cover the optional cases in RFC7518.
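The construction bojidar-bg lists above (compact JSON, Base64URL derived from plain Base64 by character replacement and padding removal, dot-joined header and payload, HMAC-SHA256 over that string) and the two-function create/decode-with-verification shape InsightGit sketched in the proposal fit in a few dozen lines. The following is an added example, not code from this issue or from Godot; it is written in Python, which is what the proposal's current workaround already shells out to, rather than GDScript, because it can be run as-is. The secret and payload values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # Base64URL is Base64 with '+' -> '-', '/' -> '_' and the trailing '=' padding removed
    return (
        base64.b64encode(data).decode("ascii")
        .replace("+", "-").replace("/", "_").rstrip("=")
    )


def b64url_decode(text: str) -> bytes:
    # Restore padding so the length is a multiple of 4, then undo the alphabet swap
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded.replace("-", "+").replace("_", "/"))


def _compact_json(obj: dict) -> bytes:
    # Compact separators keep the token small; sorted keys make output deterministic
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def jwt_encode(payload: dict, secret: bytes) -> str:
    """Create an HS256 token: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_decode(token: str, secret: bytes) -> dict:
    """Verify an HS256 token and return its payload; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token's own header
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how much of the MAC matched
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def verifies(token: str, secret: bytes) -> bool:
    """Convenience wrapper: True if the token verifies under `secret`, False otherwise."""
    try:
        jwt_decode(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed value, not a real key
    token = jwt_encode({"sub": "player-42", "role": "user"}, secret)
    print(token)
    print(jwt_decode(token, secret))
    # Editing the payload without the secret leaves the signature stale, so it is rejected
    h, _, s = token.split(".")
    forged = h + "." + b64url_encode(_compact_json({"sub": "player-42", "role": "admin"})) + "." + s
    print("forged token accepted:", verifies(forged, secret))
```

Two points a server-side verifier needs regardless of language: the accepted algorithm is fixed by the verifier rather than read from the token (so a header claiming `alg: none` or a different algorithm is refused outright), and the MAC comparison is constant-time. Both carry over directly to a GDScript port built on an HMAC primitive.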

@fire
Member

fire commented Jun 29, 2020

I had problems in my jwt implementation requiring random numbers, so that functionality was added.

@fire
Member

fire commented Jun 29, 2020

oidc.txt

This is my older sample that uses PowerShell, but random number generation was added.

@Faless

Faless commented Jun 30, 2020

Additional notes: Crypto.generate_random_bytes can be used to generate cryptographically sound random bytes; Crypto.sign and Crypto.verify have been added via godotengine/godot#39755.

@jonbonazza

This is too out of scope to be in core imo, however it would definitely be a useful plugin, without a doubt. As mentioned, once HMAC is in there, you should have everything needed to implement this in GDScript.

@Faless

Faless commented Jul 1, 2020

> This is too out of scope to be in core, however it would definitely be a useful plugin.

Agreed, and tbh it should already be possible to implement HMAC in GDScript too, but having that as an easy-to-use function Crypto.hmac (or probably its own HMACContext class) would be nice. I'm just afraid of bloating the engine a bit with functions that could be done in GDScript.

@jonbonazza

jonbonazza commented Nov 15, 2020

Update on this: the PR for HMAC is up. Going to begin working on a GDScript addon for JWX (JWTs, JWKs, JWE, JWS, etc.).
It will be 4.0 only though, at least for now, unless the Crypto PRs somehow get backported to 3.2.

It will also only support RS256 and HS256 as signing algorithms, as those are the only ones we have support for in the Crypto APIs.

@martijnbolt

Cool. Does this work when exporting to HTML5?

@jonbonazza

> Cool. Does this work when exporting to HTML5?

It should when it's finished, yes.

@Faless

Faless commented Jul 23, 2021

HMAC support is implemented in master, and backported to 3.x (3.4 beta). A specific JWT implementation should be done as a GDScript addon.

7 participants