1

I am following the docs at Weebly to configure-oauth.

But, adding the :jwt to the manage_app_url does not work. The token is never replaced with jwt, it's simply appended to the end as usual - leaving the token also as a part of the url.

i.e., doing this in the manifest.json: "manage_app_url": "https://www.example.com/thepage.php?manage=yes&jwt=:jwt",

Returns: https://www.example.com/thepage.php?manage=yes&jwt=:jwt?thejwtstring Token is never replaced...

Anyone know why doing what the docs say doesn't work? What am I doing incorrectly?

Bill

3 Answers

0

I'm quoting from https://stackoverflow.com/a/40920748/3925032 but answering here because the questions aren't quite the same.

You don't need :jwt in the Manifest. On the page of your website that you have set for the manage_app_url you would listen for jwt because, as you noted, it gets appended to it.

*You can also use "oauth_final_destination" : "manage", if you want them to end up on your site after the install.

```json
{
  "manifest": "1",
  "version": "1.1.1",
  "client_id": "123456789101112",
  "callback_url": "https://www.your-domain.com/callback.php",
  "scopes": ["read:site", "write:site"],
  "manage_app_url": "https://www.your-domain.com/manage.php",
  "oauth_final_destination": "manage",
  "locale": {
    "default": "en-us",
    "supported": ["en-us"]
  },
  "webhooks": {
    "callback_url": "https://www.your-domain.com/webhooks.php",
    "events": ["app.uninstall", "site.publish", "site.delete"]
  },
  "snippet": "files/assets/snippet.tpl"
}
```


On the manage_app_url page of your site you would do:

```php
<?php
require('firebase/src/JWT.php');
use \Firebase\JWT\JWT;

if (isset($_GET['jwt'])) {
    $app_client_id = "Your APP ID";
    $client_secret = "Your APP SECRET";
    $jwt = $_GET['jwt'];

    /**
     * You can add a leeway to account for clock skew between
     * the signing and verifying servers. It is recommended that this leeway should not be bigger than a few minutes.
     * Source: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
     */

    try {
        JWT::$leeway = 60; // $leeway in seconds
        // The third argument pins the accepted algorithm to HS256.
        // php-jwt 6.x and later take new Key($client_secret, 'HS256') as the second argument instead.
        $decoded = JWT::decode($jwt, $client_secret, array('HS256'));
        if (!empty($decoded)) {
            $decoded_array = (array) $decoded;
            // Continue with your websites code to verify the Weebly users info
            // $decoded_array['user_id'];
            // $decoded_array['site_id'];
            // $decoded_array['iat'];
            // $decoded_array['jti'];
            // $decoded_array['callback_url'];
        }
    } // END TRY
    catch (InvalidArgumentException $e) {
        echo $e->getMessage();
    }
    catch (UnexpectedValueException $e) {
        // Signature, expiry and not-before failures in php-jwt extend this class
        echo $e->getMessage();
    }
    catch (DomainException $e) {
        echo $e->getMessage();
    }
} // END IF ISSET JWT
```
Jeffrey Kastner
0

Unfortunately you're not actually understanding the question. It is not a matter of if the :jwt is needed, but rather that it appears not to work as documented.

The answer to this issue is this: It does not work when installing as a draft app; however, when accessing the "manage app" link through the app interface, it is correct, i.e., the :jwt is replaced with the proper url.

So the issue is in the installing of a draft app, and not in the actual managing of the app through the front facing interface.

The documentation is correct for the end result, but not for installing as a draft app. This is the actual documentation....

NOTE: Weebly automatically appends the JWT string to the end of the URL, including any necessary operands (like ? and &). If you want the JWT to be placed in a specific part of the URL, you can use :jwt, and Weebly will replace that with the JWT (without adding any operands - you'll need to include those).

Bill
0

Bill, you're right, it's a problem from Weebly so you cannot fix it. :jwt is replaced fine when someone clicks the Manage link from the App manager menu, but it isn't replaced properly when it comes from the OAuth process.

I faced the same issue a couple of days ago, and simply removing the :jwt and letting Weebly append it at the end of the URL works for me.

I hope it works for you as well; otherwise I suggest you contact Weebly dev support at dev-support@weebly.com and report this problem.

Hossein
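
A defensive way to handle both URL shapes discussed in this thread, as an added example that is not part of the original posts or Weebly's code: it locates the JWT in the raw query string whether `:jwt` was replaced or the token was appended after the unreplaced placeholder, then verifies the HS256 signature against the client secret. The function names, secret, claims and query strings are constructed for illustration, and HS256 with the client secret is assumed from the `JWT::decode()` call in the first answer.

```php
<?php
// Added example: constructed secret, claims and query strings; not Weebly's code.
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode(strtr($s, '-_', '+/') . $pad, true);
}
// Pull a compact JWT out of the raw query string wherever it ended up.
// A JSON-object header always base64url-encodes to a string starting "eyJ".
function extract_jwt(string $query): ?string {
    $re = '/eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/';
    return preg_match($re, $query, $m) ? $m[0] : null;
}
// Verify an HS256 token; returns the claims array, or null on any failure.
function verify_hs256(string $jwt, string $secret, int $leeway = 60): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm: never let the token's own "alg" choose the check.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') return null;
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, b64url_decode($s))) return null; // constant-time compare
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) return null;
    // Reject tokens issued in the future beyond the allowed clock skew.
    if (isset($claims['iat']) && $claims['iat'] > time() + $leeway) return null;
    return $claims;
}
// --- Constructed demo data ---
$secret = 'constructed-demo-secret';
$body = b64url_encode('{"alg":"HS256","typ":"JWT"}') . '.' .
        b64url_encode(json_encode(['user_id' => '1', 'site_id' => '2', 'iat' => time()]));
$token = $body . '.' . b64url_encode(hash_hmac('sha256', $body, $secret, true));
$queries = [
    'manage=yes&jwt=' . $token,           // :jwt replaced as documented
    'manage=yes&jwt=:jwt?' . $token,      // shape reported in the question
    'manage=yes&jwt=:jwt',                // placeholder only, no token present
    'manage=yes&jwt=' . $token . 'AAAA',  // signature altered
];
foreach ($queries as $q) {
    $jwt = extract_jwt($q);
    $claims = $jwt === null ? null : verify_hs256($jwt, $secret);
    echo ($claims ? 'accepted site_id=' . $claims['site_id'] : 'rejected') . '  <- ' . substr($q, 0, 24) . "\n";
}
```

On a real manage_app_url page, pass `$_SERVER['QUERY_STRING']` to `extract_jwt()` and treat a null result from either function as an unauthenticated request.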