Ability to inspect body of signed JWT

See original GitHub issue

When attempting to read the body of a signed jwt without setting a key, an IllegalArgumentException is thrown. For example: Jwts.parser().parseClaimsJws(someJwtString).getBody().get("iss"). This makes sense, as it prevents users from ignoring signatures when they shouldn’t. However, sometimes it is useful to know some fields of the body before checking the signature. For example, if there are several possible issuers to a token, each with different signing keys or signature mechanisms. Addition of a method like parseUnsafe would grant the ability to inspect the body as well as alert the user (through the name) of the danger of the method. The user could then go back and parse the jwt as normal with signature checking.

Issue Analytics

  • State:closed
  • Created 8 years ago
  • Comments:6 (3 by maintainers)

Top GitHub Comments

4 reactions
lhazlewood commented, Feb 10, 2016

// Strip the signature segment so the token parses as an unsigned JWT (contents are NOT verified)
int i = jws.lastIndexOf('.');
String withoutSignature = jws.substring(0, i + 1);
Jwt<Header, Claims> untrusted = Jwts.parser().parseClaimsJwt(withoutSignature);

That should work until we figure out a way to (safely) make this available in the library.

1 reaction
josebarrueta commented, Nov 20, 2015

With the JJWT library you can already do this in a secure way, by setting a SigningKeyResolver

SigningKeyResolver resolver = new MySigningKeyResolver();

Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(resolver).parseClaimsJws(compact);

The signature is still validated, and the JWT instance will still not be returned if the jwt string is invalid, as expected. You just get to ‘see’ the JWT data for key discovery before the parser validates.

A small sample of how to use it and look for the JwsHeader and/or Claims:

Jws<Claims> jws = Jwts.parser()
    .setSigningKeyResolver(new SigningKeyResolverAdapter() {
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            // inspect the header or claims, look up and return the signing key
            String keyId = header.getKeyId(); // or any other field that you need to inspect
            return getSigningKey(keyId);      // implement me
        }
    })
    .parseClaimsJws(compact);
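The scenario from the issue (several possible issuers, each with its own signing key) carried through to a complete program, as an added example that is not part of the GitHub thread or of the JJWT project. It assumes the JJWT 0.9-era API used in the comments above (Jwts.parser(), setSigningKeyResolver, SignatureAlgorithm, SigningKeyResolverAdapter); the issuer names and HMAC secrets are constructed sample values. The resolver picks the key from the not-yet-verified iss claim, and the parser then verifies the signature with that key before any Jws is returned, so a token whose iss does not match the key that actually signed it is rejected rather than trusted.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class MultiIssuerJwsDemo {

    // Constructed sample secrets, one per trusted issuer (hypothetical values; HS256 needs >= 32 bytes)
    private static final Map<String, byte[]> ISSUER_KEYS = new HashMap<>();
    static {
        ISSUER_KEYS.put("https://issuer-a.example",
                "issuer-a-shared-secret-0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        ISSUER_KEYS.put("https://issuer-b.example",
                "issuer-b-shared-secret-fedcba9876543210".getBytes(StandardCharsets.UTF_8));
    }

    // The parser hands this resolver the decoded but not yet verified header and claims,
    // then verifies the signature with whatever key bytes are returned.
    static final class IssuerKeyResolver extends SigningKeyResolverAdapter {
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            String issuer = claims.getIssuer();
            byte[] key = ISSUER_KEYS.get(issuer);
            if (key == null) {
                // Unknown issuer: fail closed instead of falling back to a default key
                throw new JwtException("untrusted issuer: " + issuer);
            }
            return key;
        }
    }

    // Returns a Jws only if the signature verified against the key chosen by the resolver.
    static Jws<Claims> parseTrusted(String compact) {
        return Jwts.parser()
                .setSigningKeyResolver(new IssuerKeyResolver())
                .parseClaimsJws(compact);
    }

    // Demo helper: report acceptance or the rejection reason.
    static String describe(String compact) {
        try {
            Claims claims = parseTrusted(compact).getBody();
            return "ACCEPTED iss=" + claims.getIssuer() + " sub=" + claims.getSubject();
        } catch (JwtException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String validA = Jwts.builder()
                .setIssuer("https://issuer-a.example").setSubject("alice")
                .signWith(SignatureAlgorithm.HS256, ISSUER_KEYS.get("https://issuer-a.example"))
                .compact();
        String validB = Jwts.builder()
                .setIssuer("https://issuer-b.example").setSubject("bob")
                .signWith(SignatureAlgorithm.HS256, ISSUER_KEYS.get("https://issuer-b.example"))
                .compact();
        // Claims issuer B but was signed with A's key: iss is covered by the signature,
        // so verification with B's key fails and the token is rejected.
        String mismatched = Jwts.builder()
                .setIssuer("https://issuer-b.example").setSubject("carol")
                .signWith(SignatureAlgorithm.HS256, ISSUER_KEYS.get("https://issuer-a.example"))
                .compact();
        // Issuer not in the trusted map: the resolver refuses before any verification
        String unknownIssuer = Jwts.builder()
                .setIssuer("https://nobody.example").setSubject("dave")
                .signWith(SignatureAlgorithm.HS256, ISSUER_KEYS.get("https://issuer-a.example"))
                .compact();

        System.out.println(describe(validA));
        System.out.println(describe(validB));
        System.out.println(describe(mismatched));
        System.out.println(describe(unknownIssuer));
    }
}
```

Compared with stripping the signature and calling parseClaimsJwt, this keeps every claim you read behind a completed signature check: the resolver sees the issuer only for key selection, and the application code never receives claims from a token whose signature did not verify.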