
Add jwt as a property of JwtExceptions

See original GitHub issue

When you try to parse the claims of a JWT, even when it fails validation, there may be instances where you would want to still read the claims.

Talking with @lhazlewood today, we came up with the following idea: adding the parsed JWT as a property of JwtException, so you could do something like:

try {
    Jwts.parser().setSigningKey(key).parseClaimsJws(compactJws);
    // OK, we can trust this JWT
} catch (ExpiredJwtException e) {
    // don't trust the JWT!
    // proposed: the exception carries the parsed (but rejected) JWT
    String subject = e.jwt.getBody().getSubject();
    System.out.println("Error: " + subject + "'s jwt failed validation");
}

This would solve the #86 use case.

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 2
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

1 reaction
runnermann commented, Jan 2, 2021

Hello, we are running into the same issue while attempting to parse claims from an expired token. We need a way to ignore that a token has expired, and allow other exceptions to be thrown. This helps to ensure that a token is from the correct originator, and allows us to use it, along with other validation information, to refresh for that user. Thanks for all of the hard work on this.

0 reactions
hertg commented, Sep 29, 2022

@bdemers thanks for the idea, I think I’ll go ahead with something like that.

import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Date;
import com.fasterxml.jackson.databind.JsonNode;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.FixedClock;

final String body = jwtString.split("\\.")[1];   // second segment of a compact JWS is the payload
// unpadded base64url is accepted by Java's URL decoder; the signature has NOT been checked at this point
final String jsonString = new String(Base64.getUrlDecoder().decode(body), StandardCharsets.UTF_8);
final JsonNode json = Json.parse(jsonString);    // any JSON helper that yields a Jackson JsonNode
final long seconds = json.get("iat").asLong();   // throws if "iat" is absent (see warning below)
JwtParser parser = Jwts.parserBuilder()
    .requireIssuer(...)
    .setSigningKeyResolver(...)
    .setClock(new FixedClock(Date.from(Instant.ofEpochSecond(seconds))))  // evaluate exp/nbf as of "iat"
    .build();

Warning: For anyone that wants to use that code, be aware that the iat claim is an OPTIONAL field per RFC7519. In my case I can rely on the iat being there because the ID Token I’m parsing has marked the iat claim as REQUIRED. Also, this doesn’t work with encrypted tokens for obvious reasons 😃
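Both approaches from this thread side by side, as an added example that is not part of the original issue or of the JJWT project's own code. It assumes JJWT 0.11.x (the parserBuilder/FixedClock API hertg's snippet uses), the getClaims() accessor that ExpiredJwtException inherits from ClaimJwtException, and that the parser verifies the signature before it evaluates "exp" (true of the DefaultJwtParser versions I know; confirm it for the version you deploy, because the whole point is that claims recovered from the exception have passed the signature check). The issuer string, the keys and the expired tokens are constructed test data.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.FixedClock;
import io.jsonwebtoken.security.Keys;

import java.time.Instant;
import java.util.Date;
import java.util.Optional;
import javax.crypto.SecretKey;

public class ExpiredClaimsExample {

    // Constructed value for the example; use your real issuer.
    static final String ISSUER = "https://issuer.example";

    /**
     * Parse normally and, if the ONLY failure is expiration, hand back the
     * claims carried by the exception. Any other failure (bad signature,
     * malformed token, ...) propagates as a JwtException, so the caller never
     * sees claims the key did not sign. Returns empty for a still-valid token.
     */
    static Optional<Claims> claimsIfOnlyExpired(String compactJws, SecretKey key) {
        try {
            Jwts.parserBuilder().setSigningKey(key).requireIssuer(ISSUER)
                .build().parseClaimsJws(compactJws);
            return Optional.empty();
        } catch (ExpiredJwtException e) {
            Claims claims = e.getClaims();
            // Assumption about parser ordering: the expiration check can fire
            // before requireIssuer() is evaluated, so re-check the issuer here
            // instead of trusting that the builder's expectation was enforced.
            if (!ISSUER.equals(claims.getIssuer())) {
                throw new JwtException("expired token from unexpected issuer: " + claims.getIssuer());
            }
            return Optional.of(claims);
        }
    }

    /**
     * hertg's alternative: evaluate the token as of a caller-chosen instant by
     * pinning the parser's clock. Every check still runs (signature, issuer,
     * exp/nbf relative to 'asOf'), so claims come back only if the token was
     * valid at that instant. The caller supplies 'asOf' (e.g. the token's iat).
     */
    static Claims claimsAsOf(String compactJws, SecretKey key, Instant asOf) {
        return Jwts.parserBuilder()
            .setSigningKey(key)
            .requireIssuer(ISSUER)
            .setClock(new FixedClock(Date.from(asOf)))
            .build()
            .parseClaimsJws(compactJws)
            .getBody();
    }

    /** Mints a one-hour token issued at 'issuedAt' (constructed test input). */
    static String mintToken(SecretKey key, String subject, Instant issuedAt) {
        return Jwts.builder()
            .setIssuer(ISSUER)
            .setSubject(subject)
            .setIssuedAt(Date.from(issuedAt))
            .setExpiration(Date.from(issuedAt.plusSeconds(3600)))
            .signWith(key)
            .compact();
    }

    public static void main(String[] args) {
        SecretKey ourKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        SecretKey attackerKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        Instant issuedAt = Instant.now().minusSeconds(7200); // iat 2h ago, so exp was 1h ago

        String expired = mintToken(ourKey, "alice", issuedAt);

        // 1) Expired but genuinely ours: claims are recoverable for a refresh decision.
        Claims recovered = claimsIfOnlyExpired(expired, ourKey).orElseThrow();
        System.out.println("expired token for " + recovered.getSubject()
            + ", issued " + recovered.getIssuedAt());

        // 2) Expired AND signed with the wrong key: no claims, just a JwtException.
        String forged = mintToken(attackerKey, "alice", issuedAt);
        try {
            claimsIfOnlyExpired(forged, ourKey);
            System.out.println("BUG: forged token accepted");
        } catch (JwtException e) {
            System.out.println("forged token rejected: " + e.getClass().getSimpleName());
        }

        // 3) hertg's pinned-clock variant, using the iat recovered in step 1.
        Claims asOfIat = claimsAsOf(expired, ourKey, recovered.getIssuedAt().toInstant());
        System.out.println("valid as of iat: " + asOfIat.getSubject());
    }
}
```

The catch-the-exception route costs one parse and relies on the parser's internal ordering, which is why the issuer is re-checked by hand; the pinned-clock route runs the full check set but needs the caller to pick the instant, and hertg's warning applies: if you derive it from "iat", that claim is optional in RFC 7519 and must be required by your token profile.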
