
It is not possible to get the claims and the JWT parameters without verify #5

Closed
Ostico opened this issue Feb 21, 2019 · 6 comments

@Ostico

Ostico commented Feb 21, 2019

A verifier is mandatory to get access to the JWT fields, but if I'm on the client side and I want to read information from the JWT, it is not possible to decode the payload without verification:

byte[] payload = Base64.getUrlDecoder().decode( authResult.getAccessToken().split( "\\." )[ 1 ] );
JWT jwt = Mapper.deserialize( payload, JWT.class );

Some helpers could be useful.

@robotdan
Member

Hi @Ostico

I think you're asking for how to decode the JWT w/out validation?

In addition to your example code, you can also use this method:

String accessToken = authResult.getAccessToken();
JWT jwt = JWT.getDecoder().decode(accessToken);

This is using the varargs version of the decode method.

public JWT decode(String encodedJWT, Verifier... verifiers)

Using this method, when 0 verifiers are provided, we will allow you to decode the JWT w/out verification. This way we know for sure the caller is asking us to decode the JWT w/out signature verification.

Let me know if I haven't answered your question.

@robotdan robotdan self-assigned this Feb 21, 2019
@Ostico
Author

Ostico commented Feb 22, 2019

Hi @robotdan, I already tried without verifiers, but I get an exception:
io.fusionauth.jwt.MissingVerifierException: No Verifier has been provided for verify a signature signed using [SHA256withRSA]

throw new MissingVerifierException("No Verifier has been provided for verify a signature signed using [" + header.algorithm.getName() + "]");

From the code it seems that it is not possible to decode a JWT when parts.length != 2:

even if allowNoneAlgorithm is true:

private JWT validate(String encodedJWT, String[] parts, Header header, Verifier verifier, boolean allowNoneAlgorithm) {
...
}

@robotdan
Member

Ah, ok, I see what you mean. Yeah, you're correct, we don't offer a way to decode the JWT w/out verification (at least not easily).

Would it help if I added a utility method to decode the payload? Would you also want the header?

For example, something like:

String accessToken = authResult.getAccessToken();
JWT jwt = JWTUtils.decodePayload(accessToken);

This method would not perform any validation, it would only read the JSON and return a JWT object.

This would more/less do the same thing you're doing already:

byte[] payload = Base64.getUrlDecoder().decode( authResult.getAccessToken().split( "\\." )[ 1 ] );
JWT jwt = Mapper.deserialize( payload, JWT.class );
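A stand-alone illustration of what such a payload/header helper does, added here as an example and not fusionauth-jwt's own code: it uses only the JDK, builds a sample token inline, and enforces the three-segment structure before base64url-decoding. The class name `UnverifiedJwtReader` and the constructed token are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not fusionauth-jwt code: read the header and payload of a compact
// JWS without checking the signature. Everything returned here is untrusted input
// until a Verifier has validated the signature, so treat it as display-only data.
public class UnverifiedJwtReader {

  public static final class Parts {
    public final String headerJson;
    public final String payloadJson;
    public final String signature; // kept as base64url text, never interpreted here
    Parts(String h, String p, String s) { headerJson = h; payloadJson = p; signature = s; }
  }

  public static Parts read(String encodedJwt) {
    // A signed JWT has exactly three base64url segments: header.payload.signature.
    // Limit -1 keeps a trailing empty segment, so an unsecured "alg":"none" token
    // of the form header.payload. still counts as three segments; "a.b" does not.
    String[] parts = encodedJwt.split("\\.", -1);
    if (parts.length != 3) {
      throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
    }
    // The JDK URL decoder accepts unpadded input, which is what JWTs use.
    Base64.Decoder decoder = Base64.getUrlDecoder();
    String header = new String(decoder.decode(parts[0]), StandardCharsets.UTF_8);
    String payload = new String(decoder.decode(parts[1]), StandardCharsets.UTF_8);
    return new Parts(header, payload, parts[2]);
  }

  public static void main(String[] args) {
    // Constructed sample token: realistic header and claims, dummy signature bytes.
    Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
    String header = enc.encodeToString(
        "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    String payload = enc.encodeToString(
        "{\"sub\":\"user-123\",\"exp\":1550000000}".getBytes(StandardCharsets.UTF_8));
    String signature = enc.encodeToString(new byte[] {1, 2, 3});
    String token = header + "." + payload + "." + signature;

    Parts parts = read(token);
    System.out.println("header  : " + parts.headerJson);
    System.out.println("payload : " + parts.payloadJson);
    // Nothing read this way (the alg header included) has been verified; any
    // authorization decision must go through decode(token, verifier) with a real Verifier.
  }
}
```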

@robotdan
Member

See commit 4e5d4d0, added JWTUtils.decodePayload - will this work for you?

@Ostico
Author

Ostico commented Feb 23, 2019

Yes, it is perfect. The header is not so important in my opinion.
Thank you.

@robotdan
Member

Great, thanks for the feedback. I also added JWTUtils.decodeHeader if that is of use.
Released and available in version 3.0.2.
