How can I get Claims from a JWT?

java jwt jose4j
Chaos Rules picture Chaos Rules · Feb 7, 2017 · Viewed 11.4k times · Source

I need to extract claims from a JWT.

It seems that this should be a no-brainer.

It was signed, from the header I get:

{
  "alg": "RS256",
  "typ": "JWT"
}

JWT:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYXJrLnN0YW5nQGRoaWdyb3VwaW5jLmNvbSIsInNjb3BlIjpbIm9wZW5pZCJdLCJyb2xlcyI6WyJKT0JTRUVLRVIiXSwiam9ic2Vla2VySWQiOiJ3TDFkTWdQckZWOUl5dEZZIiwiZXhwIjoxNDg4Mzk1ODE5LCJhdXRob3JpdGllcyI6WyJKT0JTRUVLRVIiXSwianRpIjoiNWRiYjNkYzQtNGI3NC00MDYyLTgzMmQtYjE1MTgwYWZhZjllIiwiY2xpZW50X2lkIjoiZWZjIn0.NxiF4x39na3KdDUFz2zxqy1zSfJkj4FdKHflpgJUxzMgBq8bbJIFVkmwAUYA6_YXm6kGFcyTMgdiRIJpqc5buDPdV1vkzh4QKFTxMz9MF4i3vtIQ21Vm5W12KikWdWGGUXMD4udJwu7rmuIBtNIa-ciZOPADNrrXfuw7iML1xxAA-C0f4OTbiKqiXr3QEUZwcqZB17qfh_dVRRxgO-_uHUg84JDcpXEDQPzPWX68u1EHH4J6IcpMKn1VY9k3RcZU6pq-ndzQgBlKdVm2owA6i-UM9p1zSz7ZX_2wx0czEEcNF1rMdeIv5yxP9YEpWb14-GUG4qgpn_rAIQBJ7eu7xw

It decodes on the jwt.io site just fine, but since I don't have the "secret" key, it comes up as "invalid signature". Which is fine, I am not trying to validate it.

All I want is the claims but when I use a Java library to decode it I get nothing but errors.

If I decode it manually (i.e. split/base64 decode) it is fine.

So, what am I doing wrong with the Java libraries?

Answer

cassiomolin picture cassiomolin · Feb 7, 2017

Once the question is tagged with , I understand you are using jose4j for parsing JWT tokens.

In this situation, you can invoke setSkipSignatureVerification() from the JwtConsumerBuilder. It allows you to parse the claims without validating the signature:

JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                                  .setSkipSignatureVerification()
                                  .build();
                                                  
JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);

Related questions

Parser exception in JWT when encryption and signing is enabled

I'm new to JWT, learning through standalone code to understand JWT API's. Below code sign and encrypt JWT token from sender's end and it get validated at receiver's end. Library: JOSE 0.4.1 package com.one00bytes.jwt; public class JWTSignEncryption { public …

Read More
How to make HMAC_SHA256 key from secret string to use it with JWT in jose4j?

I want to produce JWTs and sign them with HMAC_SHA256. For that task I must use jose4j. I have tried to generate key based on secret with: SecretKeySpec key = new SecretKeySpec(("secret").getBytes("UTF-8"), AlgorithmIdentifiers.HMAC_SHA512); but …

Read More
How do I decode a JWT token using an RSA public key in PEM format?

My Java application is receiving a JWT. I have the public key in PEM format: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAixn0CGu8/M4txn4pdp8K m8RQfVa+cHX25/a5sPmzP49u7YlQsRvtOexzgdwDcfUJm3hHMZcbZBtrHKsS8q4Q QtGQioyVml8EaLuFNFYisaIEldVyRbXFG54FNp03…

Read More