Comments (6)
See commit 4e5d4d0, added JWTUtils.decodePayload - will this work for you?
from fusionauth-jwt.
Hi @Ostico
I think you're asking for how to decode the JWT w/out validation?
In addition to your example code, you can also use this method:
String accessToken = authResult.getAccessToken();
JWT jwt = JWT.getDecoder().decode(accessToken);
This is using the varargs version of the decode method.
public JWT decode(String encodedJWT, Verifier... verifiers)
Using this method, when 0 verifiers are provided, we will allow you to decode the JWT w/out verification. This way we know for sure the caller is asking us to decode the JWT w/out signature verification.
Let me know if I haven't answered your question.
from fusionauth-jwt.
Hi @robotdan, I already tried without verifiers, but I get an exception:
io.fusionauth.jwt.MissingVerifierException: No Verifier has been provided for verify a signature signed using [SHA256withRSA]
From the code it seems that it is not possible to decode a JWT when parts.length != 2, even if allowNoneAlgorithm is true:
private JWT validate(String encodedJWT, String[] parts, Header header, Verifier verifier, boolean allowNoneAlgorithm) {
...
}
from fusionauth-jwt.
Ah, ok, I see what you mean. Yeah, you're correct, we don't offer a way to decode the JWT w/out verification (at least not easily).
Would it help if I added a utility method to decode the payload? Would you also want the header?
For example, something like:
String accessToken = authResult.getAccessToken();
JWT jwt = JWTUtils.decodePayload(accessToken);
This method would not perform any validation, it would only read the JSON and return a JWT object.
This would more/less do the same thing you're doing already:
byte[] payload = Base64.getUrlDecoder().decode( authResult.getAccessToken().split( "\\." )[ 1 ] );
JWT jwt = Mapper.deserialize( payload, JWT.class );
from fusionauth-jwt.
Yes, it is perfect. The header is not so important in my opinion.
Thank you.
from fusionauth-jwt.
Great, thanks for the feedback. I also added JWTUtils.decodeHeader if that is of use.
Released and available in version 3.0.2.
from fusionauth-jwt.
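Added example, not code from the thread or from the fusionauth-jwt project: it contrasts JWTUtils.decodePayload, which performs no validation, with decode called with a Verifier, on a token whose payload was changed after signing. It assumes fusionauth-jwt 3.0.2 or later on the classpath; the class name, HMAC secret, issuer and subjects are constructed sample values.

```java
import io.fusionauth.jwt.InvalidJWTSignatureException;
import io.fusionauth.jwt.JWTUtils;
import io.fusionauth.jwt.Signer;
import io.fusionauth.jwt.Verifier;
import io.fusionauth.jwt.domain.JWT;
import io.fusionauth.jwt.hmac.HMACSigner;
import io.fusionauth.jwt.hmac.HMACVerifier;

import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Base64;

public class UnverifiedDecodeDemo {
  public static void main(String[] args) {
    // Constructed sample key and claims, for illustration only.
    String secret = "constructed-demo-secret-0123456789abcdef";
    Signer signer = HMACSigner.newSHA256Signer(secret);
    Verifier verifier = HMACVerifier.newVerifier(secret);

    JWT original = new JWT().setIssuer("issuer.example")
                            .setSubject("user-1")
                            .setExpiration(ZonedDateTime.now(ZoneOffset.UTC).plusMinutes(5));
    String token = JWT.getEncoder().encode(original, signer);

    // Rewrite the subject in the payload segment and keep the original signature.
    String[] parts = token.split("\\.");
    String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    String altered = json.replace("user-1", "user-2");
    String alteredToken = parts[0] + "."
        + Base64.getUrlEncoder().withoutPadding().encodeToString(altered.getBytes(StandardCharsets.UTF_8))
        + "." + parts[2];

    // decodePayload only parses the JSON, so the altered claim comes back unchallenged.
    System.out.println("unverified sub = " + JWTUtils.decodePayload(alteredToken).subject);

    // decode with a Verifier checks the signature and rejects the same token.
    try {
      JWT.getDecoder().decode(alteredToken, verifier);
      System.out.println("verified decode accepted the altered token (unexpected)");
    } catch (InvalidJWTSignatureException e) {
      System.out.println("verified decode rejected the altered token");
    }

    // The untouched token passes verification, so its claims can be relied on.
    System.out.println("verified sub = " + JWT.getDecoder().decode(token, verifier).subject);
  }
}
```

Claims obtained from decodePayload should be treated as untrusted input until the same token has passed decode with a Verifier.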