New to JWT
I want to verify my string token which is generated as below
String productkey:which is signed and encoded format.
String publickey:Generated key from simmulator and store as string
JWSVerifier verifier= new ECSDVerifier(ECKey.parse(publickey))
Boolean test=verifier.verify(productkey);
Please suggest which appropriate method I have to used.
If you are new to JWT, I would suggest you to use JJwt API. You can easily sign your tokens and verify them.
Snippet to generate JWT token:
Jwts.builder()
.setClaims(payload)
.setExpiration(expiryDate)
.signWith(SignatureAlgorithm.RS256, privateKey )
.compact();
Snippet to verify the token with public key:
Jwts.parser()
.setSigningKey(publicKey )
.parseClaimsJws(jwtToken)
JJwt Maven/Gradle link
Hope this helps.
Related
This question already has answers here:
Why JSON Web Token (JWT) Decrypt with out knowing Secret Key
(2 answers)
Closed last month.
this is a simple function to create jwt token based on id
createAccessToken(id: string) {
const token = sign({ id }, process.env.JWT_SECRET, { expiresIn: '1d' });
return token;
}
now when I give the token to https://jwt.io/ without specifing the secretkey the website can still decrypt it
how can this be possible?
JWTs are not encrypted, but basically just base64 encoded, cf. RFC 7519.
As you can see on https://jwt.io/, you need to provide the secret key if you want to verify the signature.
I use the /auth/realms//protocol/openid-connect/certs endpoint and hardcode the x5c public key returned from this endpoint to try to get this code working (wrapped in BEGIN RSA/END RSA tags) like so:
let x5c = "MIICnTCCAYUCBgF9TkI2ijANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdldmlkZW5zMB4XDTIxMTEyMzE5MjMyMVoXDTMxMTEyMzE5MjUwMVowEjEQMA4GA1UEAwwHZXZpZGVuczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALgx8kfUyhUz6146LcXJHykE5d/kfkJGHZ1+AH4wfk0Z1rGeNqRUH7bllutre2xrq/EfuKGkuUul8uf7WH3GTyOFJyr1MECnzilYdN8onobpVHXr3SwANCACMsh6tFc6oiQT0XEt1ovzTzB6vxA6qmmsdLPG9giJ9eNqJNHHQiIJosF3yBBoNFDiQDonRNdWNQz5JVxbsdIOhFrdD+mDU0ry9FIs6qMAvD84QVBOzJr/IOCdSy3bfWYyAUsLHqoJbytAzl5EgjVSU2UT+HLs7M2wfZoRGITztmvkcPjqd7PnSOuuAimonwP7uKHtvG+edRabyHaBDSemEA1LUs7+FGkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAIh4QCe6Y3fJtDV6nBi/E3CGo/SIjDCmNnOV413QtmwODZSWFqo6pxs2fJoDb8jIkTf+l8/bI+mKEesXK1CptBpXXyo7Il0jhk5M0c1VT7EkLa/jkVFNr0CoB3UmH56/29Qp8+Xr8TaejGjgS8HoxAMpSFrtjPlKElCcy8dVQgRMxFonry5Iipd4vutc8Afe/GLzJew0IJ5Az1VUum3bJD0IfeecB8F+YOMmaET0oJIQyfdUxVI985Ui30q4K8/p34+WqwvNy2x4vuulvDVRBsHG64PStzhqZQfsfi59lOps4WvYlQ1JEHTu3acZMyTzij6wrVTAFoh1C3FptZ0wPoQ==";
let pemEncoded = `-----BEGIN RSA PUBLIC KEY-----\n${x5c}\n-----END RSA PUBLIC KEY-----\n`;
const payload = verify(token, pemEncoded, { "algorithms": ["RS256"] }));
But I don't think I've got correct PEM and I've been at it all day trying to find how to setup this certificate for verification. The error says "error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag". The token is valid, but it doesn't like my certificate. Any idea what I've got wrong here?
What's the correct way to pass this certificate to the jsonwebtoken.verify method in this case? Thanks!
That is certificate, so:
let pemEncoded = `-----BEGIN CERTIFICATE-----\n${x5c}\n-----END CERTIFICATE-----\n`;
I configured Hydra to return JWT in access_token (STRATEGIES_ACCESS_TOKEN=jwt). Pasting the resulting token[1] in jwt.io works—it's decoded successfully and the data looks right. Now I want to verify the signature.
So I open http://localhost:9000/.well-known/jwks.json and extract the public RSA keys[2][3], but none of them works—jwt.io gives me "Invalid Signature".
FYI the same error is also thrown by FusionAuth JWT library. My Scala code to get the keys:
private val hydraVerifiers = {
val keys = retrieveKeysFromJWKS("http://localhost:9000/.well-known/jwks.json")
keys.asScala.map(JSONWebKey.parse).map(_.asInstanceOf[RSAPublicKey]).map(RSAVerifier.newVerifier)
}.toSeq
(If you're not familiar with Scala/FusionAuth, the code above retrieves keys from a URL, parses them to java.security.PublicKey object, and creates JWT verifiers based on the public keys)
Any suggestions?
[1]
eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpjMzQ5NWJkMC0wZDFhLTRiOWMtOWZhNy1hZjE5ZWNlODMxMTEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJpZC5ldmVyeS5leHQuc3RlYW0iLCJleHAiOjE2Mjc3NTI0ODEsImV4dCI6e30sImlhdCI6MTYyNzc0ODg4MCwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo5MDAwLyIsImp0aSI6IjAxNjRkMzk4LTY4OWQtNDUzZi05YmMxLWVjYTgyMGJkOWY1OSIsIm5iZiI6MTYyNzc0ODg4MCwic2NwIjpbImVpZC5leHRlbmQiLCJvZmZsaW5lX2FjY2VzcyJdLCJzdWIiOiIweDMyY2ZkMSJ9.h2XUovsF7e5OI60BnKakbHVQJoNJmxQSsmLMy2MxyxFHQ4VMDdISPbkJVD5fsPCdLVw3RcggSid8S7fHJpDWqgJD0UP1WZBqlYN6E2FYs25QRsn8tvOlb9RqDAq1sqhSA1DhPCSsg0OB37gqQq4M8TjYfH0gqrj6oiU9YvgvlKU2Q7uaXfUjxWNkW_6KCZsdUSAGsHtIT18BWudcry7xafVsbrSdp7HkdRhbbdGCh9-q7lTWx6dJB5gOUTI4TYWCzOZnos48NilIhrk_sZ6V7qk6cxkmGVQflQZ9sLmHGewY6IF7j5OKBDcl-fNGfOyvhn2HkTGzTb_H1uB4dxm1NkopPf4dQHU4A63CnoJLqS_Rhg7aYvdcSyJTtiEGXOQjApP9QkawePsd7JYlSHE7XvYxW7frM0VVO04Fu8HjftMliYKXHct0w9bVeykwRGF_m63VGaain0DjE6H5UKLNdNQvg5r4Azu-hBiR5sH5cL6j26ffEx_P-XnIK5cHyX2A9GHk9V_p6_SiLtKpEuKO4sZPBU4zc6z0J1_aFn-AAtFRpKvHKAfUNCnVacEkXO4k6EfJ3qLkrF2KNIfYCqcTTFl8tPdmbb_n020xdCZNpVKPW_G9qRqpf7okwx9ppGO6OD__uIXNEOcuKD-9pVk2qsdl4RqHAvVO6GNurbcAXQU
[2]
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx33RsetBbPDnYSTJh6Y8esAxiqkWV5pawNUXoDvqZ46lPm1B2tTC0JDlpF5YmuoMEPIqFJJ5BiJpo8CN+5CGDnxSFfiamRomCa2ij6s+XmcPAC41POwpQn0+ijHd/wjh/lEFl+w6xhNhDoLTjxDYIDS8OQ5EhYH8vnHrNnOeh3X7f9kLC00M1S8f0uxbEzjqsfRjSUghIAn8NB3u/wj5/1G++guXDv8WRjadAWjzIhUy9MERIdhK6Mitp9xwPyXLFCQViYLeq9gTGYUqh4G9LzHPAlJW9qWwNM5ij3K+X4Qeu9jJaHCL2ZPywkSkoa6veDjnFs7uS695FqM+5NGyEWPeriCJ1zkL2n8PiGRDSk9jFlQi93+BFyIfUkTPD32CfLV5dYs+a3vV5Uy3cxC+JgxnqVlXY7k3MoaxU08oOMOuGNdCG9RoTtWuERtLa4wkGCKwfdnMzwhWQzKhQGPGRUTq+CxI4WCghfBfqBef74bldmmH/t42FfuCjWvVi6PlDi0YJtixrayJeVBy89dp0Xh1O+g4S9KRx5O1hiJPSNz6Q5O8lHSp4naQhsCGA53JoFofZSj9nBrL6o/Vlh0RPX0c9I2rpPr8YPGC3pxPvbMeP34hbW15F6JSSA9gACc+A2RYWhgZbR2QojJLhhQggSaWZ0g9TF+XG8WQsLISHDUCAwEAAQ==
[3]
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0+Xpe52O+qFGT4WHoJ2bsIC7/Vb51RulDKx/kNNchoERh1pg4TRL2WjXW7CK72CMz7cpNfsuxeC0RXLRMU+aAXyrsWkVm9u0IZsruOHOFjOeWFlqI5ZdnnkHYaH3GQhfXUcnJFQGHpzTn1hWlGT2UWuuSxqYcQ/SUeD7r5rvzOSAPAztLTAzsMmMrDPRz9KWDpmhLPh32WE903eooLAYsneNkGBvaWbc3PF+39P+5z730pWjgaeDsFHJug9c34AxmWP3NfudguW6/Ud9GR250iBHqPBcInafry9orWb+qndWXZLv74gCxovxdA0xuJnO+P/KeYZ5fCI4Lv8VT8H8ascy4LenUjyoR9dUsLpvOyYjNg7qPfZFyi0fN/feyh5M4MAkqPi3MmLzYWI9vlzmUBSzJ8TxHoonBHYIHwjif3ovRavmDSsuEQ2iZcz7P27hx569B50a66VUcXJVxoxSOgsjBD/WG6d97ACftZUaZxYk1SUrp5KGL1qoOlKGTDuIlJjP87/0Rg2TBMR8a6EdofSpAVC1RvB1AXupMK6xfMCRJzMAv4O54Y7esCT6u1hE/z9toQ5ArUPTg+rdskXg9eEQUaIykjJaxaFtzayCyhWFHBqdusZIDcU5e8lRaCzBXfMiXrlGj1E0wviynwfVf+Q8X/HZBXhEtlCfOm6ESe8CAwEAAQ==
I have a problem with JWT. If someone decompiles my APK, they can see the secret code I used to create my token. Example code, the code is secret:
String originalInput = "secret";
String encodedString =Base64Utils.encode(originalInput.getBytes());
String jwt = Jwts.builder().claim("emailId","test123#gmail.com").claim("user", "123456")
.claim("phoneNo", "1111111111")
.signWith(SignatureAlgorithm.HS256, encodedString)
.compact();
As there are a client (the APK) and a backend, you should use an asymmetric algorithm such as RS256, PS256 or ES256, not a symmetric one (HS256).
If the issuer of the token is your backend, you only need the public key on client side (your APK). This key can safely be shipped as it is public.
If the client is the issuer, key should not be shipped with your application but generated on the device and securely stored using the Keystore API (https://developer.android.com/training/articles/keystore). The associated public key should be sent to the backend. This means that each client has a uniquely generated private key.
I'm writing backend microservice that receives requests from front-end which have Authorisation: Bearer ... header, with token obtained from keycloak (which is inside docker container).
I got the RSA public key to verify the signature of that token from Keys section of realm settings, but it seems that when container with keycloak restarts, it regenerates pair of keys, and my public key set in service config becomes invalid.
What is the proper way to work with RSA public key from keycloak? Is there some way to configure it to use a fixed pair of keys for realm? Are keys exported when realm exports? Or I have to get the public key from keycloak using url like http://keycloak:8080/auth/realms/:realm_name:, which I rather not to do because this adds a dependency between keycloak and backend.
You should verify the JWT token's signature based on the issuer identity server's /.well-known/jwks endpoint.
1) Query the issuer identity server's /.well-known/jwks endpoint (JWKS stands for JSON Web Key Set)
2) From the JWKS, get the JWK (JSON Web Key) with the same kid (Key ID) as the Bearer token we are verifying. To get the kid from your JWT token, first decode it using jwt.io's Debugger tool.
3) As long as identity server-issued tokens are verified with an asymmetric cryptography algorithm (e.g.: RS256), we can verify the signature with the Public Key only (so you won't need the Private Key)
4) The Public Key can be retrieved from the JWK (it is the x5c entry in the JWK JSON )
5) Verify the JWT Bearer token's signature with this Public Key.
For example, in Java you can verify it like this:
// verify JWT signature based on Access Identity's JWKS RSA public key (RS256)
try {
Jwk jwk = new UrlJwkProvider(new URL(issuer + Constants.JWKS_ENDPOINT)).get(decodedJWT.getKeyId());
final PublicKey publicKey = jwk.getPublicKey();
if (!(publicKey instanceof RSAPublicKey)) {
throw new IllegalArgumentException("Key with ID " + decodedJWT.getKeyId() + " was found in JWKS but is not a RSA-key.");
}
Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) publicKey, null);
JWTVerifier verifier = JWT.require(algorithm)
.withIssuer(issuer)
.build(); //Reusable verifier instance
verifier.verify(bearerToken);
LOGGER.info("Token verified!");
} catch (Exception e) {
LOGGER.error(e.getMessage());
throw new InvalidAccessTokenException("JWTVerificationException - Invalid token signature.");
}