How to Validate JWT token signature with JSON Web Key Set

Posted by admin, in Javascript

We need two main libraries to validate the token signature with a JWKS:

  1. java-jwt library

     <dependency>
       <groupId>com.auth0</groupId>
       <artifactId>java-jwt</artifactId>
       <version>3.8.3</version>
     </dependency>

  2. jwks-rsa library

     <dependency>
       <groupId>com.auth0</groupId>
       <artifactId>jwks-rsa</artifactId>
       <version>0.9.0</version>
     </dependency>
    

Make sure both java-jwt and jwks-rsa (versions as above) are on the classpath before we start validating the signature with the JWKS.

Verifying JWT Token Signature

Using the following code we can validate the token signature (imports added so the snippet compiles as-is):

import java.security.interfaces.RSAPublicKey;
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

// token is the signed JWT string (compact JWS); decode() parses it but does not verify it
DecodedJWT jwt = JWT.decode(token);
// the provider appends /.well-known/jwks.json to this base URL; use https outside local tests
JwkProvider provider = new UrlJwkProvider("http://localhost:8080");
// look up the signing key in the JWKS by the token's "kid" header
Jwk jwk = provider.get(jwt.getKeyId());
// RS256 with the JWKS public key only; private key is null because we only verify
Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
// throws SignatureVerificationException if the signature does not match
algorithm.verify(jwt);

Before we start working with the code make sure you have a valid token; you can paste a test token (not a production one) into https://jwt.io/ to inspect its header and claims.

We will now go through the above code line by line.

DecodedJWT jwt = JWT.decode(token);

In the first line we use the Auth0 java-jwt library to decode the token, which gives us access to the header and payload. Note that decode() only parses the token; it does not check the signature, so nothing read from jwt can be trusted until the verification below has succeeded.

JwkProvider provider = new UrlJwkProvider("http://localhost:8080");

In the second line we point the provider at the base URL of the issuer. We do not need to pass the full path of /.well-known/jwks.json: the jwks-rsa library appends it and fetches the key set from there. Outside of a local test the URL should be https, because the key set fetched here is what every later signature check trusts.

Jwk jwk = provider.get(jwt.getKeyId());

At line three we look up the key by its "kid" (key ID), which we read from the header of the decoded token; you can print it with jwt.getKeyId(). The JWKS may contain several keys, and the kid tells us which of them signed this token.

Make sure the kid matches the one shown in the decoded header at https://jwt.io/. Remember that the kid is untrusted input until the signature has been verified, so use it only as a lookup key into the trusted key set, never to build a URL or file path.

Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);

At line four we build an RS256 Algorithm instance from the RSA public key, cast to RSAPublicKey, that we obtained from the JWKS entry with jwk.getPublicKey(); the second argument (the private key) is null because we only verify. Note that the public key comes from the JWKS endpoint, not from the token itself; trusting key material carried inside a token would let anyone sign their own tokens. Fixing the algorithm to RS256 on the verifying side also means a token whose header claims "alg": "none" or "HS256" cannot pass.


If the client provides the public key directly as a string (the Base64 body of an X.509 SubjectPublicKeyInfo, i.e. a PEM "PUBLIC KEY" block with or without its header and footer lines), we can also build the RSAPublicKey ourselves and pass it to the algorithm instead of fetching it from the JWKS:

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public static RSAPublicKey getPublicKey(String publicKey) {
    try {
        // strip optional PEM armor and whitespace so either form of the key is accepted
        String base64 = publicKey
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        byte[] encodedPublicKey = Base64.getDecoder().decode(base64);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(encodedPublicKey);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        return (RSAPublicKey) kf.generatePublic(spec);
    } catch (IllegalArgumentException | GeneralSecurityException e) {
        // do not return null here: a null key would make verification fail later with a NullPointerException
        throw new IllegalArgumentException("Invalid RSA public key", e);
    }
}

Finally, algorithm.verify(jwt) checks the signature: it throws SignatureVerificationException if the signature does not match the public key, and returns normally if it does. Note that this checks only the signature. The expiry (exp), issuer (iss) and audience (aud) claims are not checked here, so a correctly signed but expired token, or one issued for a different service, still passes. To check those as well, build a verifier with JWT.require(algorithm).withIssuer(...).withAudience(...).build() and call its verify(token) method, which throws JWTVerificationException on any failure.

Once the signature has been validated we can read the claims from the payload. The snippet below does this with the jjwt library (io.jsonwebtoken, a separate dependency that is not in the list above); it re-verifies the signature with the JWKS public key and returns the claims body:

Claims claims = Jwts.parser()
        .setSigningKey((RSAPublicKey) jwk.getPublicKey())
        .parseClaimsJws(token)
        .getBody();

With java-jwt alone the same data is available from the verified DecodedJWT, for example jwt.getSubject() or jwt.getClaim("name").asString().
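The signature check at the end of the walkthrough and the claim extraction just above can be done with java-jwt alone, on a single verified object. The following is an added example written for this edit, not code from the original post or from Auth0: it resolves the verification key per token through jwks-rsa's JwkProviderBuilder (with caching and rate limiting) and an RSAKeyProvider, pins RS256, and checks issuer, audience and expiry in one JWT.require(...) verifier before any claim is read. The issuer URL https://issuer.example.com, the audience my-api and the token passed on the command line are placeholders; a real deployment supplies its own.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

/**
 * Added example (not from the original post): full verification of an RS256 JWT
 * against a JWKS endpoint, checking signature, issuer, audience and expiry in one call.
 * The issuer, audience and token used in main() are assumed placeholders.
 */
public class JwksTokenValidator {

    private final JWTVerifier verifier;

    public JwksTokenValidator(String issuer, String audience) {
        // JWKS endpoint derived from the issuer base URL (/.well-known/jwks.json is appended).
        // Keys are cached so not every request hits the endpoint, and lookups are rate-limited
        // so a flood of tokens with unknown "kid" values cannot be used to hammer it.
        JwkProvider jwkProvider = new JwkProviderBuilder(issuer)
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();

        // Resolve the verification key per token from its "kid" header. The kid is untrusted
        // input until the signature checks out, so it is only used as a lookup key into the
        // trusted key set, never as a path or URL.
        RSAKeyProvider keyProvider = new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String keyId) {
                try {
                    Jwk jwk = jwkProvider.get(keyId);
                    return (RSAPublicKey) jwk.getPublicKey();
                } catch (JwkException e) {
                    // Unknown kid, unreachable endpoint or non-RSA key: the verifier rejects the token.
                    throw new IllegalStateException("No RSA key for kid " + keyId, e);
                }
            }

            @Override
            public RSAPrivateKey getPrivateKey() { return null; } // verify only, never sign

            @Override
            public String getPrivateKeyId() { return null; }
        };

        // Pinning RS256 here means tokens whose header says "alg": "none" or "HS256"
        // are rejected regardless of what they claim.
        this.verifier = JWT.require(Algorithm.RSA256(keyProvider))
                .withIssuer(issuer)
                .withAudience(audience)
                .acceptLeeway(30) // seconds of clock skew tolerated for exp/nbf/iat
                .build();
    }

    /** Returns the verified token, or throws JWTVerificationException on any failed check. */
    public DecodedJWT validate(String token) throws JWTVerificationException {
        return verifier.verify(token);
    }

    public static void main(String[] args) {
        // Placeholders (assumption): a real deployment supplies its own issuer, audience and token.
        JwksTokenValidator validator =
                new JwksTokenValidator("https://issuer.example.com", "my-api");
        String token = args.length > 0 ? args[0] : "<paste a token here>";
        try {
            DecodedJWT jwt = validator.validate(token);
            // Claims are read from the same object whose signature and claims were just
            // verified, so no second library is needed for the payload.
            System.out.println("subject = " + jwt.getSubject());
            System.out.println("expires = " + jwt.getExpiresAt());
            System.out.println("scope   = " + jwt.getClaim("scope").asString());
        } catch (JWTVerificationException e) {
            System.err.println("Rejected: " + e.getMessage());
        }
    }
}
```

Run it as java JwksTokenValidator <token> after pointing the issuer and audience at your own identity provider. Because the verifier checks the signature, algorithm, issuer, audience and time claims together, callers only need to catch JWTVerificationException; there is no window in which a decoded-but-unverified token is handled as trusted data.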

Thank You
Suryam
Helical IT Solutions Pvt Ltd
