io.jsonwebtoken decode JWT claims before validating the signature

Question

io.jsonwebtoken decode JWT claims before validating the signature

502 views Asked by StefanG At 29 November 2023 at 20:28

Assuming I have multiple clients, I'm expecting from my "clientA" to provide a JWT token created with it's privateKeyClientA, like

String jwtToken = Jwts.builder()
        .claims()
        .issuer("ClientA")
        .expiration(expirationDate)
        .and()
        .signWith(privateKeyClientA)
        .compact() ;

to decode the claims, I can use

claims = Jwts.parser()
         .verifyWith(publicKeyClientA)  
         .build()
         .parseClaimsJws(jwtToken)
         .getBody();

But, how do you identify "clientA", so, publicKeyClientA before validating the JWT's signature in an "elegant way"?

p.s. I must use "JJWT :: API" (io.jsonwebtoken)

Original Q&A

There are 1 answers

**ThomasRS** · Accepted Answer · 2023-11-29T23:36:37+00:00

Two approaches:

use the key id in the header to identify the correct key.
parse the JWT body and extract the issuer field.

If there is no io.jsonwebtoken support for parsing before validating, try another library.

Doing this yourself can be like so:

parse b from "Bearer a.b.c"
base64 decode (url safe)
- note: some libs also use compression for b
parse the resulting JSON document
- preferably using pull parser, issuer is probably the first field
- extract issuer field value

For header just parse a instead.

TechQA.

io.jsonwebtoken decode JWT claims before validating the signature

There are 1 answers

Related Questions in JWT

Related Questions in JJWT

Popular Questions

Popular Tags

Trending Questions