How can I get Claims from a JWT?

I need to extract claims from a JWT.

It seems that this should be a no-brainer.

It was signed, from the header I get:

{
  "alg": "RS256",
  "typ": "JWT"
}

JWT:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYXJrLnN0YW5nQGRoaWdyb3VwaW5jLmNvbSIsInNjb3BlIjpbIm9wZW5pZCJdLCJyb2xlcyI6WyJKT0JTRUVLRVIiXSwiam9ic2Vla2VySWQiOiJ3TDFkTWdQckZWOUl5dEZZIiwiZXhwIjoxNDg4Mzk1ODE5LCJhdXRob3JpdGllcyI6WyJKT0JTRUVLRVIiXSwianRpIjoiNWRiYjNkYzQtNGI3NC00MDYyLTgzMmQtYjE1MTgwYWZhZjllIiwiY2xpZW50X2lkIjoiZWZjIn0.NxiF4x39na3KdDUFz2zxqy1zSfJkj4FdKHflpgJUxzMgBq8bbJIFVkmwAUYA6_YXm6kGFcyTMgdiRIJpqc5buDPdV1vkzh4QKFTxMz9MF4i3vtIQ21Vm5W12KikWdWGGUXMD4udJwu7rmuIBtNIa-ciZOPADNrrXfuw7iML1xxAA-C0f4OTbiKqiXr3QEUZwcqZB17qfh_dVRRxgO-_uHUg84JDcpXEDQPzPWX68u1EHH4J6IcpMKn1VY9k3RcZU6pq-ndzQgBlKdVm2owA6i-UM9p1zSz7ZX_2wx0czEEcNF1rMdeIv5yxP9YEpWb14-GUG4qgpn_rAIQBJ7eu7xw

It decodes on the jwt.io site just fine, but since I don't have the "secret" key, it comes up as "invalid signature". Which is fine, I am not trying to validate it.

All I want is the claims but when I use a Java library to decode it I get nothing but errors.

If I decode it manually (i.e. split/base64 decode) it is fine.

So, what am I doing wrong with the Java libraries?

Gastroscope answered 7/2, 2017 at 16:57 Comment(3)
How can we answer your question without seeing your code? - Toronto
Let me know if my answer works for you. - Bulrush
My code was something I found on SO. What I am looking for is how to get one of the libraries to extract the claims without me writing code to do it. - Gastroscope

Since the question is tagged with , I understand you are using jose4j for parsing JWT tokens.

In this situation, you can invoke setSkipSignatureVerification() from the JwtConsumerBuilder. It allows you to parse the claims without validating the signature:

import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                                  .setSkipSignatureVerification()
                                  .build();

JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);   // throws InvalidJwtException if the token cannot be parsed
Bulrush answered 7/2, 2017 at 19:49 Comment(12)
alg is RS256, so I guess there will be some public key out there to verify the signature. - Mentor
@Mentor Good spot! But for some reason the OP is only concerned about parsing the claims without any signature verification. - Bulrush
I believe, maybe incorrectly, that adding a dependency on an external piece of data (i.e. the public key) could make my code "brittle". Any changes in the key require me to change my code or at least react to the change. And when that happens my code is broken. - Gastroscope
@ChaosRules What do you mean with your previous comment? Does my solution work for you or not? - Bulrush
Sorry, I haven't had a chance to test it. I think it will work and is what I am looking for. My previous comment was in regards to using the public key to validate the signature, which I don't want to do. - Gastroscope
@ChaosRules As soon as you have a chance to test it, please let me know if it works for you. - Bulrush
Sorry, it has taken me this long to get back to you, but that worked. Thanks for all your help. - Gastroscope
OK, so now I have a public key and want to verify the signature. Is there a straightforward mechanism for this? - Gastroscope
The JwtConsumerBuilder wants a RsaJsonWebKey. I have the public key, but it won't accept a string. - Gastroscope
Maybe a different library? - Gastroscope
OK, figured it out, seems I was misinformed. Wrong public key. - Gastroscope
Hello, can't we extract jwt from that extractClaim? - Gastro
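The following is an added example (not the answer's own code and not from the jose4j project) that ties this answer to the later comments about verifying with the public key: the two-pass pattern in which one consumer reads the claims untrusted, as above, and a second consumer checks the RS256 signature and expiry against a java.security.PublicKey before anything acts on the claims. The class name, the base64-DER key helper and the command-line arguments are assumptions; the token in the question has long expired, so the second pass will reject it.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;

public class JwtTwoPass {   // hypothetical class name

    // Pass 1: read the claims WITHOUT trusting them: no signature, exp, nbf or aud checks.
    static JwtContext peekUntrusted(String jwt) throws InvalidJwtException {
        JwtConsumer peek = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build();
        return peek.process(jwt);
    }

    // Pass 2: verify the signature with the issuer's public key, pin the algorithm to the
    // RS256 the header is expected to carry, and require a (still valid) exp claim.
    static JwtClaims verify(JwtContext ctx, PublicKey issuerKey) throws InvalidJwtException {
        JwtConsumer strict = new JwtConsumerBuilder()
                .setVerificationKey(issuerKey)
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256))
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .build();
        strict.processContext(ctx);   // throws InvalidJwtException on any failure
        return ctx.getJwtClaims();
    }

    // JwtConsumerBuilder wants a java.security.Key, not a String: decode the base64 DER
    // (SubjectPublicKeyInfo) form of the RSA public key. This helper is an assumption.
    static PublicKey rsaPublicKeyFromBase64(String b64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(b64Der);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {   // args: <jwt> <base64 DER public key>
        JwtContext ctx = peekUntrusted(args[0]);
        System.out.println("untrusted claims: " + ctx.getJwtClaims().getClaimsMap());
        JwtClaims trusted = verify(ctx, rsaPublicKeyFromBase64(args[1]));
        System.out.println("verified user_name: " + trusted.getClaimValue("user_name"));
    }
}
```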

Let me provide a general answer for everyone's use.

I am using this maven/gradle library. Use the following for Maven.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>[ version ]</version>
</dependency>

Then use the following code to decode and get claims.

import com.nimbusds.jose.JWSObject;
import com.nimbusds.jwt.JWTClaimsSet;

String jwtToken = "eyJ0eXAiOiJKV1QiLCJhbG...";

JWSObject jwsObject;
JWTClaimsSet claims = null;

try {
       jwsObject = JWSObject.parse(jwtToken);   // parse the compact serialization; no signature check here
       claims = JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
} catch (java.text.ParseException e) {
       // Invalid JWS object encoding
       throw new IllegalArgumentException("Not a valid JWS compact serialization", e);
}

// now access any claims you want using the relevant key. It will be returned as an object
Object expiry = claims.getClaim("exp");


Ammon answered 2/2, 2021 at 7:11 Comment(0)