FusionAuth/fusionauth-jwt

It is not possible to get the claims and the JWT parameters without verify

Ostico opened this issue · 6 comments

A verifier is mandatory to get access to the JWT fields, but if I'm on the client side and I want to read information from the JWT, it is not possible to decode the payload without verification:

import java.util.Base64;

// Take the second dot-separated segment (the payload) and base64url-decode it; nothing is verified here.
byte[] payload = Base64.getUrlDecoder().decode( authResult.getAccessToken().split( "\\." )[ 1 ] );
JWT jwt = Mapper.deserialize( payload, JWT.class );

Some helpers could be useful.

Hi @Ostico

I think you're asking for how to decode the JWT w/out validation?

In addition to your example code, you can also use this method:

String accessToken = authResult.getAccessToken();
JWT jwt = JWT.getDecoder().decode(accessToken);

This is using the varargs version of the decode method.

public JWT decode(String encodedJWT, Verifier... verifiers)

Using this method, when 0 verifiers are provided, we will allow you to decode the JWT w/out verification. This way we know for sure the caller is asking us to decode the JWT w/out signature verification.

Let me know if I haven't answered your question.

Hi @robotdan, I already tried without verifiers, but I get an exception:
io.fusionauth.jwt.MissingVerifierException: No Verifier has been provided for verify a signature signed using [SHA256withRSA]

throw new MissingVerifierException("No Verifier has been provided for verify a signature signed using [" + header.algorithm.getName() + "]");

From the code it seems that it is not possible to decode a JWT when parts.length != 2:

even if allowNoneAlgorithm is true:

private JWT validate(String encodedJWT, String[] parts, Header header, Verifier verifier, boolean allowNoneAlgorithm) {
...
}

Ah, ok, I see what you mean. Yeah, you're correct, we don't offer a way to decode the JWT w/out verification (at least not easily).

Would it help if I added a utility method to decode the payload? Would you also want the header?

For example, something like:

String accessToken = authResult.getAccessToken();
JWT jwt = JWTUtils.decodePayload(accessToken);

This method would not perform any validation, it would only read the JSON and return a JWT object.

This would more/less do the same thing you're doing already:

import java.util.Base64;

// Same manual approach: base64url-decode the payload segment and map the JSON onto a JWT, with no signature check.
byte[] payload = Base64.getUrlDecoder().decode( authResult.getAccessToken().split( "\\." )[ 1 ] );
JWT jwt = Mapper.deserialize( payload, JWT.class );

See commit 4e5d4d0, added JWTUtils.decodePayload - will this work for you?
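The manual decode in the first comment and the proposed JWTUtils.decodePayload both do the same thing: split the token on dots, base64url-decode a segment, and parse the JSON, with no signature check. The following Python is an added example written for this page, not code from fusionauth-jwt or from either participant. It shows the unverified decode next to a proper HS256 verification of the same token, and demonstrates why the distinction matters: a client that edits the payload gets the edited claims back from the unverified path while the verified path rejects the token. The key, the claims and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real HS256 key is a random secret shared with the issuer.
KEY = b"constructed-demo-key-not-for-production"


def _b64url_decode(segment: str) -> str:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii")).decode("utf-8")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _encode_json(obj: dict) -> str:
    # Compact separators keep the encoded segment identical across encode/decode round trips.
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a complete HS256 JWT (header.payload.signature)."""
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple:
    """Return (header, payload) without checking the signature.

    This is what the thread asks for: client-side reading of claims. Treat the
    result as untrusted input; it is whatever the bearer chose to put there.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload only if the HS256 signature checks out under `key`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token header pick how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    actual = base64.urlsafe_b64decode((parts[2] + "=" * (-len(parts[2]) % 4)).encode("ascii"))
    if not hmac.compare_digest(expected, actual):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(parts[1]))


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the `sub` claim but keep the original signature (simulates a client edit)."""
    parts = token.split(".")
    payload = json.loads(_b64url_decode(parts[1]))
    payload["sub"] = new_sub
    return f"{parts[0]}.{_encode_json(payload)}.{parts[2]}"


if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "ostico", "roles": ["user"]}, KEY)
    print("unverified:", decode_unverified(token))
    print("verified:  ", verify_hs256(token, KEY))
    forged = tamper_sub(token, "admin")
    print("unverified (forged):", decode_unverified(forged)[1])
    try:
        verify_hs256(forged, KEY)
    except ValueError as exc:
        print("verified (forged):", exc)
```

decode_unverified is fine for UI decisions such as showing a username or choosing which screen to render, which is the client-side use the reporter describes. Any authorization decision has to go through the verifying path, and the verifier should fix the expected algorithm rather than read it from the token.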

Yes, it is perfect. The header is not so important in my opinion.
Thank you.

Great, thanks for the feedback. I also added JWTUtils.decodeHeader if that is of use.
Released and available in version 3.0.2.