Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Android JWT parsing payload/claims when signed

Tags:

java

android

security

jwt

I have a signed JWT String that i get from the server. I do not know the key or rather I don't want to put the key on the client/device.

When using this site with my token: https://jwt.io/ I get the desired result it tells me the Header and payload information.

I cannot find a library on android that does what this website does and i have tried all of them that i could find. The most recognized one to use is: https://github.com/jwtk/jjwt

But this gives me an exception that i cannot parse a signed token which as proven by the other website above is false. another resource i have used is: https://bitbucket.org/b_c/jose4j/wiki/Home

This one at least gave me the header information which is the furthest i have been able to get.

To give context why it is the way it is, the payload contains an expiration time and on the device when the token is about to expire i should prompt the user to re enter their credentials to get a new token. Now this might seem like a security threat because a hacker could manipulate the token on the device, but the server checks the token to make sure it is authentic which is why i do not want the key on the device because this can be mined by a hacker, and make the entire application vulnerable.

like image 707
Delta Avatar asked Jan 25 '16 17:01

Delta

1 Answers

If you wanna parse signatured text without using signature :

1- add below dependency :

//JWT
compile 'io.jsonwebtoken:jjwt:0.7.0'

2 - Add below imports :

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;

3- Use below code block :

//ref : https://github.com/jwtk/jjwt/issues/135
//you can put your signatured text instead of jws variable.
String jws = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";
int i = jws.lastIndexOf('.')
String withoutSignature = jws.substring(0, i+1);
Jwt<Header,Claims> untrusted = Jwts.parser().parseClaimsJwt(withoutSignature);
/*untrusted.getBody().getSubject();
  untrusted.getBody().getExpiration();
  etc.
*/
like image 70
oguzhan Avatar answered Sep 29 '22 20:09

oguzhan
Sign in to Comment

Related questions

Java8 DateTimeFormatter parse date with both single digit and double digit day [duplicate]
Java class that models a book
How to create an empty folder in google cloud bucket using Java API
Is this snippet unnecessary in the source code of Arraylist.remove(int index)?
Who killed My Java Infinite loop thread?
Dagger doesn't like constructors that throw exceptions
Unexpected token END OF FILE at position 0 while parsing JSON
New thread multiple times
Grouping Java 8 Dates in intervals
Android onTouchEvent for custom view
Vowel Counter Replaced in String Java
Java Primitive Widening Interview [duplicate]
How to create a WSResponse object from string for Play WSClient
How to create threads in Java EE environment?
Java 8 generics and type inference issue
Replacement for org.hibernate.Transactions.isActive() in Hibernate 5
Hibernate 5 + Glassfish 4.1.1: java.lang.NoSuchMethodError: org.jboss.logging.Logger.debugf(Ljava/lang/String;I)V
In Java catch block, how do you know which method/line throws the exception?
JavaFX WebView up call from JavaScript doesn't work
Why does my Java program's performance drop significantly after startup?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!