Replacement for deprecated Spring Security JwtHelper

I make use of the class org.springframework.security.jwt.JwtHelper from org.springframework.security:spring-security-jwt:1.1.0.RELEASE for decoding JWT tokens, e.g.

Jwt jwt = JwtHelper.decode(accessToken);
String claims = jwt.getClaims();

The above classes are deprecated and the deprecation comment points to Spring Security OAuth 2.0 Migration Guide.

This guide does not talk about any replacement for JwtHelper.

I found the class JwtDecoders which creates a JwtDecoder in the new spring-security-oauth2 project. But JwtDecoders requires an issuer to be passed.

Since I do not wish to verify the token, is there a simple alternative available? Otherwise I can split on . and base64-decode the token, and use any JSON library to parse.

Somu asked May 02 '20 20:05


3 Answers

The replacement used in Spring Security is nimbus-jose-jwt. If you don't use Spring Boot, you have to choose a version; otherwise Spring Boot will choose one for you.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
</dependency>

You can just use it like this:

import com.nimbusds.jose.Header;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import java.text.ParseException;

....

// Parses the compact serialization without checking the signature;
// both calls throw ParseException on malformed input.
JWT jwt = JWTParser.parse(accessToken);
Header header = jwt.getHeader();
JWTClaimsSet jwtClaimsSet = jwt.getJWTClaimsSet();
Ortomala Lokni answered Jan 02 '23 23:01


This worked fine for me without any new dependency.

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import java.nio.charset.StandardCharsets;

// Parse and verify the HMAC signature with the shared secret (parseClaimsJws rejects
// unsigned or badly signed tokens), then put the subject into the security context.
Jws<Claims> claimsJws = Jwts.parserBuilder()
        .setSigningKey(Keys.hmacShaKeyFor(
                "secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret"
                        .getBytes(StandardCharsets.UTF_8)))
        .build()
        .parseClaimsJws(token);
String username = claimsJws.getBody().getSubject();
Authentication authentication = new UsernamePasswordAuthenticationToken(username, null, null);
SecurityContextHolder.getContext().setAuthentication(authentication);
alphcoder answered Jan 03 '23 00:01


Do not skip token verification! Failure to verify the token properly will result in an insecure app.

  • It is very important that you check the issuer (iss claim) of the token and verify it is correct and that it is supposed to be accepted by your application. Only accept tokens from issuers that have the authority to grant access tokens for your app.
  • Also verify the token is intended for your app (check aud claim): you don't want users misusing tokens intended for other apps (e.g., if user has token with all the right claims, but with aud claim set to another app; that shouldn't be a valid token for you).
  • Now, make certain to check the signature of the token to verify it is actually signed by the issuer and it is not a bogus token: you can find the issuer's public keys by contacting the issuer. If you don't get the public key directly from the issuer, and you don't verify the signature of the incoming token properly, a malicious user will be able to forge a seemingly-valid token that your app will accept, and your app will be at risk of leaking catastrophic amounts of data.
  • The last step is to check validity (is it expired?) and then to check for whatever other claims or scopes your app expects and requires.
Sam answered Jan 02 '23 23:01
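The following is an added, self-contained example (not code from any of the answers above) that applies the checklist in the last answer with the nimbus-jose-jwt library recommended in the first one: signature against a trusted key set, exact issuer, accepted audience, required claims and expiry. The issuer URL, audience name, key id and subject are made-up values; the RSA key pair is generated in-process as a stand-in for the issuer's published JWK Set, so the example runs offline.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.util.Date;
import java.util.Set;

public class VerifiedJwtExample {

    // Hypothetical values for this example; use your real issuer and client id.
    static final String ISSUER = "https://issuer.example";
    static final String AUDIENCE = "my-app";

    public static void main(String[] args) throws Exception {
        // Stand-in for the issuer's signing key. In production the PUBLIC key comes
        // from the issuer's JWK Set endpoint (e.g. a RemoteJWKSet), never from the token.
        RSAKey issuerKey = new RSAKeyGenerator(2048).keyID("issuer-key-1").generate();

        String good = mintToken(issuerKey, ISSUER, AUDIENCE, 300);
        String wrongAudience = mintToken(issuerKey, ISSUER, "other-app", 300);
        String expired = mintToken(issuerKey, ISSUER, AUDIENCE, -300);

        DefaultJWTProcessor<SecurityContext> processor = buildProcessor(issuerKey.toPublicJWK());

        // Accepted: signature, iss, aud, exp and required claims all pass.
        System.out.println("subject: " + processor.process(good, null).getSubject());

        // Rejected: one check fails in each case; process() throws instead of returning claims.
        for (String bad : new String[] {wrongAudience, expired}) {
            try {
                processor.process(bad, null);
                System.out.println("unexpectedly accepted");
            } catch (Exception e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }

    // Builds a processor that performs every check from the checklist above.
    static DefaultJWTProcessor<SecurityContext> buildProcessor(RSAKey trustedPublicKey) {
        JWKSource<SecurityContext> trustedKeys = new ImmutableJWKSet<>(new JWKSet(trustedPublicKey));
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Signature: only RS256, only keys from the trusted set (matched by kid).
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, trustedKeys));
        // Claims: aud must contain AUDIENCE, iss must equal ISSUER exactly, sub and exp
        // must be present; exp/nbf are checked against the clock by default.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                Set.of(AUDIENCE),
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                Set.of("sub", "exp"),
                null));
        return processor;
    }

    // Test-only helper that plays the role of the issuer; a real app never signs tokens it verifies.
    static String mintToken(RSAKey signingKey, String iss, String aud, long ttlSeconds) throws Exception {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(iss)
                .audience(aud)
                .subject("alice")
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + ttlSeconds * 1000))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(signingKey.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(signingKey));
        return jwt.serialize();
    }
}
```

The order of checks matters: the key selector pins the algorithm and the key source, so a token whose header names a different algorithm or an unknown kid is rejected before any claim is read. Pinning the audience with a Set rather than leaving it null is what stops a token issued for another application from being accepted, which is the case the last answer warns about.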