Reputation: 3018
I'm encoding/decoding JWT strings in Java...specifically for in-app purchases.
I'm looking at this example
https://code.google.com/p/gwdg-java/source/browse/src/java/com/google/iapsample/JWT_Handler.java
I can encode the string to JWT using the SIGNING key.
I can then decode the JWT back to the source string by calling deserialize().
But if you look at the code - you note that the method doesn't use the SIGNING key to decode...but it does decode properly.
Confused!
Is the key within the JWT string itself - that would not make any security sense!
Upvotes: 1
Views: 6527
Reputation: 2108
Do not confuse signing with encryption.
The secret key is used to generate a digital signature that will be used later to verify the authenticity of the JWT.
Please see the JWT spec below for an example:
http://tools.ietf.org/id/draft-jones-json-web-token-08.html#rfc.section.3.1
You can also use the JWT decoder below to test your integration:
https://developers.google.com/commerce/wallet/digital/docs/jwtdecoder
Upvotes: 3
Reputation: 1503
When you said DECODE, what do you mean?
You can decode the base64 part. It can be (and often is) used for carrying information which the client can use: username, roles and other public things.
JWT is presented as some magic. But it isn't; for the client it is only an ordinary token with some included information.
The server creates this token and signs it with a password/key which is only on the server side. So the server creates the token and only the server can validate it, with this password.
Here: http://jwt.io/
you can see the header, the information part and the hash/signature.
The information and header are pure base64 and you can read them freely. The demo on this website shows generation of a JWT using a given SECRET password. If you modify the information part it re-signs the token. You can validate the token only if you know this password.
My favorite article with nice java commentary: http://blog.jdriven.com/2014/10/stateless-spring-security-part-2-stateless-authentication/
Upvotes: 1
Reputation: 12341
Disclaimer: I am not a Java dev, so this is based on my (non-Java-dev) read of the source, nor do I use the sample you are referencing.
public String deserialize(String tokenString) is decoding from Base64 to string (String jwtPayloadSegment = pieces[1]; and pieces[2]) as parsed by private String[] splitTokenString(String tokenString).
As above, I'm not a Java dev nor do I use the sample. The code looks like (again, note my disclaimer) it's only a sample for how to create a Request (to send to Google), not as a handler for your listener to verify an incoming callback from Google.
The sample code should still be helpful in doing that because the process is similar when verifying - re: (re)build the JWT signature and compare it with the parsed signature in the incoming POST request.
Looks like the sample (Main_Servlet.java) builds the JWT. There is no code in the sample that I can see that is for your listener to handle the POST from Google containing the order JWT - you will need to write that (and yes, you need to verify the JWT as from Google).
Hth - and if I'm wrong about my read of the source, I likely am.
Upvotes: 0
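The three answers above make the same point from different angles: the payload of a JWT is only base64url-encoded, so anyone can decode it without a key (that is all the sample's deserialize() does), while the secret is needed to recompute the HMAC and check that the signature segment matches. The following is an added example, not code from the question, the answers, or Google's sample, written in Python rather than Java because the behaviour is the same in any language; the secret and the payload fields are constructed for the demonstration. It builds an HS256 token, decodes it without the key, verifies it with the key, and shows that a payload edited without re-signing decodes fine but fails verification.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example; a real signing key lives only on the server.
SERVER_SECRET = b"example-server-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding JWT uses for each segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Reverse of b64url_encode; restore the '=' padding that base64 expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    """Canonical compact JSON so the same dict always yields the same segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256: HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_unverified(token: str) -> dict:
    """What the sample's deserialize() does: base64-decode the payload segment.
    No key is involved, and nothing here says whether the token is genuine."""
    _header_seg, payload_seg, _signature_seg = token.split(".")
    return json.loads(b64url_decode(payload_seg))


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Recompute the HMAC over header.payload with the secret and compare it, in
    constant time, with the signature segment. Returns the payload only on a match."""
    try:
        header_seg, payload_seg, signature_seg = token.split(".")
    except ValueError:
        return None  # not three segments
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        return None  # accept only the algorithm we expect, never what the token claims
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_seg)):
        return None
    return json.loads(b64url_decode(payload_seg))


def modify_payload_without_resigning(token: str, **changes) -> str:
    """Edit payload fields but keep the old signature segment; this is what someone
    without the secret can do, and it is exactly what verify_jwt must reject."""
    header_seg, payload_seg, signature_seg = token.split(".")
    payload = json.loads(b64url_decode(payload_seg))
    payload.update(changes)
    return f"{header_seg}.{_json_segment(payload)}.{signature_seg}"


if __name__ == "__main__":
    token = sign_jwt({"sub": "order-123", "price": "1.99"}, SERVER_SECRET)
    print("token:", token)
    print("decoded without key:", decode_unverified(token))
    print("verified with key:", verify_jwt(token, SERVER_SECRET))
    edited = modify_payload_without_resigning(token, price="0.01")
    print("edited token still decodes:", decode_unverified(edited))
    print("but fails verification:", verify_jwt(edited, SERVER_SECRET))
```

The listener that receives Google's POST must do what verify_jwt does (recompute the signature with the seller secret and compare), not what deserialize() does; decoding alone tells you what the token says, not who wrote it.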