Reputation: 327
So I am working with a 3rd party RESTful webservice where I have to authenticate myself by requesting a JWT and provide it to any further requests. I do that by just posting my username and password and receive a token for this. I neither know the secret used to create the token nor anything else besides username and password.
Now, I would like to check the expiration time of the JWT before I either reuse it for subsequent webservice requests or just renew it. I know I could just use it and catch some kind of expiration exception, but I would prefer not to.
I tried to follow this tutorial: [https://stormpath.com/blog/token-auth-for-java]
but get stuck at the point where I have to provide the signing key.
How would I do that, since I do not have the secret used to encode it?
By the way: I am working with Groovy and wslite on this one.
Upvotes: 1
Views: 3006
Reputation: 171084
You should just be able to take the body of the token, and decode it.
The private key isn't used to encrypt the body of a JWT, it's just used to generate the signature...
So, in Groovy you can just do:
// A JWT from the link you gave above
String key = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vdHJ1c3R5YXBwLmNvbS8iLCJleHAiOjEzMDA4MTkzODAsInN1YiI6InVzZXJzLzg5ODM0NjIiLCJzY29wZSI6InNlbGYgYXBpL2J1eSJ9.43DXvhrwMGeLLlP4P4izjgsBB2yrpo82oiUPhADakLs'
// Just the body (middle section of header.payload.signature)
String body = key.split(/\./)[1]
// Un-base64 it using the Java 8 java.util.Base64 class (auto-imported in Groovy).
// JWT segments use the base64url alphabet ('-' and '_' instead of '+' and '/') with
// the '=' padding stripped, so use the URL decoder; it also accepts missing padding.
String unencoded = new String(Base64.urlDecoder.decode(body), 'UTF-8')
// Parse the json into a map
Map data = new groovy.json.JsonSlurper().parseText(unencoded)
// Get the expiry (a NumericDate: seconds since the Unix epoch)
long exp = data.exp
assert exp == 1300819380
Of course, there's nothing to say that the body of the token has to contain any form of expiry time for you to look at... It could just be an internal ID
Upvotes: 2
Reputation: 6414
If you don't know the cipher used to encode it nor want to crack their cipher, then you can't decode any information from the token. There is nothing like 'standard information that must be encoded in the token'; there's no requirement for the token to contain any ciphered information at all. It could be just a randomly generated UUID stored on their side in a DB, so in that case you can't decode it at all.
Upvotes: 0