AppAuth-Android icon indicating copy to clipboard operation
AppAuth-Android copied to clipboard

Published 20 hours ago verified publisher icon openid

Support JWT decoding and validation

Open iainmcgin opened this issue 9 years ago • 10 comments

Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the jwks_uri keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.

iainmcgin avatar Mar 07 '16 02:03 iainmcgin

Hi @iainmcgin, I'd like to ever so humbly suggest that jose4j be considered for JWT decoding and validation in AppAuth . It's an open source JWT/JOSE library in Java that has extensive support for consuming and validating JWTs including being able to dynamically obtain public keys from an HTTPS endpoint like Connect's jwks_uri.

b---c avatar Apr 14 '16 15:04 b---c

jose4j looks like a good choice Brian, thanks for the suggestion! The solution for this issue may actually just be documentation rather than code, pointing developers at other libraries (such as yours) that can perform this task rather than baking it in to AppAuth itself. We'd like to keep the dependencies of AppAuth as minimal as possible.

iainmcgin avatar Apr 20 '16 20:04 iainmcgin

#163 has some code for this, so I'll need to evaluate that against adding a dependency on jose4j. Looks like jose4j 0.5.5 is ~250KB, which is almost twice as big as AppAuth itself (currently ~120KB). It may still be better to leave token validation to code outwith the library.

iainmcgin avatar Mar 10 '17 09:03 iainmcgin

Partially fixed by #385 - we will need to put in some extra work to expose the new IdToken class as part of the public API. Right now it only holds the fields that are interesting for validation and discards the rest; storing the currently discarded claims as an "additionalClaims" map would be consistent with how we handle authorization requests etc.

iainmcgin avatar Aug 10 '18 18:08 iainmcgin

Is IdToken available in latest release? (0.7.1)

v-khatri avatar Jan 11 '20 05:01 v-khatri

Hi @iainmcgin , I am still unable to access IdToken class. My need is to use parseJwtSection(String acessToken) method to parse the role [] from the acessToken.

Do we have any way to do it in AppAuth? Thanks in advance!

sunilkumarjena21 avatar Jun 03 '20 08:06 sunilkumarjena21

Our codebase was relying on a separate library to extract this information. I just abandoned this library as it contained a bug, and I found it an extensive additional dependency just to do some JSON parsing which I now do as follows:

fun getUserId(token: String): UUID? {
    val (_, payload, _) = accessToken.split('.')
    val payloadString = String(
        Base64.decode(payload, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING),
        Charset.defaultCharset()
    )
    val subjectPattern = Regex("\"sub\":\\s*\"([a-z0-9-]*)\"")
    val subject = requireNotNull(subjectPattern.find(payloadString)?.groupValues?.get(1))
        { "Invalid JWT access token."}

    return UUID.fromString(subject)
}

But, I'd prefer to replace this with the IdToken functionality of this library once it is exposed in the API. So just a reminder this issue is still relevant. :)

Whathecode avatar May 18 '22 11:05 Whathecode

@Whathecode, please, add imports. What minimal SDK does it require?

CoolMind avatar Dec 03 '22 12:12 CoolMind

See https://stackoverflow.com/questions/37695877/how-can-i-decode-jwt-token-in-android.

CoolMind avatar Dec 04 '22 14:12 CoolMind