    Les Hazlewood
    @lhazlewood
    [Brian Demers, jwtk] Have a code sample?
    [Brian Demers, jwtk] (and do you have a custom SigningKeyResolver?)
    François Papon
    @fpapon
    Hi @apryamostanov
    this works for me:
        Jws<Claims> jws = Jwts.parser().setSigningKey(publicKey).parseClaimsJws(token);
    Anton Pryamostanov
    @apryamostanov
    @fpapon , thank you! That's good news. I will check my code.
    Les Hazlewood
    @lhazlewood
    [Micah Silverman, jwtk] Do you mean you're unable to verify using corresponding public key?
    Anton Pryamostanov
    @apryamostanov
    hi @lhazlewood! Yes
    but I believe there is just something small in my code which prevents it
    just wanted to know if my understanding of the concept is correct
    François Papon
    @fpapon
    I just follow the JJWT doc and it works so I think you just missed something ;)
    Anton Pryamostanov
    @apryamostanov
    yes, I will check carefully, thank you guys!
    François Papon
    @fpapon
    @apryamostanov if you want to take a look at my example project => https://github.com/fpapon/shiro-labs/tree/master/karaf-security
    Karaf + Shiro + JJWT :)
    Anton Pryamostanov
    @apryamostanov
    sure, I will check! thanks a lot! that will be helpful
    btw I am implementing an App2app authentication scheme - Client app publishes a REST endpoint "publicKey" - and Server App validates the JWT by getting the Client Public Key over the Web
    this cuts down the security concern to DNS security which is fairly secure
    François Papon
    @fpapon
    ok
    Anton Pryamostanov
    @apryamostanov
    i.e. the server has a configured trusted Client app HTTPS URL with proper TLS ceremonies (validating domain name and signing authority) - and it gets the Client's Public Key from there
    thus the JWT public key trust happens effectively on URL level, which is easy to deploy on Cloud
    François Papon
    @fpapon
    ok so you need to convert the publicKey from String to a PublicKey object
    Anton Pryamostanov
    @apryamostanov
    @fpapon , thank you very much
    you were right, the problem was in key loading/saving
    I used the examples you shared - fr.openobject.labs.shiro.karaf.security.ProtectedServiceTest
    and my project also worked
    the Hex codec did the trick, as well as KeyFactory.getInstance(...)
    François Papon
    @fpapon
    great :)
    Les Hazlewood
    @lhazlewood
    [Les Hazlewood, jwtk] @apryamostanov late reply, but with asymmetric keys, you sign with the private key and verify with the public key
    Anton Pryamostanov
    @apryamostanov
    hi @lhazlewood! Yes, works like a charm. Thank you so much!
    I am working on a SECaaS platform - OAuth2 aggregator + Web Service security/step-up Authorization
    Les Hazlewood
    @lhazlewood
    [Les Hazlewood, jwtk] cool :)
    Anton Pryamostanov
    @apryamostanov
    AscendLoginUseCase.png
    basically the consumers of this platform will register with the platform 1 time - and receive all OAuth buttons + user access management on top of it
    for their Web services
    I am using JJWT for this, it is an amazing library
    Les Hazlewood
    @lhazlewood
    [Les Hazlewood, jwtk] nice!
    Anton Pryamostanov
    @apryamostanov
    thank you very much!
    Ghost
    @ghost~5d9cb2e2d73408ce4fcd3c4a
    Hey! Can someone help me with signing a JWT for Web Push? I have a private key that is a URL-safe Base64 string and I have no idea how to transform it into an instance of PrivateKey.
    I have a method that looks like this:
        import java.security.KeyFactory;
        import java.security.NoSuchAlgorithmException;
        import java.security.PrivateKey;
        import java.security.spec.InvalidKeySpecException;
        import java.security.spec.PKCS8EncodedKeySpec;
        import java.util.Base64;

        private static PrivateKey generatePrivateKey() {
            // The key string is URL-safe Base64 ('-' and '_' instead of '+' and '/'),
            // so the URL decoder is required; the basic decoder rejects those characters.
            byte[] bytes = Base64.getUrlDecoder().decode("key...");

            try {
                // PKCS8EncodedKeySpec expects the DER bytes of a PKCS#8 PrivateKeyInfo structure,
                // i.e. the Base64 payload between a PEM header and footer, not a raw EC scalar.
                return KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(bytes));
            } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
                e.printStackTrace();
            }

            return null;
        }
    But it rejects my key, and I guess the reason is that maybe it's not PKCS8 encoded (but I'm not sure what's the difference between a plain key and a PKCS8 key stripped of its header and footer)
    Les Hazlewood
    @lhazlewood
    [Les Hazlewood, jwtk] Hi there! Unfortunately I don't have a quick answer for you because this isn't really a JWT question - it's a Java Crypto/Key question. I did a quick google search and found this: https://techxperiment.blogspot.com/2016/10/create-and-read-pkcs-8-format-private.html
    Ghost
    @ghost~5d9cb2e2d73408ce4fcd3c4a
    Thanks for the quick answer! Well, yes, not a direct question, but I've been trying and googling for quite some time without finding an answer, so I thought asking here would be appropriate, especially because the dev team chose this way of generating keys
    François Papon
    @fpapon
    @ghost~5d9cb2e2d73408ce4fcd3c4a you have to remove the header/footer section in the private key
    Rahul Kumar Pandey
    @rkpandey-jft
    How can I verify a JWT Web Token received from AWS Cognito with JJWT? I have looked at various blogs but have been unable to do it. I am a newbie in Spring Boot and JWT
    François Papon
    @fpapon
    @rkpandey-jft do you have an example of AWS Cognito token?
    Eric Obermühlner
    @eobermuhlner
    Testing jjwt 0.11.2 --- The signed JWTs can be verified with the JwtParser, but verification of the signature using https://jwt.io/#debugger-io fails.
    Note: I use the signWith(Key key) method, so it is not a problem with passing a wrongly encoded string.
    The key was created using Keys.keyPairFor(SignatureAlgorithm.RS256) and Keys.secretKeyFor(SignatureAlgorithm.HS256) (both cases behaved the same).
    Eric Obermühlner
    @eobermuhlner
    Am I doing something wrong, or is the signature verification of jjwt not compatible with the jwt.io debugger?
        import java.security.Key;
        import java.security.KeyPair;
        import java.util.Base64;
        import java.util.Date;

        import io.jsonwebtoken.Claims;
        import io.jsonwebtoken.Jws;
        import io.jsonwebtoken.JwtParser;
        import io.jsonwebtoken.Jwts;
        import io.jsonwebtoken.SignatureAlgorithm;
        import io.jsonwebtoken.security.Keys;

        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
        Key publicKey = keyPair.getPublic();
        Key privateKey = keyPair.getPrivate();

        // getEncoded() returns DER bytes: X.509 SubjectPublicKeyInfo for the public key,
        // PKCS#8 PrivateKeyInfo for the private key
        System.out.println("PUBLIC KEY " + Base64.getEncoder().encodeToString(publicKey.getEncoded()));
        System.out.println("PRIVATE KEY " + Base64.getEncoder().encodeToString(privateKey.getEncoded()));

        String token = Jwts.builder()
                .setIssuer("example")
                .setIssuedAt(new Date())
                // Date takes milliseconds: a bare 3600 expires the token after 3.6 seconds,
                // so multiply by 1000 for a one-hour lifetime
                .setExpiration(new Date(System.currentTimeMillis() + 3600L * 1000))
                .claim("typ", "Bearer")
                .signWith(privateKey)   // RS256 is selected from the RSA private key
                .compact();

        System.out.println("TOKEN " + token);

        JwtParser jwtParser = Jwts.parserBuilder()
                .setSigningKey(publicKey)
                .build();
        // parseClaimsJws verifies the signature with the public key and rejects expired tokens
        Jws<Claims> claimsJws = jwtParser.parseClaimsJws(token);

        System.out.println("ISSUER " + claimsJws.getBody().getIssuer());
    An example token looks like this:
    eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJleGFtcGxlIiwiaWF0IjoxNjAwMTc2MzQ1LCJleHAiOjE2MDAxNzYzNDgsInR5cCI6IkJlYXJlciJ9.i9Mo_DgnzfKI7qRgN4lG_XEkdnDsHxfvYYG9H4JM2Dz8OiokDmb9tr7Egeib8Oz5Y88ZM2M9ydFoXT5ZwLLVLIL2XEj1QOFyaTDCkIxC2dh4Cvem9mFuQhOB35SmmY5hDYmN42O-s0l3-C79TTUI60VPURldFb-3cXDbbeXo2YvICw1lE5cxQLA8L-W--q0SJr92s-LfZs9METTglFHLeFED14mSqGgME09md1mS3EIzuHP_EnZ8CW8I41dPObpGtJY6Xm8Z8JF-jaHfK54x8x77v_Dx_fNpT6413F4dYM91tZIyF2z8-XC3-01M1tmAwYa2q_3kLNR9hS9yjtdgzw
    satyamagarwal
    @satyamagarwal

    Hey. Big fan of the library. When are we going to version 1.0? I see that there have not been many contributions in recent months. It has ~7k stars. I am in no way nagging or anything close to it. I am just curious :)

    I am also very eagerly waiting for support for jwtk/jjwt#135 to be added in the library.

    satyamagarwal
    @satyamagarwal
    @bdemers @lhazlewood if you guys can shed some light please :)