How can I get Claims from a JWT?

Question

I need to extract claims from a JWT.

It seems that this should be a no-brainer.

It was signed, from the header I get:

{
  "alg": "RS256",
  "typ": "JWT"
}

JWT:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJtYXJrLnN0YW5nQGRoaWdyb3VwaW5jLmNvbSIsInNjb3BlIjpbIm9wZW5pZCJdLCJyb2xlcyI6WyJKT0JTRUVLRVIiXSwiam9ic2Vla2VySWQiOiJ3TDFkTWdQckZWOUl5dEZZIiwiZXhwIjoxNDg4Mzk1ODE5LCJhdXRob3JpdGllcyI6WyJKT0JTRUVLRVIiXSwianRpIjoiNWRiYjNkYzQtNGI3NC00MDYyLTgzMmQtYjE1MTgwYWZhZjllIiwiY2xpZW50X2lkIjoiZWZjIn0.NxiF4x39na3KdDUFz2zxqy1zSfJkj4FdKHflpgJUxzMgBq8bbJIFVkmwAUYA6_YXm6kGFcyTMgdiRIJpqc5buDPdV1vkzh4QKFTxMz9MF4i3vtIQ21Vm5W12KikWdWGGUXMD4udJwu7rmuIBtNIa-ciZOPADNrrXfuw7iML1xxAA-C0f4OTbiKqiXr3QEUZwcqZB17qfh_dVRRxgO-_uHUg84JDcpXEDQPzPWX68u1EHH4J6IcpMKn1VY9k3RcZU6pq-ndzQgBlKdVm2owA6i-UM9p1zSz7ZX_2wx0czEEcNF1rMdeIv5yxP9YEpWb14-GUG4qgpn_rAIQBJ7eu7xw

It decodes on the jwt.io site just fine, but since I don't have the "secret" key, it comes up as "invalid signature". Which is fine, I am not trying to validate it.

All I want is the claims but when I use a Java library to decode it I get nothing but errors.

If I decode it manually (i.e. split/base64 decode) it is fine.

So, what am I doing wrong with the Java libraries?

My code was something I found on SO. What I am looking for is how to get one of the Libraries to extract the claims without me writing code to do it. — Chaos Rules, Feb 13 '17 at 21:56

cassiomolin · Accepted Answer · 2021-11-03T21:07:25.580

9

Once the question is tagged with jose4j, I understand you are using jose4j for parsing JWT tokens.

In this situation, you can invoke setSkipSignatureVerification() from the JwtConsumerBuilder. It allows you to parse the claims without validating the signature:

JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                                  .setSkipSignatureVerification()
                                  .build();
                                                  
JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);

edited Nov 03 '21 at 21:07

answered Feb 07 '17 at 19:49

cassiomolin

124,154
35
280
359

`alg` is `RS256`, so I guess there will be some public key out there to verify the signature – pedrofb Feb 07 '17 at 20:15
@pedrofb Good spot! But for some reason the OP is only concerned about parsing the claims without any signature verification. – cassiomolin Feb 07 '17 at 20:23
I believe, maybe incorrectly, that adding a dependency on an external piece of data (i.e. the public key) could make my code "brittle". Any changes in the Key require me to change my code or at least react to the change. And when that happens my code is broken. – Chaos Rules Feb 13 '17 at 22:19
@ChaosRules What do you mean with you previous comment? Does my solution works for you or not? – cassiomolin Feb 13 '17 at 22:22
Sorry, I haven't had a chance to test it. I think it will work and is what I am looking for. My previous comment was in regards to using the public key to validate the signature. Which I don't want to do. – Chaos Rules Feb 14 '17 at 23:22
@ChaosRules As soon as you have a chance to test it, please let me know if it works for you. – cassiomolin Feb 14 '17 at 23:56
Sorry, it has taken me this long to get back to you, but that worked. Thanks for all your help. – Chaos Rules Apr 03 '17 at 20:41
OK, so now I have a public key and want to verify the signature. Is there a straightforward mechanism for this? – Chaos Rules Apr 04 '17 at 22:08
The JwtConsumerBuilder wants a RsaJsonWebKey. I have the public key, but it won't accept a string. – Chaos Rules Apr 04 '17 at 22:15
Maybe a different library? – Chaos Rules Apr 04 '17 at 22:23
OK, figured it out, seems I was mis-informed. Wrong public key. – Chaos Rules Apr 05 '17 at 16:00
Hello can't we extract jwt from that `extractClaim` – Rajanboy Jul 11 '22 at 04:11

score 2 · Answer 2 · answered Feb 02 '21 at 07:11

Let me provide a general answer for everyone's use.

I am using this maven/gradle library. Use the following for Maven.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>[ version ]</version>
</dependency>

Then use the following code to decode and get claims.

String jwtToken = "eyJ0eXAiOiJKV1QiLCJhbG...";

JWSObject jwsObject;
JWTClaimsSet claims;

try {
       jwsObject = JWSObject.parse(this.jwt);
       claims =  JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
} catch (java.text.ParseException e) {
       // Invalid JWS object encoding
}

// now access any claims you want using the relevant key. It will be returned as an object
Object expiry = claims.getClaim("exp");

How can I get Claims from a JWT?

2 Answers2