13

I have a token in the form of a string and I downloaded the public cert and created a public key out of it as follows.

But I'm not sure how to proceed with verification with just this much info.

I found solutions for C# and .NET but not for Java. Please note I don't have the jks file or private key.

    import java.io.FileInputStream;
    import java.security.PublicKey;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    // Load the X.509 certificate from disk and extract the public key it carries
    FileInputStream fin = new FileInputStream("d://public.crt");
    CertificateFactory f = CertificateFactory.getInstance("X.509");
    X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
    PublicKey pk = certificate.getPublicKey();
    fin.close();
Arham
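The question's snippet ends with a `PublicKey` and nothing else, and the answers all pull in a library. The following is an added example, not code from the question or any of the answers, showing what the verification step actually does with only the JDK: split the compact serialization, insist that the header's `alg` matches the key type you hold (so the token cannot select `none` or an HMAC routine), verify `SHA256withRSA` over the `header.payload` bytes, then check `exp`. It assumes RS256 tokens (the usual case for certificate-backed JWTs) and, so that it runs offline, generates a constructed key pair and issues its own token; in practice `verifyRs256` is called with the `pk` from `certificate.getPublicKey()` in the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JwsVerify {

    private static final Pattern ALG_RS256 = Pattern.compile("\"alg\"\\s*:\\s*\"RS256\"");
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Verifies a compact RS256 JWS against a public key (e.g. certificate.getPublicKey()) and its exp; returns the payload JSON. */
    public static String verifyRs256(String token, PublicKey publicKey) throws GeneralSecurityException {
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new GeneralSecurityException("RS256 needs an RSA public key");
        }
        // Limit -1 keeps a trailing empty segment, so a token with an empty signature still has 3 parts
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            throw new GeneralSecurityException("compact JWS must have exactly three segments");
        }
        Base64.Decoder b64url = Base64.getUrlDecoder();
        String header = new String(b64url.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm to what the key supports; the token's header must not choose the routine
        if (!ALG_RS256.matcher(header).find()) {
            throw new GeneralSecurityException("header alg is not RS256: " + header);
        }
        // The signature covers the ASCII bytes of "<header>.<payload>" exactly as transmitted
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(publicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64url.decode(parts[2]))) {
            throw new GeneralSecurityException("signature does not verify");
        }
        String payload = new String(b64url.decode(parts[1]), StandardCharsets.UTF_8);
        // Minimal exp check without a JSON library; a real service should parse the claims properly
        Matcher m = EXP_CLAIM.matcher(payload);
        if (!m.find() || Long.parseLong(m.group(1)) <= Instant.now().getEpochSecond()) {
            throw new GeneralSecurityException("missing exp claim or token expired");
        }
        return payload;
    }

    /** Demo helper only: issues an RS256 token so the example runs without a real identity provider. */
    static String signRs256(String payloadJson, PrivateKey privateKey) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String h = enc.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String p = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(privateKey);
        sig.update((h + "." + p).getBytes(StandardCharsets.US_ASCII));
        return h + "." + p + "." + enc.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair for the demo; in practice publicKey is the one read from public.crt
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        long exp = Instant.now().getEpochSecond() + 300;
        String token = signRs256("{\"sub\":\"alice\",\"exp\":" + exp + "}", kp.getPrivate());
        System.out.println("accepted: " + verifyRs256(token, kp.getPublic()));

        // Negative test: payload altered after signing, so the signature no longer matches
        String[] parts = token.split("\\.");
        String altered = parts[0] + "." + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(("{\"sub\":\"bob\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8))
                + "." + parts[2];
        expectRejection(altered, kp.getPublic());

        // Negative test: header says alg "none" with an empty signature; rejected before any crypto runs
        String none = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "." + parts[1] + ".";
        expectRejection(none, kp.getPublic());
    }

    static void expectRejection(String token, PublicKey key) {
        try {
            verifyRs256(token, key);
            throw new IllegalStateException("verifier accepted a token it must reject");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two negative tests are what you want a verifier to fail on: a modified payload, and a header that tries to switch the algorithm. ES256 tokens would need a different `Signature` algorithm and a conversion of the raw `r||s` JWS signature to DER, which is why the JDK-only route is usually reserved for RS256 and anything else goes through a library.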

4 Answers

6

To verify a JWT in Java using the Auth0 library (com.auth0:java-jwt):

  1. Retrieve the algorithm the key has been signed with, for example:

    import java.security.PublicKey;
    import java.security.interfaces.ECPublicKey;
    import com.auth0.jwt.algorithms.Algorithm;

    // Load your public key from a file
    final PublicKey ecdsa256PublicKey = getPublicKey(...);
    // Public key only (private key null): this side verifies, it never signs
    final Algorithm algorithm = Algorithm.ECDSA256((ECPublicKey) ecdsa256PublicKey, null);

  2. Verify its signature using the corresponding algorithm:

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.interfaces.DecodedJWT;

    final DecodedJWT decodedJWT = JWT.decode("J.W.T[...]");
    // Will throw a SignatureVerificationException if the token's signature is invalid
    // (this checks the signature only, not the exp/iss/aud claims)
    algorithm.verify(decodedJWT);

Florian Lopes
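`Algorithm.verify(DecodedJWT)` as used above checks only the signature; expiry, issuer and audience are never looked at. The example below is added here and is not part of this answer or of the java-jwt project; it assumes `com.auth0:java-jwt` 3.x on the classpath and uses constructed issuer and audience values and a constructed RSA key pair so that it runs offline. It builds one reusable `JWTVerifier` that pins RS256 to the public key and enforces the claims, then shows which `JWTVerificationException` subclass each kind of bad token produces.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

public class JwtClaimsVerification {

    static final String ISSUER = "https://issuer.example";   // constructed value
    static final String AUDIENCE = "my-api";                 // constructed value

    /** Reusable verifier: pins RS256 to this key and enforces iss, aud and exp with 30 s of clock-skew leeway. */
    public static JWTVerifier buildVerifier(RSAPublicKey publicKey) {
        // Private key is null: this side only verifies and must never be able to sign
        Algorithm rs256 = Algorithm.RSA256(publicKey, null);
        return JWT.require(rs256)
                .withIssuer(ISSUER)
                .withAudience(AUDIENCE)
                .acceptLeeway(30)
                .build();
    }

    /** Demo helper: token builder with the given issuer and lifetime; the caller signs it. */
    static JWTCreator.Builder claims(String issuer, long lifetimeMillis) {
        return JWT.create()
                .withIssuer(issuer)
                .withAudience(AUDIENCE)
                .withSubject("alice")
                .withExpiresAt(new Date(System.currentTimeMillis() + lifetimeMillis));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; in practice the public key comes from the X.509 certificate or a JWKS document
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Algorithm signer = Algorithm.RSA256((RSAPublicKey) kp.getPublic(), (RSAPrivateKey) kp.getPrivate());
        JWTVerifier verifier = buildVerifier((RSAPublicKey) kp.getPublic());

        // Token that satisfies every rule
        DecodedJWT ok = verifier.verify(claims(ISSUER, 5 * 60_000).sign(signer));
        System.out.println("accepted subject: " + ok.getSubject());

        // Valid signature but wrong issuer -> InvalidClaimException
        expectRejection(verifier, claims("https://other.example", 5 * 60_000).sign(signer), "wrong issuer");

        // Expired beyond the 30 s leeway -> TokenExpiredException
        expectRejection(verifier, claims(ISSUER, -120_000).sign(signer), "expired");

        // Header alg HS256 instead of RS256 -> AlgorithmMismatchException, raised before the signature is checked
        expectRejection(verifier, claims(ISSUER, 5 * 60_000).sign(Algorithm.HMAC256("constructed-demo-secret")), "alg mismatch");

        // Signed by a different RSA key -> SignatureVerificationException
        KeyPair other = kpg.generateKeyPair();
        Algorithm otherSigner = Algorithm.RSA256((RSAPublicKey) other.getPublic(), (RSAPrivateKey) other.getPrivate());
        expectRejection(verifier, claims(ISSUER, 5 * 60_000).sign(otherSigner), "foreign key");
    }

    static void expectRejection(JWTVerifier verifier, String token, String why) {
        try {
            verifier.verify(token);
            throw new IllegalStateException("verifier accepted a token it must reject: " + why);
        } catch (JWTVerificationException e) {
            System.out.println("rejected (" + why + "): " + e.getClass().getSimpleName());
        }
    }
}
```

Build the verifier once and reuse it; `JWTVerifier` is thread-safe, and the order it applies (algorithm header, then signature, then claims) means a token with the wrong `alg` is refused before any key material is touched.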
2

I did something like this to verify a JWT

    import java.net.MalformedURLException;
    import java.net.URL;
    import java.security.interfaces.RSAPublicKey;
    import com.auth0.jwk.Jwk;
    import com.auth0.jwk.JwkException;
    import com.auth0.jwk.JwkProvider;
    import com.auth0.jwk.JwkProviderBuilder;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;

    try {
        DecodedJWT decodedJWT = JWT.decode(jwt); // your string
        // Look up the signing key that matches the token's "kid" header on the JWKS endpoint
        JwkProvider provider = new JwkProviderBuilder(new URL("JWKS URL")).build();
        Jwk jwk = provider.get(decodedJWT.getKeyId());
        Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
        JWT.require(algorithm).build().verify(decodedJWT);
    } catch (JWTVerificationException | JwkException | MalformedURLException e) {
        // throw your exception
    }

JwkProviderBuilder can be expensive, so if you are using Spring, you can extract it as another method and annotate it with @PostConstruct to optimise.

Abhishek Chandran
0

A working example with RSA key is as given below:

    import java.security.KeyFactory;
    import java.security.NoSuchAlgorithmException;
    import java.security.interfaces.RSAPublicKey;
    import java.security.spec.InvalidKeySpecException;
    import java.security.spec.X509EncodedKeySpec;
    import java.util.Base64;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import org.springframework.http.HttpStatus;
    import org.springframework.web.server.ResponseStatusException;

    /* Verification of JWT */
    try {
        String token = "some-token";
        String publicKey = "some-key"; // Base64 of the DER (SubjectPublicKeyInfo) encoding of the key

        //Convert public key string to RSAPublicKey
        byte[] publicKeyByteArr = Base64.getDecoder().decode(publicKey);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        RSAPublicKey rsaPublicKey = (RSAPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(publicKeyByteArr));

        //If the token has an invalid signature, a JWTVerificationException will be raised.
        Algorithm algorithm = Algorithm.RSA256(rsaPublicKey, null);
        JWTVerifier verifier = JWT.require(algorithm)
                    //.withIssuer("auth0")
                    .build(); //Reusable verifier instance
        DecodedJWT jwt = verifier.verify(token);

    } catch (InvalidKeySpecException | NoSuchAlgorithmException | JWTVerificationException e) {
        logger.info("JWT verification failed"); // logger: your application's logger instance
        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
    }

It's obvious, but please note that token and publicKey are arbitrary.

Sezerb
-3

If you are asking about JSON Web Token, you can follow the code sample below:

    import javax.xml.bind.DatatypeConverter;
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.Claims;

    //Sample method to validate and read the JWT
    //apiKey is a com.stormpath.sdk.api.ApiKey; setSigningKey with raw secret bytes means HMAC (shared-secret) verification
    private void parseJWT(String jwt) {

        //This line will throw an exception if it is not a signed JWS (as expected)
        Claims claims = Jwts.parser()
           .setSigningKey(DatatypeConverter.parseBase64Binary(apiKey.getSecret()))
           .parseClaimsJws(jwt).getBody();
        System.out.println("ID: " + claims.getId());
        System.out.println("Subject: " + claims.getSubject());
        System.out.println("Issuer: " + claims.getIssuer());
        System.out.println("Expiration: " + claims.getExpiration());
    }

For further reading, you can visit Click here

Yogi
  • 1
    What object is apiKey and how do I fetch its secret, given that I have only a public key cert file? – Arham Jul 31 '17 at 12:51
  • apiKey is an object of com.stormpath.sdk.api.ApiKey, which is used for holding the API key. String path = "resources/.stormpath/apiKey.properties"; ApiKey apiKey = ApiKeys.builder().setFileLocation(path).build(); – Yogi Jul 31 '17 at 14:25
  • 2
    This is not answering what the user asked. Verifying using a secret key is HS256 (HMAC), while verifying using a public key is RS256. – jumper rbk Aug 13 '18 at 02:46