
I'm encrypting a token like this:

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// claims (IEnumerable<Claim>) and _configuration (IConfiguration) are set up elsewhere
var now = DateTime.UtcNow;

// One symmetric key is used both for signing (HS256) and for content encryption.
// A256CBC-HS512 needs a 64-byte key (32 bytes HMAC, 32 bytes AES), so the configured
// secret must be 64 ASCII characters or the handler rejects it.
var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(_configuration.GetSection("TokenAuthentication:SecretKey").Value));
// "dir": the key above is used directly as the content-encryption key, no key wrapping
var encryptingCredentials = new EncryptingCredentials(signingKey, JwtConstants.DirectKeyUseAlg, SecurityAlgorithms.Aes256CbcHmacSha512);

// Create the JWT and write it to a string.
// With encryptingCredentials set, the handler signs the claims (JWS) and then wraps
// the signed token inside a JWE, so the output has five segments, not three.
var jwtSecurityToken = new JwtSecurityTokenHandler().CreateJwtSecurityToken(
    issuer: _configuration.GetSection("TokenAuthentication:Issuer").Value,
    audience: _configuration.GetSection("TokenAuthentication:Audience").Value,
    subject: new ClaimsIdentity(claims),
    notBefore: now,
    expires: now.Add(TimeSpan.FromMinutes(5)),
    issuedAt: now,
    signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256),
    encryptingCredentials: encryptingCredentials
);

var encodedJwt = new JwtSecurityTokenHandler().WriteToken(jwtSecurityToken);

in a .NET Core service, and I want to be able to decrypt the token in JavaScript. I've tried the solution from 'Decrypting signature and Verifying JWT' but can't get further than 'Error: Malformed UTF-8 data'.

Is there a simple solution?

Sven.hig
Paul Grenyer
  • is there any reason to do it manually like in the linked q/a? Usually I would suggest to use one of the many [JWT libraries](https://jwt.io/#libraries-io). Btw. to get the payload data of a JWT you only have to **decode** the JWT, as it is just base64url **encoded**, **not encrypted** – jps Jun 23 '20 at 06:52
  • maybe you can try this function https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library – Emon Jun 23 '20 at 06:54
  • Thanks. I've got no desire to do it manually. I'm happy to use a library, in fact I'd prefer to. Just need to find one which works. Will take another look. – Paul Grenyer Jun 23 '20 at 07:03
  • why do you want to "decrypt" the JWT? What are you expecting to get from this and why? JWTs should just be treated as tokens that are passed to the server. There isn't anything for the client to do with them apart from passing them with their HTTP request? – Liam Jun 23 '20 at 07:40
  • @Liam that's true. And esp. when you're working with symmetric keys (like in the question), sharing the key on the client side is a big no no! – jps Jun 23 '20 at 07:58
  • Ok, so perhaps lose the encryption? I want to decode the key to get claims, username, etc. – Paul Grenyer Jun 23 '20 at 08:04
  • @PaulGrenyer some libs allow decoding the token without verification. – jps Jun 23 '20 at 08:26
  • Thanks @Liam, this is the conclusion I've now come to. – Paul Grenyer Jun 23 '20 at 08:37

2 Answers

1

There are many libraries you can use for this. njwt is one of them.

It is important to understand how the JWT mechanism works. Cover some theory and this will save a lot of time debugging and hair-pulling.

However, whatever the library you use, you will have to pay close attention to the following matters in a production setup:

  1. Store the private key correctly and securely
  2. Load the private key securely using a key resolver

Here is a way to begin all that:

First, start with a hard-coded approach. Once you know that your token verification works, plan for storing your key securely and loading it using a key resolver (part of the above library) based on the kid standard claim.

Here is the core token verification without any of the above standard practices.

const nJwt = require('njwt');

// signingKey: the same shared secret the server used to mint the token.
// Keep it on the server; a symmetric key must never be shipped to a browser.
nJwt.verify(token, signingKey, function (err, verifiedJwt) {
  if (err) {
    console.log(err); // Token has expired, has been tampered with, etc.
  } else {
    console.log(verifiedJwt); // Will contain the header and body
  }
});
Charlie
-1

Try https://github.com/auth0/jwt-decode. You do not need to do any tricky stuff there. Just pass the string with the JWT token as an argument to the "jwt_decode" function.