
I am working on some OAuth authentication and I have received a response in this format:

{ "access_token": "+Bx8TPv3p0ieWchU7pphuKpBIxOXjadioiZRkMjneS4=", "token_type": "Bearer", "id_token": "eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBZmhGRVpsanZwSTFhYXIybDJzblB6d3ROakZkVTZtUTlnUk13YnQ3aDlzWGVOTkF1VVBkSlE5ci1nbWN1eVBfRDNEVG8xY212SGI1SGIzTmFFYjJMMEEwIiwieSI6IkFDVk1Lc3JWMUZsMWtWdGlMX2o2b2JRU1V6bGpMTU5pSmZqWmRINk5rOXN3TG1XREdoTEhPWllBLUFsSUlSd1JJbGZYNwia2lkIjoicG1zX3N0Z18wMiIsImN0eSI6IkpXVCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJhbGciOiJFQ0RILUVTK0EyNTZLVyJ9.NVv3Ksn90oxZhvMpU-qOFzNBB1lCs1dwnOdPRzfB-6nTgyGTBYs_KeszSfpsDBN7S_ZyM_TQJKyCJ75etegML0hI_p8IJUSs.msWjFQBaRre2q0KNTy7Bbg.QjfDpJJxHBrYscJOhMd8kA32KCibdcfPg0Zd2CuT6zLVjtHJj6zTJTISxu1iWx-m-yfZEcyeWb8aZ7Avtpv1oIIXUu2QyVCP_x5qh2WCw337P-o-2kYm1IrOPTEO_oFiXU-FIoN_OiPLfFaxPI4usmIazJGfv_P9rnYnT1wmpAs0Fvv8PzmR2lA1ftTfoj_vKpNTbCXHJL2k8HmlfgoRxc2Bvs-3IMUa-BdrcUVYaxZVEcj8jrE75ZrscVdAWIu-T5Fq1tlpLgNhRKzdJIsW6D3yH_28Dx5V5Ylc5erLWdXi3BsLjl96_QCoAwo9HCRu_QH6L86zy5qA64ywnyP5ZxqlNpgoMwYSrtI7eKnKENYe84nbSVbE-e-bY4Fp1MeYqbL5WHmL5Q3DhjtVX6KC5NGJXozYLHziS2IKIq1vcrPvCoe1Hvw77SjlzkjH11odDYU38KTmgDSNhAxi02NYWND-c78DzTtgq4VTFcSkyN_a_CUfMNC2OPqImztB1zJ1u361gdZztL0dHs1Q5HINmFXLGPiC3VgSzvOkpUUrtmdcUCcHRT8YLkKLfvwmqPdqC41txIlYcw7pAR_DgCtjmdQVAgWtPFsWoAWKi6ONJf8.EYsQawh1gIjejXQeo3119RZ6XioO2tWVC3jhEQPr184" }

The id_token is supposed to be just a JWT. However, if I put the token into jwt.io, it says "invalid JSON object".

I have checked with my vendor and he said the id_token has been encrypted with the public key (use: enc) in the JWKS at this link, which I created for my vendor: http://singpasslogin.herokuapp.com/jwks

Since this id_token has been encrypted, how can I decrypt it now? I am using jsonwebtoken, but somehow I could not find any related method that I could use to decrypt it.

Normally we would do something like this to get the payload, but this is not working now.

const jwt = require('jsonwebtoken');

// Verify the signature of a (plain, signed) JWT and hand back its decoded payload.
// jsonwebtoken only handles JWS; it has no method for decrypting a JWE.
jwt.verify(
  response.data.id_token,
  privatekey,                  // key material used to check the ES512 signature
  { algorithms: ['ES512'] },   // pin the algorithm so the token cannot pick its own
  (error, payload) => {
    if (error) {
      console.log(error)       // e.g. "invalid token" for a token that is not a JWS
    } else {
      console.log(payload)     // the claims, e.g. the user's name
    }
  }
)

Now that the id_token is encrypted, how should I read it? My vendor said the name of the user is in the id_token of the response that I received, but somehow I do not know how to read it.

Any help or explanation would be greatly appreciated.

Daryl Wong
  • The `access_token` that you show above is not a JWT, but the `id_token` is a normal JWT; it's not encrypted and I don't get any errors when I paste it into jwt.io. It's signed with `ES256` and you need the matching public key to verify it. – jps Mar 08 '21 at 10:11
  • @jps the one that I have here is just an example; I have replaced it with the real token that I received. Now if you paste it in again, you will see the error. – Daryl Wong Mar 08 '21 at 10:13
  • That's a JWE (encrypted JWT). You can't decode it on jwt.io. The jsonwebtoken package doesn't support JWE; look into https://github.com/panva/jose – jps Mar 08 '21 at 10:21
  • @jps, my vendor did mention something like jose, let me check. – Daryl Wong Mar 08 '21 at 10:24
  • or this one: https://github.com/cisco/node-jose – jps Mar 08 '21 at 10:53
  • @jps I am looking at using node-jose; there is something called the keystore. Do you know how I can get the keystore? – Daryl Wong Mar 08 '21 at 12:37
  • @jps, got it, I have managed to get the decrypted payload using this package https://github.com/panva/jose – Daryl Wong Mar 08 '21 at 22:47

0 Answers