ELIXIR-NO / FEGA-Norway

FEGA-Norway Mono repo
Apache License 2.0

A discussion on how we want to get data from token header and payload. #175

Open joshbaskaran opened 1 month ago

joshbaskaran commented 1 month ago

The way that data from the payload and header of a token was obtained in the older versions of our code base (Clearinghouse, sda-doa and tsd-related services, v1.1.2, which used com.auth0.jwt) was like this:

// JWT.decode only base64-decodes the token; it does not verify the signature
var decodedToken = JWT.decode(visaToken);
var jku = decodedToken.getHeaderClaim(JKU).asString();
var keyId = decodedToken.getKeyId();
// the key is looked up from the (unverified) jku/kid header values
var jwk = JWKProvider.INSTANCE.get(jku, keyId);

When we changed the library to io.jsonwebtoken, we imitated the same behavior in the first version after changing the lib (v1.2.0):

// drop the signature segment so jjwt treats the token as an unsigned JWT
var tokenArray = visaToken.split("[.]");
var token = tokenArray[0] + "."  + tokenArray[1] + ".";
// parseClaimsJwt accepts the unsigned form, so no signature check happens here
var jwt = Jwts.parserBuilder().build().parseClaimsJwt(token);
var jku = jwt.getHeader().get(JKU).toString();
var keyId = jwt.getHeader().get("kid").toString();
var jwk = JWKProvider.INSTANCE.get(jku, keyId);

All later changes also follow this approach. io.jsonwebtoken wants a public key to get data from a token; we should consider this and decide whether a refactor is necessary.

joshbaskaran commented 1 month ago

Converting this to an issue to keep track of comments.

I personally think we should refactor to using the pub key. Mostly because, in our code, we skip signature verification. Meaning, a third party can alter the header/payload part here before we get it, and we will simply parse the JWT and continue. This makes us susceptible to man-in-the-middle attacks. Regardless of the likelihood of it happening, it is a vulnerability that could be exploited, especially given that this code is public.
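As an added example (not code from the FEGA-Norway repo or either comment above), here is what the refactor discussed in both comments could look like with io.jsonwebtoken 0.11.x, the API generation that has `Jwts.parserBuilder()`: a `SigningKeyResolver` reads `jku` and `kid` from the header, which jjwt decodes before verifying, looks up the public key, and jjwt then verifies the signature before any claim is returned. The project's `JWKProvider` lookup is replaced by an in-memory map, the issuer URL and key id are hypothetical, the token is a constructed sample signed with a freshly generated RSA key, and the JKU allow-list is an assumption about how a deployment would restrict issuers. `parseUnverified` reproduces the signature-dropping approach from the first comment so the two behaviours can be compared on a tampered token.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class VerifiedVisaParser {

    // Constructed stand-in for the project's JWKProvider: "jku#kid" -> public key.
    // A real implementation fetches and caches the JWKS document published at jku.
    private final Map<String, PublicKey> keysByJkuAndKid;
    // Assumed allow-list of JKU URLs we are willing to take keys from. Without it,
    // anyone can mint a token whose header points at a JWKS they control.
    private final Set<String> trustedJku;

    public VerifiedVisaParser(Map<String, PublicKey> keysByJkuAndKid, Set<String> trustedJku) {
        this.keysByJkuAndKid = keysByJkuAndKid;
        this.trustedJku = trustedJku;
    }

    /** Returns the visa claims only after jjwt has verified the signature with the resolved key. */
    public Claims parseVerified(String visaToken) {
        return Jwts.parserBuilder()
                .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                    @Override
                    public Key resolveSigningKey(JwsHeader header, Claims claims) {
                        // jjwt hands us the decoded header before verifying, so we can
                        // pick the key from jku/kid, but nothing in it is trusted yet.
                        Object jku = header.get("jku");
                        String kid = header.getKeyId();
                        if (jku == null || kid == null) {
                            throw new JwtException("visa header lacks jku or kid");
                        }
                        if (!trustedJku.contains(jku.toString())) {
                            throw new JwtException("untrusted jku: " + jku);
                        }
                        PublicKey key = keysByJkuAndKid.get(jku + "#" + kid);
                        if (key == null) {
                            throw new JwtException("unknown kid " + kid + " for " + jku);
                        }
                        return key;
                    }
                })
                .build()
                .parseClaimsJws(visaToken) // throws SignatureException if the signature is bad
                .getBody();
    }

    /** The approach from the issue: drop the signature segment and parse header+payload as unsigned. */
    public static Claims parseUnverified(String visaToken) {
        String[] parts = visaToken.split("[.]");
        return Jwts.parserBuilder().build().parseClaimsJwt(parts[0] + "." + parts[1] + ".").getBody();
    }

    public static void main(String[] args) throws Exception {
        String jku = "https://issuer.example/jwks.json"; // hypothetical issuer JWKS URL
        String kid = "visa-key-1";                        // hypothetical key id

        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuerKeys = gen.generateKeyPair();

        VerifiedVisaParser parser = new VerifiedVisaParser(
                Map.of(jku + "#" + kid, issuerKeys.getPublic()), Set.of(jku));

        // Issuer side: a constructed visa, signed, with jku and kid in the header.
        String visa = Jwts.builder()
                .setHeaderParam("jku", jku)
                .setHeaderParam("kid", kid)
                .setSubject("alice@example.org")
                .claim("dataset", "dataset-1")
                .signWith(issuerKeys.getPrivate(), SignatureAlgorithm.RS256)
                .compact();

        // Someone in the path rewrites the payload; they cannot re-sign it.
        String[] parts = visa.split("[.]");
        Base64.Decoder dec = Base64.getUrlDecoder();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = new String(dec.decode(parts[1]), StandardCharsets.UTF_8)
                .replace("alice@example.org", "mallory@example.org");
        String forged = parts[0] + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + parts[2];

        System.out.println("genuine, verified  : " + parser.parseVerified(visa).getSubject());
        // The signature-dropping parse never looks at parts[2], so the rewritten subject comes back as-is.
        System.out.println("forged, unverified : " + parseUnverified(forged).getSubject());
        try {
            parser.parseVerified(forged);
        } catch (JwtException e) {
            System.out.println("forged, verified   : rejected with " + e.getClass().getSimpleName());
        }
    }
}
```

The point of the resolver is ordering: the header is read to choose a key, but no claim leaves `parseVerified` until jjwt has checked the signature against that key, which is the property the current split-and-parse code gives up. The `jku` allow-list is not optional in this design, because the header is attacker-controlled until verification and would otherwise let a token name any key server. Later jjwt releases (0.12 onward) replaced `SigningKeyResolver` with a `Locator<Key>` passed to `keyLocator(...)`, but the same resolve-then-verify structure applies.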