search

openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0
2.77k stars 874 forks source link

Support JWT decoding and validation #25

Open iainmcgin opened 8 years ago

iainmcgin commented 8 years ago

Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the jwks_uri keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.

b---c commented 8 years ago

Hi @iainmcgin, I'd like to ever so humbly suggest that jose4j be considered for JWT decoding and validation in AppAuth . It's an open source JWT/JOSE library in Java that has extensive support for consuming and validating JWTs including being able to dynamically obtain public keys from an HTTPS endpoint like Connect's jwks_uri.

iainmcgin commented 8 years ago

jose4j looks like a good choice Brian, thanks for the suggestion! The solution for this issue may actually just be documentation rather than code, pointing developers at other libraries (such as yours) that can perform this task rather than baking it in to AppAuth itself. We'd like to keep the dependencies of AppAuth as minimal as possible.

iainmcgin commented 7 years ago

163 has some code for this, so I'll need to evaluate that against adding a dependency on jose4j. Looks like jose4j 0.5.5 is ~250KB, which is almost twice as big as AppAuth itself (currently ~120KB). It may still be better to leave token validation to code outwith the library.

iainmcgin commented 5 years ago

Partially fixed by #385 - we will need to put in some extra work to expose the new [IdToken]() class as part of the public API. Right now it only holds the fields that are interesting for validation and discards the rest; storing the currently discarded claims as an "additionalClaims" map would be consistent with how we handle authorization requests etc.

v-khatri commented 4 years ago

Is IdToken available in latest release? (0.7.1)

sunilkumarjena21 commented 4 years ago

Hi @iainmcgin , I am still unable to access IdToken class. My need is to use parseJwtSection(String acessToken) method to parse the role [] from the acessToken.

Do we have any way to do it in AppAuth? Thanks in advance!

Whathecode commented 2 years ago

Our codebase was relying on a separate library to extract this information. I just abandoned this library as it contained a bug, and I found it an extensive additional dependency just to do some JSON parsing which I now do as follows:

fun getUserId(token: String): UUID? {
    val (_, payload, _) = accessToken.split('.')
    val payloadString = String(
        Base64.decode(payload, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING),
        Charset.defaultCharset()
    )
    val subjectPattern = Regex("\"sub\":\\s*\"([a-z0-9-]*)\"")
    val subject = requireNotNull(subjectPattern.find(payloadString)?.groupValues?.get(1))
        { "Invalid JWT access token."}

    return UUID.fromString(subject)
}

But, I'd prefer to replace this with the IdToken functionality of this library once it is exposed in the API. So just a reminder this issue is still relevant. :)

CoolMind commented 1 year ago

@Whathecode, please, add imports. What minimal SDK does it require?

CoolMind commented 1 year ago

See https://stackoverflow.com/questions/37695877/how-can-i-decode-jwt-token-in-android.

dr-star commented 4 days ago

To access the claims you can do 

authState.parsedIdToken.additionalClaims

See #759