Open iainmcgin opened 8 years ago
Hi @iainmcgin, I'd like to ever so humbly suggest that jose4j be considered for JWT decoding and validation in AppAuth . It's an open source JWT/JOSE library in Java that has extensive support for consuming and validating JWTs including being able to dynamically obtain public keys from an HTTPS endpoint like Connect's jwks_uri
.
jose4j looks like a good choice Brian, thanks for the suggestion! The solution for this issue may actually just be documentation rather than code, pointing developers at other libraries (such as yours) that can perform this task rather than baking it in to AppAuth itself. We'd like to keep the dependencies of AppAuth as minimal as possible.
Partially fixed by #385 - we will need to put in some extra work to expose the new [IdToken]() class as part of the public API. Right now it only holds the fields that are interesting for validation and discards the rest; storing the currently discarded claims as an "additionalClaims" map would be consistent with how we handle authorization requests etc.
Is IdToken available in latest release? (0.7.1)
Hi @iainmcgin , I am still unable to access IdToken class. My need is to use parseJwtSection(String acessToken) method to parse the role [] from the acessToken.
Do we have any way to do it in AppAuth? Thanks in advance!
Our codebase was relying on a separate library to extract this information. I just abandoned this library as it contained a bug, and I found it an extensive additional dependency just to do some JSON parsing which I now do as follows:
fun getUserId(token: String): UUID? {
val (_, payload, _) = accessToken.split('.')
val payloadString = String(
Base64.decode(payload, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING),
Charset.defaultCharset()
)
val subjectPattern = Regex("\"sub\":\\s*\"([a-z0-9-]*)\"")
val subject = requireNotNull(subjectPattern.find(payloadString)?.groupValues?.get(1))
{ "Invalid JWT access token."}
return UUID.fromString(subject)
}
But, I'd prefer to replace this with the IdToken
functionality of this library once it is exposed in the API. So just a reminder this issue is still relevant. :)
@Whathecode, please, add imports. What minimal SDK does it require?
To access the claims you can do
authState.parsedIdToken.additionalClaims
See #759
Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the
jwks_uri
keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.