Professional Documents
Culture Documents
JWT Decode Vs Verify
JWT Decode Vs Verify
* [Inspecting a DecodedJWT](#inspecting-a-decodedjwt)
* [DateTime Claim Validation](#datetime-claim-validation)
* [Using custom claims](#using-custom-claims)
* [Using a KeyProvider](#using-a-keyprovider)
## Inspecting a DecodedJWT
The successful verification of a JWT returns a `DecodedJWT`, from which you can
obtain its contents.
```java
DecodedJWT jwt = JWT.require(algorithm)
.build()
.verify("a.b.c");
A JWT token may include DateNumber fields that can be used to validate that:
When verifying a JWT, the standard DateTime claims are validated by default. A
`JWTVerificationException` is thrown if any of the claim values are invalid.
To specify a **leeway** in which the JWT should still be considered valid, use the
`acceptLeeway()` method in the `JWTVerifier` builder and pass a positive seconds
value. This applies to every item listed above.
```java
JWTVerifier verifier = JWT.require(algorithm)
.acceptLeeway(1) // 1 sec for nbf, iat and exp
.build();
```
You can also specify a custom value for a given DateTime claim and override the
default one for only that claim.
```java
JWTVerifier verifier = JWT.require(algorithm)
.acceptLeeway(1) //1 sec for nbf and iat
.acceptExpiresAt(5) //5 secs for exp
.build();
```
If you need to test this behavior in your application, cast the `Verification`
instance to a `BaseVerification` to gain visibility of the `verification.build()`
method that accepts a `java.time.Clock`. e.g.:
```java
BaseVerification verification = (BaseVerification) JWT.require(algorithm)
.acceptLeeway(1)
.acceptExpiresAt(5);
private final Clock mockNow = Clock.fixed(Instant.ofEpochSecond(1477592),
ZoneId.of("UTC"));
JWTVerifier verifier = verification.build(clock);
```
```java
String jwt = JWT.create()
.withHeader(headerMap)
.withClaim("string-claim", "string-value")
.withClaim("number-claim", 42)
.withClaim("bool-claim", true)
.withClaim("datetime-claim", Instant.now())
.sign(algorithm);
```
```java
JWTVerifier verifier = JWT.require(algorithm)
.withClaim("number-claim", 123)
.withClaimPresence("some-claim-that-just-needs-to-be-present")
.withClaim("predicate-claim", (claim, decodedJWT) -> "custom
value".equals(claim.asString()))
.build();
DecodedJWT jwt = verifier.verify("my.jwt.token");
```
## Using a KeyProvider
A `KeyProvider` can be used to obtain the keys needed for signing and verifying a
JWT. How these keys are constructed are beyond the scope of this library, but the
[jwks-rsa-java](https://github.com/auth0/jwks-rsa-java) library provides the
ability to obtain the public key from a JWK.
The example below demonstrates this for the RSA algorithm (`ECDSAKeyProvider` can
be used for ECDSA).
```java
JwkProvider provider = new JwkProviderBuilder("https://samples.auth0.com/")
.cached(10, 24, TimeUnit.HOURS)
.rateLimited(10, 1, TimeUnit.MINUTES)
.build();
final RSAPrivateKey privateKey = // private key
final String privateKeyId = // private key ID
@Override
public RSAPrivateKey getPrivateKey() {
// return the private key used
return rsaPrivateKey;
}
@Override
public String getPrivateKeyId() {
return rsaPrivateKeyId;
}
};