In this tutorial, we’ll learn how to decode a JWT using the Auth0 JWT Java Library.
To learn how to create a JWT with Auth0, please refer to this tutorial: Creating JWT with Auth0 in Java.
What is a JWT Token?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
What is the JSON Web Token structure?
JSON Web Tokens consist of three parts separated by dots (.), which are:
- Header: contains metadata about the token, such as the signing algorithm used.
  {
    "typ":"JWT",
    "alg":"HS256"
  }
- Payload: contains claims, such as subject, issuer, expiration, etc.
  {
    "sub":"test",
    "roles":"ROLE_ADMIN",
    "iss":"myself",
    "exp":1471086381
  }
- Signature: a keyed hash (HMAC) or digital signature over the header and payload, used to verify the token's integrity.
  HASHINGALGO(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
The resulting JSON Web Token:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ.1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw
Add the java-jwt dependency to the project (Maven):
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>4.4.0</version>
</dependency>
Implementation
1. The JWT.decode() method from the Auth0 library splits the token into its components and parses them without verifying the signature; the claims it returns are therefore unverified input.
DecodedJWT decodedJWT = JWT.decode(jwtToken);
2. Retrieving components:
- getHeader(): the Base64Url-encoded header.
- getPayload(): the Base64Url-encoded payload.
- getSignature(): the cryptographic signature.
- getSubject(): extracts the sub claim (subject).
- getIssuer(): extracts the iss claim (issuer).
String header = decodedJWT.getHeader();
String payload = decodedJWT.getPayload();
String signature = decodedJWT.getSignature();
String subject = decodedJWT.getSubject();
String issuer = decodedJWT.getIssuer();
3. Base64.getUrlDecoder() decodes the Base64Url-encoded header and payload into human-readable JSON strings. Pass an explicit charset to the String constructor so the result does not depend on the platform default encoding:
String decodedHeader = new String(java.util.Base64.getUrlDecoder().decode(header), java.nio.charset.StandardCharsets.UTF_8);
String decodedPayload = new String(java.util.Base64.getUrlDecoder().decode(payload), java.nio.charset.StandardCharsets.UTF_8);
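The steps above read the raw Base64Url segments. The DecodedJWT object also exposes the header fields and every claim through typed accessors, so the manual Base64 round trip is only needed when the raw JSON itself is wanted. The following program is an added example, not part of the original tutorial; the class name JWTClaimInspector is an arbitrary choice, and the token is the tutorial's own sample token. Like JWT.decode() itself, it performs no verification, so every value it prints is untrusted until a JWTVerifier has checked the signature.

```java
package com.example.JWT;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Date;

// Added example (not from the original tutorial): read header fields and claims
// through the typed DecodedJWT accessors. Decode-only: nothing here is verified.
public class JWTClaimInspector {

    // The tutorial's sample token
    static final String SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ.1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw";

    public static void main(String[] args) {
        DecodedJWT jwt = JWT.decode(SAMPLE_TOKEN);

        // Header fields via accessors; no Base64 handling needed
        System.out.println("alg : " + jwt.getAlgorithm()); // "HS256"
        System.out.println("typ : " + jwt.getType());      // null: this token's header carries no "typ"

        // Registered claims come back already parsed and typed
        System.out.println("sub : " + jwt.getSubject());
        System.out.println("iss : " + jwt.getIssuer());
        Date exp = jwt.getExpiresAt();                      // "exp" as a java.util.Date
        System.out.println("exp : " + exp);

        // Custom claims: getClaim() never returns null. A claim that is absent from
        // the payload yields a Claim whose isMissing() is true and asString() is null.
        Claim roles = jwt.getClaim("roles");
        System.out.println("roles : " + roles.asString());  // "ROLE_ADMIN"
        Claim department = jwt.getClaim("department");
        System.out.println("department present : " + !department.isMissing()); // false

        // A quick look at expiry on the unverified token. The authoritative check is
        // JWTVerifier, which evaluates exp only after the signature has passed.
        if (exp != null && exp.toInstant().isBefore(Instant.now())) {
            System.out.println("token expired at " + exp.toInstant());
        }

        // Only when the raw JSON is wanted: decode the segment with an explicit charset
        String payloadJson = new String(Base64.getUrlDecoder().decode(jwt.getPayload()), StandardCharsets.UTF_8);
        System.out.println("payload JSON : " + payloadJson);
    }
}
```

getClaim("roles").asString() and getExpiresAt() replace the hand-written Base64 decoding of the payload entirely; the raw-JSON decode at the end is kept only to show the equivalence with step 3.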
Below is the complete code for JWT Token decode.
package com.example.JWT;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JWTAuth0Decoder {

    public static void main(String[] args) {
        String jwtToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ.1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw";

        // Decode only: the signature is NOT verified here
        DecodedJWT decodedJWT = JWT.decode(jwtToken);

        // Retrieve header, payload, and signature (header and payload are still Base64Url-encoded)
        String header = decodedJWT.getHeader();
        String payload = decodedJWT.getPayload();
        String signature = decodedJWT.getSignature();
        // Registered claims are returned already parsed from the payload JSON
        String subject = decodedJWT.getSubject();
        String issuer = decodedJWT.getIssuer();

        // Print each component
        System.out.println("Header (Base64): " + header);
        System.out.println("Payload (Base64): " + payload);
        System.out.println("Signature: " + signature);
        System.out.println("Subject: " + subject);
        System.out.println("Issuer: " + issuer);

        // Base64Url-decode the header and payload into JSON, using an explicit charset
        String decodedHeader = new String(Base64.getUrlDecoder().decode(header), StandardCharsets.UTF_8);
        String decodedPayload = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);

        System.out.println(" ****************** Decoded Values ******************* ");
        System.out.println("Decoded Header: " + decodedHeader);
        System.out.println("Decoded Payload: " + decodedPayload);
    }
}
The output of the above program is:
Header (Base64): eyJhbGciOiJIUzI1NiJ9
Payload (Base64): eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ
Signature: 1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw
Subject: test
Issuer: myself
 ****************** Decoded Values ******************* 
Decoded Header: {"alg":"HS256"}
Decoded Payload: {"sub":"test","roles":"ROLE_ADMIN","iss":"myself","exp":1471086381}
Points to Consider:
1. The DecodedJWT.getSubject() and DecodedJWT.getIssuer() methods already extract and decode the claims. Attempting to decode them manually as Base64 will fail, because they are not separately Base64-encoded; they are JSON values embedded in the payload.
2. The header and payload are Base64Url-encoded, so we decode them to get the full JSON structures.
3. The signature cannot be "decoded" because it is a keyed hash (HMAC) or digital signature, not encoded data. It can only be validated using the appropriate cryptographic key.
For more information on the Auth0 java-jwt library, refer to https://github.com/auth0/java-jwt.
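Point 3 is the one that matters in practice: JWT.decode() tells you what a token claims, and only JWTVerifier tells you whether those claims can be trusted. The program below is an added example, not part of the original tutorial or of the java-jwt project. It signs a fresh token with a constructed demo secret (DEMO_SECRET, an assumption; real code loads the secret from configuration), verifies it with JWT.require(...).build().verify(), then feeds the same verifier the tutorial's sample token and a token whose payload was edited after signing, to show that decode() reports the edited claims as if they were real while verify() rejects both.

```java
package com.example.JWT;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Date;

// Added example, not part of the tutorial: JWT.decode() (no signature check)
// versus JWTVerifier.verify() (signature, algorithm, issuer and expiry checked).
public class JWTAuth0Verifier {

    // Constructed demo secret (assumption). Real code loads the secret from
    // configuration or a secrets manager; HS256 wants at least 32 random bytes.
    private static final String DEMO_SECRET = "demo-secret-for-this-example-only-0123456789";

    // The tutorial's sample token
    private static final String SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ.1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw";

    /** Signs a token with the same claim layout as the tutorial's sample. */
    static String issue(Algorithm alg, String subject, String roles, long ttlSeconds) {
        Instant now = Instant.now();
        return JWT.create()
                .withIssuer("myself")
                .withSubject(subject)
                .withClaim("roles", roles)
                .withIssuedAt(Date.from(now))
                .withExpiresAt(Date.from(now.plusSeconds(ttlSeconds)))
                .sign(alg);
    }

    /** Returns the verified token, or null (with the reason printed) when it is rejected. */
    static DecodedJWT verifyOrNull(JWTVerifier verifier, String token) {
        try {
            return verifier.verify(token);
        } catch (TokenExpiredException e) {
            System.out.println("rejected, expired: " + e.getMessage());
        } catch (JWTVerificationException e) {
            // Bad signature, algorithm mismatch, wrong issuer, malformed token, ...
            System.out.println("rejected, " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
        return null;
    }

    /** Re-encodes the payload with one claim value replaced; the signature is left as is. */
    static String withPayloadEdited(String token, String from, String to) {
        String[] parts = token.split("\\.");
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        String edited = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.replace(from, to).getBytes(StandardCharsets.UTF_8));
        return parts[0] + "." + edited + "." + parts[2];
    }

    public static void main(String[] args) {
        Algorithm hmac = Algorithm.HMAC256(DEMO_SECRET);
        JWTVerifier verifier = JWT.require(hmac)   // pins the algorithm: an "alg" mismatch is rejected
                .withIssuer("myself")              // "iss" must match
                .acceptLeeway(5)                   // seconds of clock skew tolerated on exp/nbf/iat
                .build();

        // 1. A token signed with our secret passes every check
        String fresh = issue(hmac, "test", "ROLE_ADMIN", 300);
        DecodedJWT ok = verifyOrNull(verifier, fresh);
        System.out.println("fresh token accepted: " + (ok != null)
                + ", roles=" + (ok == null ? "n/a" : ok.getClaim("roles").asString()));

        // 2. The tutorial's sample token decodes, but verification rejects it. The signature
        //    check runs first and fails (it was signed with a different secret); with the
        //    right secret it would fail on the next check, exp=1471086381 (August 2016).
        System.out.println("sample token decodes to sub=" + JWT.decode(SAMPLE_TOKEN).getSubject());
        verifyOrNull(verifier, SAMPLE_TOKEN);

        // 3. An edited payload: decode() still returns the changed claim as if it were real,
        //    verify() rejects it because the signature no longer matches the content
        String edited = withPayloadEdited(fresh, "ROLE_ADMIN", "ROLE_USER");
        System.out.println("decode() of edited token reports roles="
                + JWT.decode(edited).getClaim("roles").asString());
        verifyOrNull(verifier, edited);
    }
}
```

The rule this encodes for application code: call verify() once at the trust boundary and read claims only from the DecodedJWT it returns; reserve JWT.decode() for logging, debugging and routing decisions that do not grant anything.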
That’s it! Congratulations on making it through this tutorial and hope you found it useful! Happy Learning!!