Auth0

vibssingh

How to generate an access token and pass to another request in Postman?

Last Updated On

HOME

Generating and passing an access token in Postman involves a few steps, typically for use with APIs that require authentication. 

Implementation Steps

Step 1: Create a Request to Generate the Auth Token

  1. Open Postman and create a new request (e.g., POST/token).
  2. Enter the API endpoint that generates the token.
  3. Go to the Body tab → select raw → choose JSON → add the request body.
  4. Send the request.
  5. In the response, you’ll usually get a JSON with the access_token:

Step 2: Save the Token in an Environment Variable

After sending the request, go to the Scripts tab (next to Body/Headers).

Add the below script to capture and store the token:

pm.environment.set("TOKEN", pm.response.json().access_token)

Create a new Environment in Postman (top right → Environments → Add

Save the request.

Step 3: Use the Token in Another Request

  1. Create a new request.
  2. Go to the Headers tab.
  3. Add this header:
Key: Authorization
Value: Bearer {{Token}}

Send the request — Postman will automatically insert the token from the environment variable.

Quick Troubleshooting Checklist

1.Is the token saved correctly in environment variables? Token saved in one environment, but request uses another. Make sure you’ve selected the same environment (top-right dropdown in Postman).

2. Is the Authorization: Bearer {{Token}} header present?

3. Does the account have the correct permissions/scopes? Token is valid, but the user doesn’t have permission for that endpoint. Verify that your account has the right role/permissions.

4. Correct Content-Type is sent. Set header → Content-Type: application/json.

vibssingh

How to decode JWT Token with Auth0 in Java

HOME

Last Updated On

In this tutorial, we’ll learn how to decode a JWT using the Auth0 JWT Java Library.

To know how to create a JWT with Auth0, please refer this tutorial – Creating JWT with Auth0 in Java.

What is JWT Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

What is the JSON Web Token structure?

 JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header: Contains metadata about the token, such as the algorithm used.
 {
    "typ":"JWT",
    "alg":"HS256"
 }
  • Payload: Contains claims, like subject, issuer, expiration, etc.
{
  "sub":"test",
  "roles":"ROLE_ADMIN",
  "iss":"myself",
  "exp":1471086381
}
  • Signature: A cryptographic hash used to verify the token’s integrity.
HASHINGALGO( base64UrlEncode(header) + “.” + base64UrlEncode(payload),secret)

JSON Web Token

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ.1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw

Add the java-jwt dependency to the project:

 <dependency>
      <groupId>com.auth0</groupId>
      <artifactId>java-jwt</artifactId>
      <version>4.4.0</version>
 </dependency>

Implementation

1. The JWT.decode() method from the auth0 library decodes the token into its components without verifying the signature.

DecodedJWT decodedJWT = JWT.decode(jwtToken);

2. Retrieving Components:

Header: The Base64Url-encoded header.
Payload: The Base64Url-encoded payload.
Signature: The cryptographic signature.
getSubject() extracts the sub claim (subject).
getIssuer() extracts the iss claim (issuer).

String header = decodedJWT.getHeader();
String payload = decodedJWT.getPayload();
String signature = decodedJWT.getSignature();
String subject = decodedJWT.getSubject();
String issuer = decodedJWT.getIssuer();

3. The Base64.getUrlDecoder() decodes the Base64Url-encoded header and payload into human-readable JSON strings.

String decodedHeader = new String(java.util.Base64.getUrlDecoder().decode(header));
String decodedPayload = new String(java.util.Base64.getUrlDecoder().decode(payload));

Below is the complete code for JWT Token decode.

package com.example.JWT;
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

public class JWTAuth0Decoder {

    public static void main(String[] args) {

        String jwtToken = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0Iiwicm9sZXMiOiJST0xFX0FETUlOIiwiaXNzIjoibXlzZWxmIiwiZXhwIjoxNDcxMDg2MzgxfQ.1EI2haSz9aMsHjFUXNVz2Z4mtC0nMdZo6bo3-x-aRpw";
        DecodedJWT decodedJWT = JWT.decode(jwtToken);

        // Retrieve header, payload, and signature
        String header = decodedJWT.getHeader();
        String payload = decodedJWT.getPayload();
        String signature = decodedJWT.getSignature();
        String subject = decodedJWT.getSubject();
        String issuer = decodedJWT.getIssuer();

        // Print each component
        System.out.println("Header (Base64): " + header);
        System.out.println("Payload (Base64): " + payload);
        System.out.println("Signature: " + signature);
        System.out.println("Subject: " + subject);
        System.out.println("Issuer: " + issuer);

        String decodedHeader = new String(java.util.Base64.getUrlDecoder().decode(header));
        String decodedPayload = new String(java.util.Base64.getUrlDecoder().decode(payload));

        System.out.println(" ****************** Decoded Values ******************* ");
        System.out.println("Decoded Header: " + decodedHeader);
        System.out.println("Decoded Payload: " + decodedPayload);

    }
}

The output of the above program is

Points to Consider:-

1. The DecodedJWT.getSubject() and DecodedJWT.getIssuer() methods already extract and decode the claims. The attempt to decode them manually as Base64 will fail. They are not separately Base64-encoded. They are JSON values embedded in the payload.

2. The header and payload are Base64Url-encoded, so you we decode them to get the full JSON structures.

3. The signature cannot be “decoded” because it is a hash. It can only be validated using the appropriate cryptographic key.

For more information on JWT Auth0, refer to this – https://github.com/auth0/java-jwt.

That’s it! Congratulations on making it through this tutorial and hope you found it useful! Happy Learning!!

vibssingh

Creating JWT with Auth0 in Java

HOME

Last Updated On

In this tutorial, we’ll learn how to create a JWT using the Auth0 JWT Java Library.

Table of Contents

  1. What is JWT Token?
  2. What is the JSON Web Token structure?
  3. Why Use JWT in Java Applications?
  4. Implementation
    1. Explanation of Claims and Methods
    2. Custom Claims
    3. Standard Claims
    4. sign(algorithm)

What is JWT Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

What is the JSON Web Token structure?

 JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header: Contains metadata about the token, such as the algorithm used.
 {
    "typ":"JWT",
    "alg":"HS256"
 }
  • Payload: Contains claims, like subject, issuer, expiration, etc.
{
  "iss": "QA_Automation",
  "sub": "QA_Automation Details",
  "userId": "9821",
  "roles": "ROLE_ADMIN",
  "scope": "read write",
  "iat": 1680000000,
  "exp": 1680000100,
  "jti": "uuid-guid",
  "nbf": 1680000001
}
  • Signature: A cryptographic hash used to verify the token’s integrity.
HASHINGALGO( base64UrlEncode(header) + “.” + base64UrlEncode(payload),secret)

Why Use JWT in Java Applications?

1. Stateless Authentication: JWTs allow for stateless authentication, meaning the server doesn’t need to store user session information. This scalability and reduced server-side storage make JWTs advantageous for distributed systems.

2. Performance: Since JWTs are stateless, server-side lookup is eliminated. It Reduces server load and Improves response times for authenticated requests.

3. Interoperability: JWTs are designed to work across different technologies and systems. This interoperability is particularly useful in microservices architectures, where services may be implemented in different languages.

4. Cross-Domain Authentication: JWTs work well for Single Sign-On (SSO) and cross-domain authentication since they are independent of the application’s storage mechanisms.Users can log in once and access multiple applications without repeatedly authenticating.

 5. Secure Data Transfer: The use of signatures in JWTs ensures that the data has not been tampered with during transmission. This provides a level of security when exchanging information between the client and server. Ensures token integrity with algorithms like HS256 (HMAC) or RS256 (RSA).

6. Expiration and Revocation: JWTs include an exp (expiration) claim and can include a revocation mechanism via blacklists. Tokens expire automatically after a set time.

7. Flexibility with Custom Claims: JWT allows adding custom claims like user roles, permissions, or metadata. Tailor the token to your application’s needs.

Add the java-jwt dependency to the project:

 <dependency>
      <groupId>com.auth0</groupId>
      <artifactId>java-jwt</artifactId>
      <version>4.4.0</version>
 </dependency>

Implementation

1. Create an instance of the Algorithm class. In this tutorial, we’ll use the HMAC256 algorithm to sign our JWT:

Algorithm algorithm = Algorithm.HMAC256("qa-automation-expert-details");

2. To create a JWT, we use the JWT.create() method. The method returns an instance of the JWTCreator.Builder class. We will use this Builder class to build the JWT token by signing the claims using the Algorithm instance:

Explanation of Claims and Methods:
  1. withIssuer(“QA_Automation”): Adds the iss (issuer) claim, identifying the source of the token.
  2. withSubject(“QA_Automation Details”): Adds the sub (subject) claim, describing the token’s purpose or context (e.g., user or system identity).
.withIssuer("QA_Automation")
.withSubject("QA_Automation Details")
Custom Claims:
  1. withClaim(“userId”, “9821”): Adds a custom userId claim to identify the user.
  2. withClaim(“roles”, “ROLE_ADMIN”): Adds a custom roles claim, defining user roles (e.g., ROLE_ADMIN).
  3. withClaim(“scope”, “read write”): Adds a custom scope claim, specifying allowed actions.
.withClaim("userId", "9821")
.withClaim("roles", "ROLE_ADMIN")
.withClaim("scope", "read write")
Standard Claims:
  1. withIssuedAt(new Date()): Sets the iat (issued at) claim to the current timestamp, indicating when the token was created.
  2. withExpiresAt(new Date(System.currentTimeMillis() + 10000L)): Sets the exp (expiration) claim to 10 seconds from the current time. After this, the token will no longer be valid.
  3. withJWTId(UUID.randomUUID().toString()): Adds a unique identifier (jti claim) for the token using a random UUID.
  4. withNotBefore(new Date(System.currentTimeMillis() + 100L)): Adds the nbf (not before) claim, setting the token to be valid 100 milliseconds in the future.
 .withIssuedAt(new Date())
 .withExpiresAt(new Date(System.currentTimeMillis() + 10000L))
.withJWTId(UUID.randomUUID().toString())
.withNotBefore(new Date(System.currentTimeMillis() + 100L))
sign(algorithm)

Signs the JWT using the specified algorithm (HMAC256 with the given secret key). The output is the final Base64Url-encoded JWT.

.sign(algorithm);

Below is the complete code to create a JWT Token.

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Date;
import java.util.UUID;

public class JWTTokenGenerator {

    public static void main(String[] args) {

        Algorithm algorithm = Algorithm.HMAC256("qa-automation-expert-details");

        String jwtToken = JWT.create()
                .withIssuer("QA_Automation")
                .withSubject("QA_Automation Details")
                .withClaim("userId", "9821")
                .withClaim("roles", "ROLE_ADMIN")
                .withClaim("scope", "read write")
                .withIssuedAt(new Date())
                .withExpiresAt(new Date(System.currentTimeMillis() + 10000L))
                .withJWTId(UUID.randomUUID()
                        .toString())
                .withNotBefore(new Date(System.currentTimeMillis() + 100L))
                .sign(algorithm);

        System.out.println("jwtToken :" + jwtToken);
    }

}

The output of the above program is

Points to Consider:-

  1. Expiration: Tokens are set to expire (exp) after 10 seconds. This prevents misuse over time.
  2. Not Before: The nbf claim ensures the token is not valid until 100 milliseconds after creation.
  3. Claims: Custom claims like userId, roles, and scope allow encoding specific information for the application.
  4. JWT ID: The jti claim ensures token uniqueness.

That’s it! Congratulations on making it through this tutorial and hope you found it useful! Happy Learning!!