
Ability to inspect body of signed JWT #67

Closed
nrktkt opened this issue Nov 20, 2015 · 6 comments

Comments

@nrktkt

nrktkt commented Nov 20, 2015

When attempting to read the body of a signed JWT without setting a key, an IllegalArgumentException is thrown. For example: Jwts.parser().parseClaimsJws(someJwtString).getBody().get("iss"). This makes sense, as it prevents users from ignoring signatures when they shouldn't.
However, sometimes it is useful to know some fields of the body before checking the signature. For example, if there are several possible issuers of a token, each with different signing keys or signature mechanisms. Addition of a method like parseUnsafe would grant the ability to inspect the body as well as alert the user (through the name) to the danger of the method. The user could then go back and parse the JWT as normal with signature checking.

@josebarrueta
Contributor

With the JJWT library you can already do this in a secure way, by setting a SigningKeyResolver

SigningKeyResolver resolver = new MySigningKeyResolver();

Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(resolver).parseClaimsJws(compact);

The signature is still validated, and the JWT instance will still not be returned if the jwt string is invalid, as expected. You just get to 'see' the JWT data for key discovery before the parser validates.

A small sample of how to use it and look at the JwsHeader and/or Claims:

Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            //inspect the header or claims, lookup and return the signing key
            String keyId = header.getKeyId(); //or any other field that you need to inspect
            return getSigningKey(keyId); //implement me
        }})
    .parseClaimsJws(compact);
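The multi-issuer case from the opening post, worked through end to end as an added example (not code from the JJWT project or from anyone in this thread). It uses the `Jwts.parser()` / `SigningKeyResolverAdapter` API shown above, as found in the 0.9.x-era JJWT artifact; the class name `MultiIssuerVerify`, the issuer URLs and the HMAC secrets are constructed for the example and would come from a key store or JWKS endpoint in practice. The point it adds to the comment above: the resolver reads `iss` from claims that are not yet verified, so it must fail closed on an unknown issuer, and it should also pin the algorithm to the kind of key it is about to return.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;

import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class MultiIssuerVerify {

    // Constructed example keys, one per trusted issuer (hypothetical issuer URLs).
    // Hard-coded only so the example runs offline; load them from a key store in real code.
    private static final Map<String, byte[]> ISSUER_KEYS = new HashMap<String, byte[]>();
    static {
        ISSUER_KEYS.put("https://idp-a.example", "a-32-byte-secret-for-issuer-A-00000".getBytes(StandardCharsets.UTF_8));
        ISSUER_KEYS.put("https://idp-b.example", "b-32-byte-secret-for-issuer-B-00000".getBytes(StandardCharsets.UTF_8));
    }

    // JJWT hands the resolver the parsed header and claims BEFORE the signature is checked.
    // Everything read here is attacker-controlled until parseClaimsJws() returns.
    private static final SigningKeyResolverAdapter RESOLVER = new SigningKeyResolverAdapter() {
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            // Pin the algorithm: these are HS256 secrets, so refuse any other 'alg' rather than
            // letting a header choose how the returned key bytes are interpreted.
            if (!SignatureAlgorithm.HS256.getValue().equals(header.getAlgorithm())) {
                throw new JwtException("unexpected alg: " + header.getAlgorithm());
            }
            String issuer = claims.getIssuer();
            byte[] key = issuer == null ? null : ISSUER_KEYS.get(issuer);
            if (key == null) {
                // Fail closed: an unknown issuer must never fall through to a default key.
                throw new JwtException("untrusted issuer: " + issuer);
            }
            return key;
        }
    };

    /** Verifies the token with the key of the issuer it names; throws JwtException otherwise. */
    public static Jws<Claims> verify(String compact) {
        return Jwts.parser().setSigningKeyResolver(RESOLVER).parseClaimsJws(compact);
    }

    /** Mints a short-lived HS256 token; used here only to build sample inputs. */
    static String mint(String issuer, byte[] key, String subject) {
        return Jwts.builder()
                .setIssuer(issuer)
                .setSubject(subject)
                .setExpiration(new Date(System.currentTimeMillis() + 60_000L))
                .signWith(SignatureAlgorithm.HS256, key)
                .compact();
    }

    public static void main(String[] args) {
        String fromA = mint("https://idp-a.example", ISSUER_KEYS.get("https://idp-a.example"), "alice");
        String fromB = mint("https://idp-b.example", ISSUER_KEYS.get("https://idp-b.example"), "bob");
        System.out.println("A: " + verify(fromA).getBody().getSubject()); // alice
        System.out.println("B: " + verify(fromB).getBody().getSubject()); // bob

        // Forgery 1: claims iss = A but is signed with B's key. The resolver picks A's key
        // from the (untrusted) iss claim and the signature check then fails.
        String forged = mint("https://idp-a.example", ISSUER_KEYS.get("https://idp-b.example"), "mallory");
        try {
            verify(forged);
        } catch (JwtException e) {
            System.out.println("rejected forgery: " + e.getClass().getSimpleName());
        }

        // Forgery 2: an issuer nobody trusts, signed with a key the attacker chose.
        String unknown = mint("https://evil.example",
                "whatever-key-the-attacker-chose-1234".getBytes(StandardCharsets.UTF_8), "mallory");
        try {
            verify(unknown);
        } catch (JwtException e) {
            System.out.println("rejected unknown issuer: " + e.getMessage());
        }
    }
}
```

The resolver never returns a Jws itself, so there is no window in which an unverified `iss` is acted on: the claims object that `verify()` returns is the one JJWT checked against the key the resolver chose, and every failure path throws before that happens.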

@nrktkt
Author

nrktkt commented Nov 20, 2015

Perfect, thank you.
I should have searched the closed issues better before posting, so sorry about that.

@lhazlewood
Contributor

No worries! :)

@thiloplanz

I am in the situation where a proxy should check the claims and expiration date of a signed token before passing it on. The proxy itself is not able to verify the signature, but I still want to be able to drop requests with invalid tokens (expired or missing claims).

Is there a good way to do that currently? Should I just strip off the signature part using String manipulation?

@ircecho

ircecho commented Feb 10, 2016

We have a similar problem. In the client, we only want to check if the token is expired or not and display a more informative message. We do not really care if the token was manipulated at this point, since our backend does the real verification. What would be a good way to do it?

@lhazlewood
Contributor

int i = jws.lastIndexOf('.');                      // jws is the compact "header.payload.signature" String
String withoutSignature = jws.substring(0, i + 1); // keep the trailing dot: "header.payload."
Jwt<Header,Claims> untrusted = Jwts.parser().parseClaimsJwt(withoutSignature); // parsed as an unsigned JWT: no key, no verification

That should work until we figure out a way to (safely) make this available in the library.
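The proxy pre-filter that thiloplanz asked for, and the client-side expiry check ircecho asked for, built on the signature-stripping trick from the comment above, as an added example (not code from the JJWT project or from anyone in this thread). It uses the 0.9.x-era `Jwts.parser()` API; the class name `UntrustedPrefilter`, the issuer URL and the backend secret are constructed for the example. It assumes, as the comment above does, that the parser accepts the signature-stripped string as an unsigned JWT, which should be confirmed for the library version actually in use. What it adds: `parseClaimsJwt` still enforces `exp`/`nbf`, so the expiry check comes for free, and the same stripped string is refused by `parseClaimsJws`, so this path can only drop requests, never authenticate them.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;
import java.util.Date;

public class UntrustedPrefilter {

    /**
     * Pre-filter for a component that cannot verify signatures: drop tokens that are
     * obviously unusable (expired, wrong issuer, missing subject) WITHOUT treating
     * anything in them as authenticated. The returned claims are for logging or
     * routing only; the backend must still run parseClaimsJws() with the real key.
     */
    public static Claims prefilter(String compact, String expectedIssuer) {
        int i = compact.lastIndexOf('.');
        if (i < 0) {
            throw new JwtException("not a compact JWT");
        }
        // "header.payload." keeps the two dots the parser expects but drops the signature,
        // so the parser treats it as an unsigned JWT and does not ask for a key.
        String withoutSignature = compact.substring(0, i + 1);
        // parseClaimsJwt still validates exp and nbf and throws ExpiredJwtException etc.
        Jwt<Header, Claims> untrusted = Jwts.parser().parseClaimsJwt(withoutSignature);
        Claims claims = untrusted.getBody();
        if (!expectedIssuer.equals(claims.getIssuer())) {
            throw new JwtException("unexpected issuer: " + claims.getIssuer());
        }
        if (claims.getSubject() == null) {
            throw new JwtException("missing sub claim");
        }
        return claims;
    }

    public static void main(String[] args) {
        // Constructed: the key only the backend holds; the proxy/client never sees it.
        byte[] backendKey = "backend-only-secret-the-proxy-never-sees-1".getBytes(StandardCharsets.UTF_8);
        String issuer = "https://idp.example"; // hypothetical issuer
        String valid = Jwts.builder().setIssuer(issuer).setSubject("alice")
                .setExpiration(new Date(System.currentTimeMillis() + 60_000L))
                .signWith(SignatureAlgorithm.HS256, backendKey).compact();
        String expired = Jwts.builder().setIssuer(issuer).setSubject("alice")
                .setExpiration(new Date(System.currentTimeMillis() - 60_000L))
                .signWith(SignatureAlgorithm.HS256, backendKey).compact();

        System.out.println("pass: " + prefilter(valid, issuer).getSubject()); // alice
        try {
            prefilter(expired, issuer);
        } catch (ExpiredJwtException e) {
            System.out.println("drop expired: " + e.getMessage());
        }

        // The limit of this approach: the stripped string must never be accepted where a
        // signature is required. parseClaimsJws refuses to return a Jws for an unsigned
        // token (UnsupportedJwtException in the JJWT versions contemporary with this thread),
        // which is also why stripping a signature does not turn into an 'alg: none' bypass.
        String stripped = valid.substring(0, valid.lastIndexOf('.') + 1);
        try {
            Jwts.parser().parseClaimsJws(stripped);
            System.out.println("BUG: unsigned token was accepted as a JWS");
        } catch (JwtException e) {
            System.out.println("backend refuses stripped token: " + e.getClass().getSimpleName());
        }
    }
}
```

Keep `prefilter()` and the backend's verifying parser in clearly separate code paths, and log that a decision was made on untrusted claims: the filter can shed load from expired or misdirected tokens, but a forged token with a plausible `iss` and a future `exp` will sail through it, by design.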

5 participants