{"id":87471,"date":"2019-01-28T09:33:19","date_gmt":"2019-01-28T07:33:19","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=87471"},"modified":"2019-02-04T09:25:10","modified_gmt":"2019-02-04T07:25:10","slug":"tutorial-create-verify-jwts-java","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2019\/01\/tutorial-create-verify-jwts-java.html","title":{"rendered":"Tutorial: Create and Verify JWTs in Java"},"content":{"rendered":"

\u201cI love writing authentication and authorization code.\u201d ~ No Java Developer Ever.<\/b> Tired of building the same login screens over and over? Try the Okta API for hosted authentication, authorization, and multi-factor auth.<\/a><\/span><\/p>\n

Java support for JWT (JSON Web Tokens) used to require a lot of work: extensive customization, hours lost resolving dependencies, and pages of code just to assemble a simple JWT. Not anymore!<\/p>\n

This tutorial will show you how to use an existing JWT library to do two things:<\/p>\n

    \n
  1. Generate a JWT<\/li>\n
  2. Decode and verify a JWT<\/li>\n<\/ol>\n

    You\u2019ll notice the tutorial is pretty short. That\u2019s because it\u2019s that easy. If you\u2019d like to dig deeper, take a look at the JWT Spec<\/a> or dive into this longer post<\/a> about using JWTs for token authentication in Spring Boot apps.<\/p>\n

    What are JWTs?<\/h2>\n

    JSON Web Tokens are JSON objects used to send information between parties in a compact and secure manner. The JSON spec<\/a>, or Javascript Object Notation, defines a way of creating plain text objects using key value pairs. It\u2019s a compact way of structuring data built upon primitive types (numbers, strings, etc\u2026). You\u2019re probably already pretty familiar with JSON. It\u2019s like XML without all the brackets.<\/p>\n

    Tokens can be used to send arbitrary state between parties. Often here \u201cparties\u201d means a client web application and a server. JWTs have many uses: authentication mechanism, url-safe encoding, securely sharing private data, interoperability, data expiration, etc.<\/p>\n

    In practice, this information is often about two things: authorization and session state. JWTs can be used by a server to tell the client app what actions the user is allowed to execute (or what data they are allowed to access).<\/p>\n

    JWTs are often also used to store state-dependent user data for a web session. Because the JWT is passed back and forth between the client app and the server, it means that state data does not have to be stored in a database somewhere (and subsequently retrieved on every request); because of this, it scales well.<\/p>\n

    Let\u2019s take a look at an example JWT (taken from jsonwebtoken.io<\/a>)<\/p>\n

    \n
    \"JWTs<\/figure>\n<\/div>\n

    JWTs have three parts: a header, a body, and a signature. The header contains info on how the JWT is encoded. The body is the meat<\/em> of the token (where the claims<\/strong> live). The signature provides the security.<\/p>\n

    There\u2019s a lot of detail we\u2019re not going to go into here regarding how tokens are encoded and how information is stored in the body. Check out the previously mentioned tutorial<\/a> if you want.<\/p>\n

    Don\u2019t forget:<\/strong> cryptographic signatures do not provide confidentiality; they are simply a way of detecting tampering with a JWT, and unless a JWT is specifically encrypted, they are publicly visible. The signature simply provides a secure way of verifying the contents.<\/p>\n

    Great. Got it? Now you need to make a token with JJWT! For this tutorial, we\u2019re using an existing JWT library. Java JWT<\/a> (a.k.a., JJWT) was created by Les Hazlewood<\/a> (lead committer to Apache Shiro, former co-founder and CTO at Stormpath, and currently Okta\u2019s very own Senior Architect), JJWT is a Java library that simplifies JWT creation and verification. It is based exclusively on the JWT<\/a>, JWS<\/a>, JWE<\/a>, JWK<\/a> and JWA<\/a> RFC specifications and open source under the terms of the Apache 2.0 License<\/a>. The library also adds some nice features to the spec, such as JWT compression and claims enforcement.

    <\/div> <\/div><\/p>\n

    Generate a Token in Java<\/h2>\n

    This parts super easy. Let\u2019s look at some code. Clone the GitHub repo<\/a>:<\/p>\n

     git clone https:\/\/github.com\/oktadeveloper\/okta-java-jwt-example.git \n cd okta-java-jwt-example<\/pre>\n
    This example is pretty basic, and contains a src\/main\/java\/JWTDemo.java<\/code> class file with two static methods: createJWT()<\/code>and decodeJWT()<\/code>. Cunningly enough, these two methods create a JWT and decode a JWT. Take a look at the first method below.<\/p>\n
    public static String createJWT(String id, String issuer, String subject, long ttlMillis) {\n  \n    \/\/The JWT signature algorithm we will be using to sign the token\n    SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;\n\n    long nowMillis = System.currentTimeMillis();\n    Date now = new Date(nowMillis);\n\n    \/\/We will sign our JWT with our ApiKey secret\n    byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(SECRET_KEY);\n    Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());\n\n    \/\/Let's set the JWT Claims\n    JwtBuilder builder = Jwts.builder().setId(id)\n            .setIssuedAt(now)\n            .setSubject(subject)\n            .setIssuer(issuer)\n            .signWith(signatureAlgorithm, signingKey);\n  \n    \/\/if it has been specified, let's add the expiration\n    if (ttlMillis > 0) {\n        long expMillis = nowMillis + ttlMillis;\n        Date exp = new Date(expMillis);\n        builder.setExpiration(exp);\n    }  \n  \n    \/\/Builds the JWT and serializes it to a compact, URL-safe string\n    return builder.compact();\n}\n<\/pre>\n
    To summarize, the createJWT()<\/code> method does the following:<\/p>\n