1. JWT Token Overview
JSON Web Token (JWT) is an open standard that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Although JWTs can also be encrypted to provide secrecy between parties, we will focus on signed tokens. A signed token lets the recipient verify the integrity of the claims it contains, while an encrypted token hides those claims from other parties. When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key could have signed them.
1.1 What is the JSON Web Token (JWT) Structure?
A JWT consists of three parts separated by a period (.).
These parts are:
- Header
- Payload
- Signature
The JWT typically looks like:
2. Setting up the JJWT library
To start using the JJWT library for JWT generation, add the following dependencies to your build.gradle file.
Alternatively, if you are using Maven, add the following dependencies to pom.xml.
3. Create JWT Token
Jwts.builder() is used to create a JWT token. We can specify claims, the subject and other JWT attributes.
Generated JWT Token:
The above code to generate the JWT is pretty self-explanatory; however, let's check step by step how we are generating the JWT token:
- Add the claims name and email with the values Jane Doe and [email protected] respectively
- Add a subject to the JWT token with the value jane
- Set the Id of the JWT token to a randomly generated GUID
- Set issued at to the current time
- Set expiration to the current time plus 5 minutes, so the JWT is valid for only 5 minutes
The JWT generated above is not signed (check the alg attribute in the header). We have only encoded the claims as JSON, so anyone holding the token could change them. If you use a JWT for authentication or authorization it is advisable to sign it, so that its integrity can be verified.
4. Validate/Parse JWT Token
To validate or parse the JWT token, the Jwts.parserBuilder() method is used.
While parsing the JWT token we need to pass the signing key so that the JWT signature can be verified. Let us see how to sign the JWT token using different algorithms.
5. Create and Validate JWT Token Signed using HMAC Secret
The simplest way of creating a signed JWT token is with an HMAC secret. HMAC stands for hash-based message authentication code; it is a message authentication code built on a cryptographic hash function and a shared secret, and it verifies both the integrity and the authenticity of a token at the same time.
5.1 Create JWT Token signed with HMAC
To create a JWT token signed with an HMAC shared secret, we specify the signature using the .signWith() method.
Generated JWT Token:
5.2 Validate/Parse JWT Token signed with HMAC
To validate/parse a JWT token generated with an HMAC shared secret, the same steps apply. We need to call the setSigningKey() method to set the key before we parse the JWT token.
Output:
If the JWT token has expired (the exp claim value is less than the current system time), the parseClaimsJws() method will throw SignatureException.
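As an added example (not the article's JJWT code), the three-part structure from section 1.1 and the HS256 create/parse steps from sections 3 and 5, in plain Python with the standard library only. The claims mirror the list above; the shared secret and the email address are constructed placeholders. The parser checks the algorithm, the signature and the exp claim, so an unsigned (alg none) token or a tampered one is rejected instead of accepted.

```python
import base64, hashlib, hmac, json, uuid

# Constructed shared secret for the example; in production load it from a vault or env var.
SECRET = b"example-shared-secret-at-least-32-bytes-long!!"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS spec requires for each part."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_claims(now: int) -> dict:
    """The claims from section 3: name/email, subject jane, random jti, iat, exp = now + 5 min."""
    return {"name": "Jane Doe", "email": "jane@example.com", "sub": "jane",
            "jti": str(uuid.uuid4()), "iat": now, "exp": now + 300}

def encode_jws(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce header.payload.signature; alg 'none' gives the unsigned form from section 3."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    if alg == "none":
        return signing_input + "."          # empty signature part
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def parse_jws(token: str, secret: bytes, now: int) -> dict:
    """Section 5.2: verify the HMAC with the shared key, then enforce exp; raise on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm: never let the token's header choose it (rejects alg none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):   # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```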
6. Create and Validate JWT Token Signed using RSA Private Key
When using JWT tokens for microservice authentication/authorization it is advisable to sign them with an RSA private/public key pair instead of a shared HMAC secret. With a shared secret, every service that verifies tokens also holds the key needed to mint them; with RSA only the signer holds the private key. The token is generated and signed by a central authority (usually an authorization server) and each microservice can validate the JWT token using the public key exposed by the authorization server.
Before we see how to generate a JWT token with a private/public key, let us see how to generate an RSA private and public key pair.
6.1 Generate Private and Public RSA Key
Generate an RSA private key, of size 2048, and output it to a file named key.pem:
Extract the public key from the key pair, which can be used in a certificate:
The key.pem file contains the private key generated using RSA and the public.pem file contains the public key.
6.2 Create JWT Token signed with RSA
The following code snippet shows how to generate a JWT token signed using RSA.
Generated JWT Token:
For simplicity the private key is hard-coded in the above example. In a real production system it would be loaded from an environment variable or a secrets vault (HashiCorp Vault or AWS Parameter Store).
In the above example the method getPrivateKey() returns a java.security.PrivateKey, which is then passed to Jwts.builder to sign the JWT token with the private key.
6.3 Validate/Parse JWT Token signed with RSA Private/Public Keys
Next, let us validate and parse the JWT signed using RSA. For that we need the public key as a java.security.PublicKey instance, which Jwts.parserBuilder will use to validate the JWT.
Output:
In the above example we have hard-coded the public key. In a production system it is usually configured through an environment variable or service configuration.
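An added example covering sections 6.1 to 6.3 together; it is not the article's Java code and it uses the third-party cryptography package (assumed installed). It produces the same kind of 2048-bit key.pem/public.pem PEM material the openssl commands do, signs a token with the private key, and verifies it with only the public key, which is all a microservice needs to hold.

```python
import base64, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_pem_keypair() -> tuple:
    """Section 6.1 equivalent: a 2048-bit RSA private key (key.pem) and its public key (public.pem)."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    key_pem = priv.private_bytes(serialization.Encoding.PEM,
                                 serialization.PrivateFormat.PKCS8,
                                 serialization.NoEncryption())
    public_pem = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                                serialization.PublicFormat.SubjectPublicKeyInfo)
    return key_pem, public_pem

def sign_rs256(claims: dict, key_pem: bytes) -> str:
    """Section 6.2: RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of header.payload, using the private key."""
    priv = serialization.load_pem_private_key(key_pem, password=None)
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = priv.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)

def verify_rs256(token: str, public_pem: bytes, now: int) -> dict:
    """Section 6.3: the verifier holds only public.pem; it pins the alg, checks the signature, then exp."""
    pub = serialization.load_pem_public_key(public_pem)
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    try:
        pub.verify(b64url_decode(s), (h + "." + p).encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```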
7. Source Code – Generate and Validate JWT Tokens using Java & JJWT
Source code for creating and validating JWT tokens in Java.
Github – source code
In this article we will see how we can create and sign a JWT token with the RS256 algorithm. This function is complementary to the validate function I posted some time ago.
Here is the Sign(...) function that can create an RS256-signed JWT token. It makes use of the BouncyCastle library, which is available as a NuGet package, version 1.8.1.
Here are some helper functions used in the above snippet.
The helper functions are the same ones found in the validate function.
This function is based on the code snippet found in this SO question.
Update 1: You can check this post here, where I have created a C# library that manages JWT tokens.
Update 2: If you are having trouble making your keys work, have a look at my "Check your RSA private and public keys" post, and make sure to check the Additional Resources section as well.