
Support JWT decoding and validation #25

Open
iainmcgin opened this issue Mar 7, 2016 · 10 comments

@iainmcgin
Member

Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the jwks_uri keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.

@b---c

b---c commented Apr 14, 2016

Hi @iainmcgin, I'd like to ever so humbly suggest that jose4j be considered for JWT decoding and validation in AppAuth. It's an open source JWT/JOSE library in Java that has extensive support for consuming and validating JWTs including being able to dynamically obtain public keys from an HTTPS endpoint like Connect's jwks_uri.

@iainmcgin
Member Author

jose4j looks like a good choice Brian, thanks for the suggestion! The solution for this issue may actually just be documentation rather than code, pointing developers at other libraries (such as yours) that can perform this task rather than baking it in to AppAuth itself. We'd like to keep the dependencies of AppAuth as minimal as possible.

@iainmcgin iainmcgin added this to the 0.7.0 milestone Mar 10, 2017
@iainmcgin
Member Author

#163 has some code for this, so I'll need to evaluate that against adding a dependency on jose4j. Looks like jose4j 0.5.5 is ~250KB, which is almost twice as big as AppAuth itself (currently ~120KB). It may still be better to leave token validation to code outwith the library.

@iainmcgin iainmcgin modified the milestones: 0.8.0, 0.7.0 Aug 22, 2017
@iainmcgin
Member Author

Partially fixed by #385 - we will need to put in some extra work to expose the new IdToken class as part of the public API. Right now it only holds the fields that are interesting for validation and discards the rest; storing the currently discarded claims as an "additionalClaims" map would be consistent with how we handle authorization requests etc.

@v-khatri

Is IdToken available in latest release? (0.7.1)

@sunilkumarjena21

Hi @iainmcgin,
I am still unable to access the IdToken class.
My need is to use the parseJwtSection(String accessToken) method to parse the role[] from the accessToken.

Do we have any way to do it in AppAuth?
Thanks in advance!

@Whathecode

Our codebase was relying on a separate library to extract this information. I just abandoned this library as it contained a bug, and I found it an extensive additional dependency just to do some JSON parsing which I now do as follows:

import android.util.Base64
import java.nio.charset.Charset
import java.util.UUID

fun getUserId(token: String): UUID? {
    // A JWT is three base64url segments: header.payload.signature
    val (_, payload, _) = token.split('.')
    val payloadString = String(
        Base64.decode(payload, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING),
        Charset.defaultCharset()
    )
    // This only reads the "sub" claim from the payload; it does not verify the signature.
    val subjectPattern = Regex("\"sub\":\\s*\"([a-z0-9-]*)\"")
    val subject = requireNotNull(subjectPattern.find(payloadString)?.groupValues?.get(1))
        { "Invalid JWT access token." }

    return UUID.fromString(subject)
}

But I'd prefer to replace this with the IdToken functionality of this library once it is exposed in the API. So just a reminder this issue is still relevant. :)
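The snippet above reads the "sub" claim straight out of the payload segment, which is exactly what the issue title calls "decoding"; the "validation" half is what turns that string into something an app can trust. The following is an added example (not code from AppAuth or from any participant in this thread) that separates the two steps: a parse_jwt_section helper that mirrors the name mentioned earlier in the thread, and a validate function that pins the algorithm, checks the signature, and then checks iss, aud and exp before returning any claims. The key, issuer and audience values are constructed for the demo, and HS256 is used only so the example runs with the standard library; OpenID Connect id tokens are normally RS256-signed with keys fetched from the provider's jwks_uri, so the signature step would use a JWKS-backed verifier there.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo; none of these are real secrets or endpoints.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://issuer.example"   # assumed issuer (constructed)
EXPECTED_AUDIENCE = "demo-client"            # assumed client id (constructed)


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWT segments omit."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt_section(segment: str) -> dict:
    """Decode one JWT segment into a dict. This is parsing only: nothing is verified."""
    return json.loads(b64url_decode(segment).decode("utf-8"))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed HS256 token so the example has realistic input to work on."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_hs256_jwt(token: str, key: bytes, issuer: str, audience: str,
                       now: Optional[float] = None) -> dict:
    """Verify alg, signature, iss, aud and exp; return the claims only if all pass.

    Raises ValueError on any failure so callers never see unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the token's own header must not decide how it is verified.
    header = parse_jwt_section(header_b64)
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")

    # Signature check first, with a constant-time comparison.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    # Only now is the payload worth reading.
    claims = parse_jwt_section(payload_b64)
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


if __name__ == "__main__":
    # Constructed sample claims for a quick run.
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "9f1c2a8e-0000-4000-8000-000000000001", "exp": 2_000_000_000}
    token = make_hs256_jwt(claims, DEMO_KEY)
    print("parsed sub:", parse_jwt_section(token.split(".")[1])["sub"])
    print("validated sub:", validate_hs256_jwt(token, DEMO_KEY, EXPECTED_ISSUER,
                                               EXPECTED_AUDIENCE)["sub"])
```

parse_jwt_section alone will happily return a "sub" from a token whose payload has been swapped, because it never looks at the signature; validate_hs256_jwt rejects that same token. Keeping the two as separate functions makes it obvious in a code review which call sites are reading unverified data.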

@CoolMind

CoolMind commented Dec 3, 2022

@Whathecode, please, add imports. What minimal SDK does it require?

@CoolMind

CoolMind commented Dec 4, 2022

@dr-star

dr-star commented Jun 25, 2024

To access the claims you can do

authState.parsedIdToken.additionalClaims

See #759
