java - Verification key for jose4j JwtConsumer -
i using jose4j validate , process jwt. jwt looks following , passes validation in jwt homepage.
however, can't same using jose4j java library. exception complains verification key set. there many types of keys defined in library , tried them no luck. code following:
import java.util.map; import org.jose4j.jwt.jwtclaims; import org.jose4j.jwt.consumer.invalidjwtexception; import org.jose4j.jwt.consumer.jwtconsumer; import org.jose4j.jwt.consumer.jwtconsumerbuilder; import org.jose4j.keys.hmackey; public class ygjwt { public static void main(string args[]) throws invalidjwtexception { string jwt = "eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.eyjzdwiioiixmjm0nty3odkwiiwibmftzsi6ikpvag4grg9liiwiywrtaw4ionrydwv9.tjva95orm7e2cbab30rmhrhdcefxjoyzgefonfh7hgq"; string secret = "secret"; jwtconsumer jwtconsumer = new jwtconsumerbuilder() .setverificationkey(new hmackey(secret.getbytes())) //what kind of key need use here? .build(); jwtclaims jwtclaims = jwtconsumer.processtoclaims(jwt); map<string, object> claimsmap = jwtclaims.getclaimsmap(); claimsmap.foreach((string key, object val) -> { system.out.println(key + ": " + val.tostring()); }); } }
any appreciated.
i 'd guess you're getting exception this? org.jose4j.lang.invalidkeyexception: key of same size hash output (i.e. 256 bits hs256) or larger must used hmac sha algorithms key 48 bits
the hmackey
correct type hs256
key technically short according second paragraph of http://tools.ietf.org/html/rfc7518#section-3.2 has same text exception message.
you can work around building jwtconsumer
.setrelaxverificationkeyvalidation()
, allow shorter keys. looks (adding 1 line snippet example):
jwtconsumer jwtconsumer = new jwtconsumerbuilder() .setverificationkey(new hmackey(secret.getbytes())) .setrelaxverificationkeyvalidation() // allow shorter hmac keys when used w/ hsxxx algs .build();
in general though try , avoid use of short password key such "secret" , suggest using stronger key when possible.
Comments
Post a Comment