Validating JWT

phoenix.fire has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I have generated a JWT and want to validate the JWT against a public key. I'm using the functions offered by Crypt::JWT (https://github.com/DCIT/perl-Crypt-JWT) and can encode and decode the JWT. Are there any libraries that I can use to validate the JWT against the public key. I need to make sure the JWT corresponds to a particular public key. Regards, Misha

Comment on Validating JWT

Replies are listed 'Best First'.
Re: Validating JWT by jimpudar (Pilgrim) on Apr 06, 2018 at 21:56 UTC
Hi pheonix, Unless I'm mistaken, if you have used a private key to sign the token, the decode_token function will fail if you use the wrong public key. It might help if you could post the code which you have written so we can see how you are encoding and decoding the tokens. Heres a quick test I ran which shows that if you are using the 'RS256' algorithm the decoding will fail without the correct key: #! /usr/bin/env perl use strict; use warnings; use autodie; use Test::More; use Data::Dumper; use File::Slurp; use Crypt::JWT qw(encode_jwt decode_jwt); my $private_key = read_file('throwaway.pem'); my $public_key = read_file('throwaway.pem.pub'); my $wrong_public_key = read_file('fake_key.pem.pub'); my $payload = { just => 'another', perl => 'hacker' }; my $token = encode_jwt( payload => $payload, key => \$private_key, alg => 'RS256' ); ok( decode_jwt( token => $token, key => \$public_key ) ); ok( decode_jwt( token => $token, key => \$wrong_public_key )); done_testing(); $ ./test_jwt.pl ok 1 JWS: decode failed at ./test_jwt.pl line 26. # Tests were run but no plan was declared and done_testing() was not s +een. # Looks like your test exited with 255 just after 1. [download] Hope this helps, Jim	[reply] [d/l]

Replies are listed 'Best First'.

Re: Validating JWT
by jimpudar (Pilgrim) on Apr 06, 2018 at 21:56 UTC

Hi pheonix,

Unless I'm mistaken, if you have used a private key to sign the token, the decode_token function will fail if you use the wrong public key.

It might help if you could post the code which you have written so we can see how you are encoding and decoding the tokens.

Heres a quick test I ran which shows that if you are using the 'RS256' algorithm the decoding will fail without the correct key:

#! /usr/bin/env perl

use strict;
use warnings;
use autodie;
use Test::More;
use Data::Dumper;
use File::Slurp;

use Crypt::JWT qw(encode_jwt decode_jwt);

my $private_key      = read_file('throwaway.pem');
my $public_key       = read_file('throwaway.pem.pub');
my $wrong_public_key = read_file('fake_key.pem.pub');

my $payload = { just => 'another', perl => 'hacker' };

my $token = encode_jwt(
    payload => $payload,
    key     => \$private_key,
    alg     => 'RS256'
);

ok( decode_jwt( token => $token, key => \$public_key ) );

ok( decode_jwt( token => $token, key => \$wrong_public_key ));

done_testing();



$ ./test_jwt.pl
ok 1
JWS: decode failed at ./test_jwt.pl line 26.
# Tests were run but no plan was declared and done_testing() was not s
+een.
# Looks like your test exited with 255 just after 1.
[download]

Hope this helps,

Jim

[reply]
[d/l]