Java Generate Jwt Token Using Private Key

07.12.2020by

Oct 27, 2016 We had written small API using java-jwt 2.2.1. It works fine when i create a token and verify the token in Java code. Created RSA Private and Public keys. (Referred to one of the test case) Created a token using Algorithm.RS256 with the private key. Verified the same token and got output as expected. When the command completes, you are left with two files in the current directory, jwt-key and jwt-key.pub. The former is the private key, which will be used to generate token signature, so you should protect this very well. Jun 21, 2016 In this example, Section 1 is a header which describes the token. Section 2 is the payload, which contains the JWT’s claims, and Section 3 is the signature hash that can be used to verify the integrity of the token (if you have the secret key that was used to sign it).

25 Jul 2018MIT
This article is an introduction on how to use the JJWT library, key stores, private/public keys to encrypt and decrypt the JWT token.
  • Sep 09, 2017 A little NodeJS demo of making and verifing JavaScript Web Tokens (JWT) using RSA Public/Private Key Pairs Table of Contents: 00:00 - Introduction 00:44 - 1. Get a RSA public/private PEM pair 01.
  • This makes JWT a good choice to be passed in HTML and HTTP environments. Security-wise, SWT can only be symmetrically signed by a shared secret using the HMAC algorithm. However, JWT and SAML tokens can use a public/private key pair in the form of a X.509 certificate for signing.
  • Java-jwt with public/private keys. Ask Question Asked 3 years. Hi Predrag, I have the same requirement where I have to create a signed token with private key using java and verify the token with public key in node JS. I am struck with how to load the privatekey (private key.pem) file and create the signed token with RS256 algorithm.
  • Jun 10, 2019 JSON Web Tokens are becoming more and more common in single page applications and I'm also using them in multiple projects. But I also forget how to generate a new token (private and public keys). Which is a common task as you should have a different token in your development (optional test) and production environment.

Introduction

In this article, I will present a very simple tutorial on how to create a JWT token, how to encrypt the token, and how to decrypt the token. This article will be simple and fun. Although I am no subject expert, I will show the following:

  • How to create a Java keystore
  • How to extract public key out of the KeyStore file
  • How to create the JWT token
  • How to encrypt the JWT token using the private key in the keystore
  • How to decrypt the encrypted JWT token using the exported public key

You might ask, what would be the purpose of doing this? I have a personal project that will be implemented as a se of micro-services. One of the micro-services would be an authentication service. When a request comes into my micro-service ecosystem, the request will first be authenticated. User credential will be sent to the authentication and authorization service first, which can look up the user in database, and verify the credentials, then send back an encrypted JWT token that contains the user information. The service that is supposed to process the request will decrypt the JWT token and verify the user's authorization before the request can be handled. Windows 10 mac download free. The authorization check will see what roles the user has and whether the user roles are sufficient for the request to be handled.

In order to do all these, we need a pair of keys -- RSA private/public key pair. The authentication service uses the private key to encrypt the token. The service that handles user request needs to decrypt the token, which can use the public key to do this. In between, we need to find a way to create the JWT token unencrypted. All these will be explained in this article.

Create Java KeyStore

A Java KeyStore file is a repository of certificates (public key) and corresponding private keys. They can be used for SSL transportation. One example you might notice about the Java KeyStore file is that it can be used by J2EE application containers like Jetty, Glassfish, TomCat through some XML configuration. And you will have https enabled for these application containers.

For this tutorial, all we need to know is how to create one Java KeyStore file with just one RSA certificate and its corresponding private key. To create a new Java KeyStore file, here is the command:

What the above command does is to create a keystore with one RSA key in it. The alias of the key is called 'hanbotest'. The algorithm that is used to create the key is RSA. The size of the key is 2048 bits. And the default format of the KeyStore is JKS.

Once you type in the command, hit enter, it will prompt you for the following information:

  1. The password for the keystore, I use '123test321'.
  2. Again for the same password.
  3. First name and last name, I entered 'Han Bo'.
  4. Name of the organization unit, I entered 'Hanbo Enterprise'.
  5. Name of the organization, I entered 'Hanbo Enterprise' again.
  6. Name of the city, I entered 'Chicago'.
  7. Name of the state or province, I entered 'IL'.
  8. Two characters of the country, I entered 'US'.
  9. Last one is just '[no]', I type in 'yes' and hit enter.
  10. The last last thing is the password of the certificate and private key. I keep it the same as the password of the keystore. Just hit enter.
  11. Look into the destination directory, you will see the KeyStore file.

Don't worry about the information you entered. This is a mock certificate and used for testing only. And I have included this mock KeyStore as part of the sample source code. Once you got it, you can swap out with your own KeyStore file and play with the source code.

Export the Public Key/Certificate

Now that you have a KeyStore file. The next step is to export the public key as a separated entity. Private key is something to be protected, and public key can be shared to other parties. To extract public key, here is the command:

What this command does is specify the jks file, the alias of the key, and the output file which is called 'hanbotest.cer'. When it is typed in, and hit enter, it will prompt for password. Enter password '123test321'. The cer file will be created successfully.

Now they can be used for the JWT token encryption and decryption.

Encrypting and Decrypting JWT Token

I wrote a simple Java console app that demonstrates the encryption of the JWT token using the private key. It will be a string once encrypted. Then I take the string, and use the public key to decrypt the encrypted token.

The POM File

Since this is a simple Java console program, the POM file is pretty straight forward. The most important part is the dependencies. Here they are:

The version of the jackson libraries is 2.7.3. And I defined it in a separated section in the same pom file, like this:

One more thing about this, in the official JJWT library tutorial, it said there is no need to include any other dependencies. This is not true. I had to include the three jackson jar files. or the application will not work.

Using

The Main Program

The main program is super simple. It is one class, with a main entry, and a static helper method. All it does is create the JWT token, encrypt, then decrypt. The purpose is to demonstrate how JWT token is created and protected.

Create Jwt Token With Private Key

I use the JJWT library. And it is very easy to create the JWT token. Here is the code:

There are two things that you must be aware of:

  • setExpiration() should set a Date object that is later than the Date object for the setIssuedAt().
  • signWith() uses the private key to sign the JWT token. This is where we should use the private key.

The question is, how do we load the private key. Turned out, this is not hard to do:

The first line defines the string that represents the password. The second line gets a KeyStore instance, and I specify the type used is the default type. There are many different types of JKS which you can use. Besides the default type which Java supports out of box, there is also the PKCS12 format, and many others. In this case, I am just using the default type. The third line loads the KeyStore from the JKS file. In order to load, one must supply the password associated with the JKS file. The last line extracts the private key out of the KeyStore object. The object named 'key' is the private key used by the signWith() in previous code sample.

If you run the program with just these two pieces of code, you will see something like the following output:

Java Generate Jwt Token Using Private Key File

The string contains three encrypted sections. They are separated by two '.'. The sections are token header, body, and signature. The last part can be used to verify that the JWT token is generated by a legitimate private key.

The next part of the program is to decrypt the string back into a JWT token object. This is done using the public key. In order to do this, first we need to load the public key. This is the only hard part of this tutorial. I wrote a very simple helper method:

This helper method takes a full file path to the cer file I just created, and return an object of PublicKey. The method has 4 lines:

  1. First, create a CertificateFactory object. The type of the certificate is specified by a string. This is probably the hardest of all. The type is actually 'X.509'.
  2. The next line takes a FileInputStream of the actual cer file and use the CertificateFile object to create a Certificate object.
  3. The third line extracts the PublicKey object out of the Certificate object.
  4. The last line returns the PublicKey object back to the caller.

Once a PublicKey object is available, we can take the encrypted string and use JJWT libraries to attempt decoding it. Here is how it is done:

There are only two lines in this. The first one uses the helper method to get the public key from the cer file. The second one uses the JJWT library methods to decrypt the JWT token. The returning object is of type Jws<Claims>. compactJws is the string that holds the encrypted JWT token.

Once the token is decrypted, there will be three different parts.

  • JWT token's header
  • JWT token's body - this is where the user credentials are stored
  • JWT token signature

If a token can be decrypted correctly, then all we care about is the body portion of the token. Here is how I output and see if it is decrypted correctly:

The output of the id, the audience and the subject are the same as the input value I have used when I created the JWT token.

Points of Interest

As promised, I have kept this article short and easy, simple and fun. All I have done in this article are:

  • Create a JKS KeyStore with just one RSA key.
  • Export the public certificate from the JKS KeyStore file out as a cer file.
  • A sample program that creates a JWT token, use the private key to encrypt it and use the public key (the exported certificate) to decrypt the token.

It is not very much, but it can be extended and incorporated into a real-world web application, where a service will be dedicated to do authentication and creating the JWT tokens, while other services can consume and verify the JWT token. It just made development of web based application a lot more fun.

History

  • 07/21/2018 - Initial draft
Nba 2k13 Cd Key Generator Mac
Generate Public Private Key Pair Python
Comments are closed.