Warning: This page is under construction.

With the Identity Server 5.1.0 release, we provide a signed ID token to address some security vulnerabilities in a production environment.

An unsigned ID token contains only two portions, separated by ".":

<header>.<body>

Sample:

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0

A signed ID token contains three portions, separated by ".":

<header>.<body>.<signature>

Sample:

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg

If you want to see the exact JSON values, Base64-decode the <header> and <body> portions.

This is a simple Java program that validates an ID token signature against the public key in the default wso2carbon.jks keystore shipped with WSO2 products.

```java
package org.sample;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;

import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;

public class ValidateRSASignature {

    public static void main(String[] args) throws Exception {
        RSAPublicKey publicKey = null;

        // Load the default WSO2 keystore (wso2carbon.jks) from the classpath
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream file = ClassLoader.getSystemResourceAsStream("wso2carbon.jks")) {
            keystore.load(file, "wso2carbon".toCharArray());
        }
        String alias = "wso2carbon";

        // Get certificate of public key
        Certificate cert = keystore.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("No certificate found for alias " + alias);
        }
        // Get public key
        publicKey = (RSAPublicKey) cert.getPublicKey();

        // Enter JWT String here (the complete header.body.signature token)
        String signedJWTAsString = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0d";

        // Parse the compact serialisation; throws ParseException if it is not a three-part JWS
        SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);

        // Verify the RS256 signature with the IdP public key. This checks the signature only;
        // claims such as iss, aud and exp still have to be validated separately.
        JWSVerifier verifier = new RSASSAVerifier(publicKey);

        if (signedJWT.verify(verifier)) {
            System.out.println("Signature is Valid");
        } else {
            System.out.println("Signature is NOT Valid");
        }
    }
}
```
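As an added example (not part of the original page or of WSO2's code), the following Python parser shows the two-part versus three-part structure described above on the page's own sample tokens: it splits the compact serialisation, restores the base64url padding, decodes header and body to JSON, and refuses an unsigned two-segment token, an alg of none, or an empty signature before anything reaches a verifier such as the RSASSAVerifier in the Java program. The alg-none sample is constructed here; the signature bytes are only decoded, not verified.

```python
import base64
import json

# Sample tokens copied from the page: the signed token (header.body.signature) and
# its unsigned header.body form. The signature is split only for line length.
SIGNED_SAMPLE = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0."
    "iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J"
    "4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg"
)
UNSIGNED_SAMPLE = SIGNED_SAMPLE.rsplit(".", 1)[0]
# Constructed: same body under an {"alg":"none"} header with an empty signature segment.
ALG_NONE_SAMPLE = "eyJhbGciOiJub25lIn0." + SIGNED_SAMPLE.split(".")[1] + "."


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_id_token(token: str, allowed_algs=("RS256",)) -> dict:
    """Split a compact ID token into decoded header, claims and raw signature bytes.

    Rejects two-segment (unsigned) tokens, alg 'none', algs outside allowed_algs
    and empty signatures. This is a structural pre-check only: the signature bytes
    still have to be verified against the IdP public key (as the Java program does).
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.body.signature, got {len(parts)} segments")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in allowed_algs:
        raise ValueError(f"unacceptable alg: {alg!r}")
    signature = b64url_decode(parts[2])
    if not signature:
        raise ValueError("empty signature segment")
    claims = json.loads(b64url_decode(parts[1]))
    return {"header": header, "claims": claims, "signature": signature}


def looks_signed(token: str) -> bool:
    """True only if the token passes every structural check in inspect_id_token."""
    try:
        inspect_id_token(token)
        return True
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return False
```

Running inspect_id_token(SIGNED_SAMPLE) decodes the header to {"alg": "RS256"} and the body to the sub, iss and iat claims, while UNSIGNED_SAMPLE and ALG_NONE_SAMPLE are rejected.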