Verify jwt token using Java atlassian-jwt-core


Bhushan Nagaraj

Oct 4, 2014, 8:54:50 PM
to atlassian-...@googlegroups.com
I posted the question on Answers but haven't received a response yet. So posting here.

How to verify the jwt token passed by the Atlassian application using atlassian-jwt?

I am able to extract the jwt token using com.atlassian.jwt.core.JwtUtil.extractJwt(HttpServletRequest). However, this is just the String representation of the Jwt token.

  1. How do I extract JWT object from the URL using atlassian-jwt so I can access the Issuer, etc?
  2. How do I verify the extracted jwt token?

Any help will be awesome. Thanks in advance.

Atlassian Answers link below

https://answers.atlassian.com/questions/9386880/how-to-verify-jwt-token-using-atlassian-jwt-core


Yves Berquin

Oct 4, 2014, 10:12:16 PM
to atlassian-...@googlegroups.com
Hello Bhushan,

There's a pretty good explanation here:

Yves

Bhushan Nagaraj

Oct 4, 2014, 11:14:59 PM
to atlassian-...@googlegroups.com
Thanks Yves. I have already looked at the documentation but I am looking for something more specific to the atlassian-jwt api and how I can use it to extract and verify the jwt.

Cheers
Bhushan
Skype: bhushan154





Bhushan Nagaraj

Oct 4, 2014, 11:18:08 PM
to atlassian-...@googlegroups.com
For example, is there a method in the atlassian-jwt api that provides me a method that does the following and provides a Jwt object?

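import java.nio.charset.StandardCharsets;
import java.util.Base64;

String jwtToken = ...;//e.g. extracted from the request
// String.split() takes a regex, so the dot has to be escaped
String[] base64EncodedSegments = jwtToken.split("\\.");
String base64EncodedHeader = base64EncodedSegments[0];
String base64EncodedClaims = base64EncodedSegments[1];
String signature = base64EncodedSegments[2];
// JWT segments are base64url-encoded
String header = new String(Base64.getUrlDecoder().decode(base64EncodedHeader), StandardCharsets.UTF_8);
String claims = new String(Base64.getUrlDecoder().decode(base64EncodedClaims), StandardCharsets.UTF_8);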

Cheers
Bhushan
Skype: bhushan154





Yves Berquin

Oct 4, 2014, 11:26:14 PM
to atlassian-...@googlegroups.com
I couldn't figure out how to do this with the Atlassian lib either, I ended up using the nimbus-jose-jwt as described in the page I referred to.
The way the atlassian-jwt is structured is hardly understandable (to me).

Yves 

Bhushan Nagaraj

Oct 4, 2014, 11:42:14 PM
to atlassian-...@googlegroups.com
Well same here. lol hoping someone can let me know how to handle this using the atlassian-jwt lib. There is no documentation available anywhere on this.

Cheers
Bhushan
Skype: bhushan154




Bhushan Nagaraj

Oct 5, 2014, 11:51:47 PM
to atlassian-...@googlegroups.com
This is the cleanest way I could do it.

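import com.atlassian.jwt.core.JwtUtil
import com.nimbusds.jose.JWSVerifier
import com.nimbusds.jose.crypto.MACVerifier
import com.nimbusds.jwt.SignedJWT

boolean result = false
//Extract jwt token from HttpRequest using JwtUtil class found in atlassian-jwt-core
String jwtToken = JwtUtil.extractJwt(req)
//Use dependency 'com.nimbusds:nimbus-jose-jwt:2.22.1'
SignedJWT signedJWT = SignedJWT.parse(jwtToken);
//Extract issuer/client (not yet verified; used only to look up the shared secret)
String issuer = signedJWT.getJWTClaimsSet().getIssuer()
//Check if issuer/client exists in your app database
Client client = Client.findByClientKey(issuer)
if(client){
    //Verify the HMAC signature with the shared secret stored for this client
    JWSVerifier verifier = new MACVerifier(client.sharedSecret.getBytes());
    if(signedJWT.verify(verifier)){
        result = true
    }
    else{
        throw new Exception("JWT Verification Failed.")
    }
}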
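
Added example (not part of the original thread, and not code from atlassian-jwt or nimbus-jose-jwt): what the shared-secret signature check in the post above amounts to for an HS256 token, written against the JDK only. The class name, the secret and the client key are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256JwtCheck {
    // Returns the decoded claims JSON, but only after the signature has verified.
    static String verifiedClaims(String jwt, byte[] sharedSecret) throws Exception {
        String[] seg = jwt.split("\\.", -1); // -1 keeps empty trailing segments
        if (seg.length != 3 || seg[2].isEmpty()) {
            throw new SecurityException("not a signed compact JWT");
        }
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(seg[2]);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("signature is not base64url");
        }
        // The algorithm is fixed to HMAC-SHA256 here; the header's "alg" value is
        // never used to choose it, so a header claiming "none" cannot skip the check.
        byte[] expected = hmac(seg[0] + "." + seg[1], sharedSecret);
        if (!MessageDigest.isEqual(expected, presented)) { // constant-time compare
            throw new SecurityException("JWT signature mismatch");
        }
        return new String(Base64.getUrlDecoder().decode(seg[1]), StandardCharsets.UTF_8);
    }

    static byte[] hmac(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a token built and signed locally with a made-up secret.
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        byte[] secret = "constructed-shared-secret".getBytes(StandardCharsets.UTF_8);
        String input = b64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString("{\"iss\":\"constructed-client-key\"}".getBytes(StandardCharsets.UTF_8));
        String jwt = input + "." + b64.encodeToString(hmac(input, secret));
        System.out.println(verifiedClaims(jwt, secret));
        try {
            verifiedClaims(jwt, "wrong-secret".getBytes(StandardCharsets.UTF_8));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The claims it returns still need their exp checked, and the iss read to look up the secret is untrusted until this call succeeds.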

Dmitry Zagorovsky

Oct 6, 2014, 5:51:32 AM
to atlassian-...@googlegroups.com
Hello Bhushan,

Take a look at https://bitbucket.org/atlassian/atlassian-connect-play-java

Best Regards,
Dmitry

Patrick Streule

Oct 6, 2014, 6:54:20 PM
to atlassian-...@googlegroups.com