- Notifications
You must be signed in to change notification settings - Fork941
Java implementation of JSON Web Token (JWT)
License
auth0/java-jwt
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
NoteAs part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience.
While this change won't affect most developers, if you have implemented a dependency signature validation step in your build process, you may notice a warning that past releases can't be verified. This is expected, and a result of the key rotation process. Updating to the latest version will resolve this for you.
📚Documentation - 🚀Getting Started - 💻API Reference 💬Feedback
- Examples - code samples for common java-jwt scenarios.
- Docs site - explore our docs site and learn more about Auth0.
This library is supported for Java LTS versions 8, 11, and 17. For issues on non-LTS versions above 8, consideration will be given on a case-by-case basis.
java-jwtis intended for server-side JVM applications. Android applications should useJWTDecode.Android.
java-jwt supports the following algorithms for both signing and verification:
| JWS | Algorithm | Description |
|---|---|---|
| HS256 | HMAC256 | HMAC with SHA-256 |
| HS384 | HMAC384 | HMAC with SHA-384 |
| HS512 | HMAC512 | HMAC with SHA-512 |
| RS256 | RSA256 | RSASSA-PKCS1-v1_5 with SHA-256 |
| RS384 | RSA384 | RSASSA-PKCS1-v1_5 with SHA-384 |
| RS512 | RSA512 | RSASSA-PKCS1-v1_5 with SHA-512 |
| ES256 | ECDSA256 | ECDSA with curve P-256 and SHA-256 |
| ES384 | ECDSA384 | ECDSA with curve P-384 and SHA-384 |
| ES512 | ECDSA512 | ECDSA with curve P-521 and SHA-512 |
Note - Support for ECDSA with curve secp256k1 and SHA-256 (ES256K) has been dropped since it has beendisabled in Java 15
⚠️ Important security note: JVM has a critical vulnerability for ECDSA Algorithms -CVE-2022-21449. Please review the details of the vulnerability and update your environment.
Add the dependency via Maven:
<dependency> <groupId>com.auth0</groupId> <artifactId>java-jwt</artifactId> <version>4.5.0</version></dependency>
or Gradle:
implementation'com.auth0:java-jwt:4.5.0'UseJWT.create(), configure the claims, and then callsign(algorithm) to sign the JWT.
The example below demonstrates this using theRS256 signing algorithm:
try {Algorithmalgorithm =Algorithm.RSA256(rsaPublicKey,rsaPrivateKey);Stringtoken =JWT.create() .withIssuer("auth0") .sign(algorithm);}catch (JWTCreationExceptionexception){// Invalid Signing configuration / Couldn't convert Claims.}
Create aJWTVerifier passing theAlgorithm, and specify any required claim values.
The following example usesRS256 to verify the JWT.
Stringtoken ="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";DecodedJWTdecodedJWT;try {Algorithmalgorithm =Algorithm.RSA256(rsaPublicKey,rsaPrivateKey);JWTVerifierverifier =JWT.require(algorithm)// specify any specific claim validations .withIssuer("auth0")// reusable verifier instance .build();decodedJWT =verifier.verify(token);}catch (JWTVerificationExceptionexception){// Invalid signature/claims}
If the token has an invalid signature or the Claim requirement is not met, aJWTVerificationException will be thrown.
See theexamples andJavaDocs for additional documentation.
We appreciate feedback and contribution to this repo! Before you get started, please see the following:
- Auth0's general contribution guidelines
- Auth0's code of conduct guidelines
To provide feedback or report a bug,please raise an issue on our issue tracker.
Please do not report security vulnerabilities on the public Github issue tracker. TheResponsible Disclosure Program details the procedure for disclosing security issues.
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkoutWhy Auth0?
This project is licensed under the MIT license. See the LICENSE file for more info.
About
Java implementation of JSON Web Token (JWT)
Topics
Resources
License
Contributing
Security policy
Uh oh!
There was an error while loading.Please reload this page.