JWT Authentication using Auth0 Library

JSON Web Token, commonly abbreviated as JWT, has become the de facto standard for authenticating REST APIs. In a traditional web application, once the user's login credentials are validated, the logged-in user object is stored in a session. Until the user logs out, the session remains and the user can work in the web application without any issues. The REST world is stateless, so it is difficult to tell whether a user is already authenticated. One option is to authenticate every API call, but that is expensive, as the client has to provide credentials with every request. The other approach is to use a token.

A token is nothing but a signed string: the server holds a secret key, uses it to sign the user data, and sends the result to the client. Once the user is authenticated, a token is issued to the client, and the client sends that token with every subsequent API call. Since only the server holds the key, only the server can verify the signature.

Token mechanisms existed before JWT, so how is JWT different from the traditional way of generating tokens?

JWT provides a standard mechanism for authenticating the user. In a cloud environment, microservices are distributed across the cluster and each service needs some mechanism to authenticate; JWT gives them a common standard. A JWT token has three parts: the header (algorithm), the payload (user data) and the signature.

We use the Auth0 java-jwt library to generate and validate the JWT token. Maven dependency:

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.4.0</version>
</dependency>

The code below generates a JWT token. The generated token expires after one hour; if it is used beyond that, the server rejects the request.

import java.util.Calendar;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;

public static void generateToken() {
    try {
        // HMAC-SHA512 with a shared secret. In production load a long, random key
        // from configuration instead of hard-coding it in the source.
        Algorithm algorithm = Algorithm.HMAC512("secret-key");

        // Token expires one hour from now
        Calendar cal = Calendar.getInstance();
        cal.add(Calendar.HOUR, 1);

        String token = JWT.create()
            .withSubject("secure-login")
            .withClaim("Name", "Best open source")
            .withClaim("Role", "Admin")
            .withIssuer("App-1")
            .withExpiresAt(cal.getTime())
            .sign(algorithm);   // throws JWTCreationException if signing fails

        System.out.println(token);
    }
    catch (Exception exp) {
        System.out.println(exp.getMessage());
    }
}

Now the token is generated. In the REST API, the client sends the token in the Authorization header, and the server validates the token before processing the request.

The code below validates the token. The leeway values passed to the verifier are in seconds.

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

public static void verifyToken(String token) {
    try {
        // Same secret and algorithm as used for signing. The verifier pins HMAC512,
        // so a token whose header names a different "alg" is rejected.
        Algorithm algorithm = Algorithm.HMAC512("secret-key");

        JWTVerifier verifier = JWT.require(algorithm)
            .withIssuer("App-1")    // accept only tokens issued by our own application
            .acceptExpiresAt(60)    // 60 seconds of clock-skew leeway for "exp"
            .acceptNotBefore(60)    // leeway in seconds, not a timestamp
            .build();

        // Checks signature, issuer and expiry; throws JWTVerificationException on any failure
        DecodedJWT decodedJwt = verifier.verify(token);
        System.out.println(decodedJwt.getClaim("Name").asString());
    }
    catch (Exception exp) {
        System.out.println(exp.getMessage());
    }
}

JWT.io provides a user interface to validate the token.
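To make the three parts of the token and the verification rules concrete, here is an added example in Python that reimplements the HS512 mechanics the java-jwt calls above rely on, using only the standard library; it is not code from this page or from the Auth0 project. It builds a token with the same claims as generateToken, verifies it the way verifyToken does (pinned algorithm, signature, issuer, expiry with leeway), and shows two things the text only states: the payload can be read by anyone without the key, and a tampered payload is rejected because the signature no longer matches. The secret, claims and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real secret must be long, random and loaded from configuration.
SECRET = b"secret-key"
ISSUER = "App-1"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(claims, secret=SECRET, ttl_seconds=3600, now=None):
    """Build header.payload.signature, signed with HMAC-SHA512 (the HS512 the Java code uses)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url(signature)


def read_payload_unverified(token):
    """The payload is only base64url-encoded: anyone can read it, nobody should trust it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_token(token, secret=SECRET, issuer=ISSUER, leeway=60, now=None):
    """Mirror of the Java verifier: pinned algorithm, signature, issuer, expiry with leeway."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token's own header choose it.
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    # Constant-time comparison, as the library does, so signature checks do not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if now > payload["exp"] + leeway:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    claims = {"sub": "secure-login", "Name": "Best open source", "Role": "Admin", "iss": ISSUER}
    token = create_token(claims)
    print(token)
    print(verify_token(token)["Name"])
```

The point worth noticing is the order of checks in verify_token: the algorithm is pinned and the signature is verified before any claim in the payload is trusted, which is also what JWT.require(algorithm) enforces in the Java code.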

References:

https://jwt.io/

https://github.com/auth0/java-jwt

https://www.findbestopensource.com/tagged/jwt-library