Generate Jwt Token Using Public Key

admin

Create JSON Web Tokens signed with your private key to authorize API requests.

Dec 17, 2019  You can create a custom token with the Firebase Admin SDK, or you can use a third-party JWT library if your server is written in a language which Firebase does not natively support. Before you begin. Custom tokens are signed JWTs where the private key used for. Jan 29, 2020 One of Red Hat SSO’s strongest features is that we can access Keycloak directly in many ways, whether through a simple HTML login form, or an API call. In the following scenario, we will generate a JWT token and then validate it. Everything will be done using API calls, so Keycloak’s UI is not exposed to the public directly. Set up a user.

Overview

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a way to securely transmit information. The App Store Connect API requires JWTs to authorize each API request. You create the token, signing it with the private key you downloaded from App Store Connect.

To generate a signed JWT:

  1. Create the JWT header.

  2. Create the JWT payload.

  3. Sign the JWT.

Include the signed JWT in the authorization header of each App Store Connect API request.

Create the JWT Header

To create a JWT to communicate with the App Store Connect API, use the following fields and values in the header:

To get your key ID, copy it from App Store Connect by logging in to App Store Connect, then:

  1. Select Users and Access, then select the API Keys tab.

  2. The key IDs appear in a column under the Active heading. Hover the cursor next to a key ID to display the Copy Key ID link.

  3. Click Copy Key ID. /guild-wars-trilogy-cd-key-generator.html.

If you have more than one API key, use the key ID of the same private key that you use to sign the JWT.

Here's an example of a JWT header:

Create the JWT Payload

The JWT payload contains information specific to the App Store Connect APIs, such as issuer ID and expiration time. Use the following fields and values in the JWT payload:

To get your issuer ID, log in to App Store Connect and:

  1. Select Users and Access, then Select the API Keys tab.

  2. The issuer ID appears near the top of the page. To copy the issuer ID, click Copy next to the ID.

Here's an example of a JWT payload:

Sign the JWT

Use the private key associated with the key ID you specified in the header to sign the token.

Regardless of the programming language you're using with the App Store Connect API, there are a variety of open source libraries available online for creating and signing JWT tokens. See JWT.io for more information.

Tip

You do not need to generate a new token for every API request. To get better performance from the App Store Connect API, reuse the same signed token for up to 20 minutes.

Include the JWT in the Request's Authorization Header

Once you have a complete and signed token, provide the token in the request's authorization header as a bearer token.

The following example shows a curl command using a bearer token. Replace the text '[signed token]' with the value of the signed token itself.

See Also

Creating API Keys for App Store Connect API

Create API keys used to sign JWTs and authorize API requests.

Revoking API Keys
25 Jul 2018MIT
This article is an introduction on how to use the JJWT library, key stores, private/public keys to encrypt and decrypt the JWT token.

Introduction

In this article, I will present a very simple tutorial on how to create a JWT token, how to encrypt the token, and how to decrypt the token. This article will be simple and fun. Although I am no subject expert, I will show the following:

  • How to create a Java keystore
  • How to extract public key out of the KeyStore file
  • How to create the JWT token
  • How to encrypt the JWT token using the private key in the keystore
  • How to decrypt the encrypted JWT token using the exported public key

You might ask, what would be the purpose of doing this? I have a personal project that will be implemented as a se of micro-services. One of the micro-services would be an authentication service. When a request comes into my micro-service ecosystem, the request will first be authenticated. User credential will be sent to the authentication and authorization service first, which can look up the user in database, and verify the credentials, then send back an encrypted JWT token that contains the user information. The service that is supposed to process the request will decrypt the JWT token and verify the user's authorization before the request can be handled. The authorization check will see what roles the user has and whether the user roles are sufficient for the request to be handled.

In order to do all these, we need a pair of keys -- RSA private/public key pair. The authentication service uses the private key to encrypt the token. The service that handles user request needs to decrypt the token, which can use the public key to do this. In between, we need to find a way to create the JWT token unencrypted. All these will be explained in this article.

Create Java KeyStore

A Java KeyStore file is a repository of certificates (public key) and corresponding private keys. They can be used for SSL transportation. One example you might notice about the Java KeyStore file is that it can be used by J2EE application containers like Jetty, Glassfish, TomCat through some XML configuration. And you will have https enabled for these application containers.

For this tutorial, all we need to know is how to create one Java KeyStore file with just one RSA certificate and its corresponding private key. To create a new Java KeyStore file, here is the command:

What the above command does is to create a keystore with one RSA key in it. The alias of the key is called 'hanbotest'. The algorithm that is used to create the key is RSA. The size of the key is 2048 bits. And the default format of the KeyStore is JKS.

Once you type in the command, hit enter, it will prompt you for the following information:

  1. The password for the keystore, I use '123test321'.
  2. Again for the same password.
  3. First name and last name, I entered 'Han Bo'.
  4. Name of the organization unit, I entered 'Hanbo Enterprise'.
  5. Name of the organization, I entered 'Hanbo Enterprise' again.
  6. Name of the city, I entered 'Chicago'.
  7. Name of the state or province, I entered 'IL'.
  8. Two characters of the country, I entered 'US'.
  9. Last one is just '[no]', I type in 'yes' and hit enter.
  10. The last last thing is the password of the certificate and private key. I keep it the same as the password of the keystore. Just hit enter.
  11. Look into the destination directory, you will see the KeyStore file.

Don't worry about the information you entered. This is a mock certificate and used for testing only. And I have included this mock KeyStore as part of the sample source code. Once you got it, you can swap out with your own KeyStore file and play with the source code.

Export the Public Key/Certificate

Now that you have a KeyStore file. The next step is to export the public key as a separated entity. Private key is something to be protected, and public key can be shared to other parties. To extract public key, here is the command:

What this command does is specify the jks file, the alias of the key, and the output file which is called 'hanbotest.cer'. When it is typed in, and hit enter, it will prompt for password. Enter password '123test321'. The cer file will be created successfully.

Now they can be used for the JWT token encryption and decryption.

Encrypting and Decrypting JWT Token

I wrote a simple Java console app that demonstrates the encryption of the JWT token using the private key. It will be a string once encrypted. Then I take the string, and use the public key to decrypt the encrypted token.

The POM File

Since this is a simple Java console program, the POM file is pretty straight forward. The most important part is the dependencies. Here they are:

The version of the jackson libraries is 2.7.3. And I defined it in a separated section in the same pom file, like this:

One more thing about this, in the official JJWT library tutorial, it said there is no need to include any other dependencies. This is not true. I had to include the three jackson jar files. or the application will not work.

The Main Program

The main program is super simple. It is one class, with a main entry, and a static helper method. All it does is create the JWT token, encrypt, then decrypt. The purpose is to demonstrate how JWT token is created and protected.

I use the JJWT library. And it is very easy to create the JWT token. Here is the code:

There are two things that you must be aware of:

  • setExpiration() should set a Date object that is later than the Date object for the setIssuedAt().
  • signWith() uses the private key to sign the JWT token. This is where we should use the private key.

The question is, how do we load the private key. Turned out, this is not hard to do:

The first line defines the string that represents the password. The second line gets a KeyStore instance, and I specify the type used is the default type. There are many different types of JKS which you can use. Besides the default type which Java supports out of box, there is also the PKCS12 format, and many others. In this case, I am just using the default type. The third line loads the KeyStore from the JKS file. In order to load, one must supply the password associated with the JKS file. The last line extracts the private key out of the KeyStore object. The object named 'key' is the private key used by the signWith() in previous code sample.

If you run the program with just these two pieces of code, you will see something like the following output:

The string contains three encrypted sections. They are separated by two '.'. The sections are token header, body, and signature. The last part can be used to verify that the JWT token is generated by a legitimate private key.

How To Generate Jwt Token

The next part of the program is to decrypt the string back into a JWT token object. This is done using the public key. In order to do this, first we need to load the public key. This is the only hard part of this tutorial. I wrote a very simple helper method:

C# Generate Jwt Token

This helper method takes a full file path to the cer file I just created, and return an object of PublicKey. The method has 4 lines:

  1. First, create a CertificateFactory object. The type of the certificate is specified by a string. This is probably the hardest of all. The type is actually 'X.509'.
  2. The next line takes a FileInputStream of the actual cer file and use the CertificateFile object to create a Certificate object.
  3. The third line extracts the PublicKey object out of the Certificate object.
  4. The last line returns the PublicKey object back to the caller.

Once a PublicKey object is available, we can take the encrypted string and use JJWT libraries to attempt decoding it. Here is how it is done:

There are only two lines in this. The first one uses the helper method to get the public key from the cer file. The second one uses the JJWT library methods to decrypt the JWT token. The returning object is of type Jws<Claims>. compactJws is the string that holds the encrypted JWT token.

Once the token is decrypted, there will be three different parts.

  • JWT token's header
  • JWT token's body - this is where the user credentials are stored
  • JWT token signature

If a token can be decrypted correctly, then all we care about is the body portion of the token. Here is how I output and see if it is decrypted correctly:

The output of the id, the audience and the subject are the same as the input value I have used when I created the JWT token.

Points of Interest

As promised, I have kept this article short and easy, simple and fun. All I have done in this article are:

  • Create a JKS KeyStore with just one RSA key.
  • Export the public certificate from the JKS KeyStore file out as a cer file.
  • A sample program that creates a JWT token, use the private key to encrypt it and use the public key (the exported certificate) to decrypt the token.

It is not very much, but it can be extended and incorporated into a real-world web application, where a service will be dedicated to do authentication and creating the JWT tokens, while other services can consume and verify the JWT token. It just made development of web based application a lot more fun.

Generate Jwt Token With Private Key C#

History

Jwt Token Creator

  • 07/21/2018 - Initial draft

Jwt With Public Key