If we try to parse an expired JWT, it results in an expired exception.
Is there a way to read the claims even if the JWT has expired?
Below is used to parse the JWT in Java:
Jwts.parser().setSigningKey(secret.getBytes()).parseClaimsJws(token).getBody();
There is a better approach to do this. If you look at the JWT exception handler object, e.g. ExpiredJwtException, the exception object itself contains the following: header, claims and message.
So the claims can easily be extracted through this object, i.e. e.getClaims().getId(), where e is the ExpiredJwtException object.
The ExpiredJwtException constructor is as follows:
public ExpiredJwtException(Header header, Claims claims, String message) {
    super(header, claims, message);
}
Example:
try {
    // executable code
} catch (ExpiredJwtException e) {
    System.out.println("token expired for id : " + e.getClaims().getId());
}
JWT objects are Base64URL encoded. This means that you can always read the headers and payload by manually Base64URL-decoding them. In this case you will simply ignore the exp attribute.
For instance, you can do it like this (I'm using the Java 8 built-in Base64 class, but you can use any external library, such as Apache Commons Codec):
import java.util.Base64;
Base64.Decoder decoder = Base64.getUrlDecoder();
String src = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImV4cCI6IjEzMDA4MTkzODAifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.2GpoV9q_uguSg0Ku6peI5aZ2qBxO5qOA42zaS25gq_c";
String[] parts = src.split("\\."); // Splitting header, payload and signature
System.out.println("Headers: "+new String(decoder.decode(parts[0]))); // Header
System.out.println("Payload: "+new String(decoder.decode(parts[1]))); // Payload
and the output is:
Headers: {"alg":"HS256","typ":"JWT","exp":"1300819380"}
Payload: {"sub":"1234567890","name":"John Doe","admin":true}
Please also note that the exp attribute is set to 1300819380, which corresponds to 16 January 2016.
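Base64URL decoding alone does not check the signature, so claims read that way are unauthenticated. The following is an added example, not part of the original answer, that uses only the JDK to verify an HS256 signature and then return the payload without checking exp; the class name, helper names, secret and tokens are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ExpiredJwtClaims {
    // HS256 is fixed here in code; the token's own "alg" header is never trusted.
    static byte[] hs256(String signingInput, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Returns the payload JSON only if the signature verifies; "exp" is deliberately not checked.
    static String verifiedPayload(String token, byte[] secret) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS");
        }
        Base64.Decoder dec = Base64.getUrlDecoder();
        byte[] expected = hs256(parts[0] + "." + parts[1], secret);
        // Constant-time comparison of the computed and the presented MAC.
        if (!MessageDigest.isEqual(expected, dec.decode(parts[2]))) {
            throw new SecurityException("bad signature");
        }
        return new String(dec.decode(parts[1]), StandardCharsets.UTF_8);
    }

    static String b64(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        // Constructed token whose exp (1300819380) is long past.
        String head = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
        String body = b64("{\"sub\":\"1234567890\",\"exp\":1300819380}");
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(hs256(head + "." + body, secret));
        System.out.println("verified: " + verifiedPayload(head + "." + body + "." + sig, secret));
        // The same signature over an edited payload must be rejected.
        String edited = b64("{\"sub\":\"1234567890\",\"admin\":true}");
        try {
            verifiedPayload(head + "." + edited + "." + sig, secret);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Claims returned this way come from an expired token, so they are suitable for logging or for identifying the subject during a refresh flow, not for granting access.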
This might be old, but for anyone who's facing this issue, Java's io.jsonwebtoken ExpiredJwtException already has the claims in it; you can get them by calling e.getClaims().
If you use io.jsonwebtoken, you can try my function:
public Claims getClaimsFromToken(String token) {
    try {
        // Get Claims from valid token
        return Jwts.parser()
                .setSigningKey(SECRET)
                .parseClaimsJws(token)
                .getBody();
    } catch (ExpiredJwtException e) {
        // Get Claims from expired token
        return e.getClaims();
    }
}
If someone comes in looking for the jose4j library, then the below works:
invalidJwtException.getJwtContext().getJwtClaims()
Just set the ValidateLifetime property of the TokenValidationParameters to false before calling ValidateToken.
TokenValidationParameters tokenValidationParameters = new TokenValidationParameters();
tokenValidationParameters.ValidateLifetime = false;
JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
ClaimsPrincipal principal = jwtSecurityTokenHandler.ValidateToken(token, tokenValidationParameters, out SecurityToken validatedToken);
Then you can read the claims like this:
string name = principal.Claims.FirstOrDefault(e => e.Type.Equals(ClaimTypes.Name)).Value;
string email = principal.Claims.FirstOrDefault(e => e.Type.Equals(ClaimTypes.Email)).Value;