I have to create my token with JWT but I don't know how to do it.
2
- Please include [what you have tried](http://mattgemmell.com/what-have-you-tried/) in your post. – milo526 Apr 21 '15 at 20:17
- I'm using this (http://jwt.io/) but I couldn't find any information about creating the token. So, I don't know if this library allows me to create the token or if I need to use another library. So I haven't tried anything because I don't know how to begin. Can someone help me or guide me with this problem? Thanks – Franco Cerati Apr 22 '15 at 12:22
3 Answers
4
You have to use a library for that. I personally use nimbus-jose-jwt. This is an example from their page using HS256 to sign the JWT:

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.SecureRandom;
import java.util.Date;

// Generate random 256-bit (32-byte) shared secret
SecureRandom random = new SecureRandom();
byte[] sharedSecret = new byte[32];
random.nextBytes(sharedSecret);

// Create HMAC signer
JWSSigner signer = new MACSigner(sharedSecret);

// Prepare JWT with claims set
JWTClaimsSet claimsSet = new JWTClaimsSet();
claimsSet.setSubject("alice");
claimsSet.setIssuer("https://c2id.com");
claimsSet.setExpirationTime(new Date(new Date().getTime() + 60 * 1000));
SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet);

// Apply the HMAC protection
signedJWT.sign(signer);

// Serialize to compact form, produces something like
// eyJhbGciOiJIUzI1NiJ9.SGVsbG8sIHdvcmxkIQ.onO9Ihudz3WkiauDO2Uhyuz0Y18UASXlSc1eS0NkWyA
String s = signedJWT.serialize();
```
You can also use jose4j. An example from their page using RSA to sign the JWT (public + secret key):

```java
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import java.util.Arrays;
import java.util.List;

// Generate an RSA key pair, which will be used for signing and verification of the JWT, wrapped in a JWK
RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);

// Give the JWK a Key ID (kid), which is just the polite thing to do
rsaJsonWebKey.setKeyId("k1");

// Create the Claims, which will be the content of the JWT
JwtClaims claims = new JwtClaims();
claims.setIssuer("Issuer"); // who creates the token and signs it
claims.setAudience("Audience"); // to whom the token is intended to be sent
claims.setExpirationTimeMinutesInTheFuture(10); // time when the token will expire (10 minutes from now)
claims.setGeneratedJwtId(); // a unique identifier for the token
claims.setIssuedAtToNow(); // when the token was issued/created (now)
claims.setNotBeforeMinutesInThePast(2); // time before which the token is not yet valid (2 minutes ago)
claims.setSubject("subject"); // the subject/principal is whom the token is about
claims.setClaim("email","mail@example.com"); // additional claims/attributes about the subject can be added
List<String> groups = Arrays.asList("group-one", "other-group", "group-three");
claims.setStringListClaim("groups", groups); // multi-valued claims work too and will end up as a JSON array

// A JWT is a JWS and/or a JWE with JSON claims as the payload.
// In this example it is a JWS so we create a JsonWebSignature object.
JsonWebSignature jws = new JsonWebSignature();

// The payload of the JWS is JSON content of the JWT Claims
jws.setPayload(claims.toJson());

// The JWT is signed using the private key
jws.setKey(rsaJsonWebKey.getPrivateKey());

// Set the Key ID (kid) header because it's just the polite thing to do.
// We only have one key in this example but using a Key ID helps
// facilitate a smooth key rollover process
jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());

// Set the signature algorithm on the JWT/JWS that will integrity protect the claims
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);

// Sign the JWS and produce the compact serialization or the complete JWT/JWS
// representation, which is a string consisting of three dot ('.') separated
// base64url-encoded parts in the form Header.Payload.Signature
// If you wanted to encrypt it, you can simply set this jwt as the payload
// of a JsonWebEncryption object and set the cty (Content Type) header to "jwt".
String jwt = jws.getCompactSerialization();
```
There are more options in the question that Erik Gillespie indicates. The jwt.io page allows you to paste the generated token and see its payload. Also, if you put in your secret key, it will check the integrity of the token.

gabrielgiussi
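To show what the HS256 signing in the answer above computes, the following added example (not from the answer, nimbus-jose-jwt or jose4j) builds and checks the compact `Header.Payload.Signature` form using only the JDK. The class and method names are hypothetical, and claim validation such as `exp`, `iss` and `aud` is left out, which is one reason to use a library in production.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class Hs256JwtDemo { // hypothetical class name
    static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String b64(String json) {
        return B64URL.encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }
    // HMAC-SHA256 over the ASCII bytes of "header.payload" (the JWS signing input)
    static byte[] hmac(byte[] secret, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Compact form: base64url(header) "." base64url(claims) "." base64url(signature)
    static String create(byte[] secret, String claimsJson) throws Exception {
        String signingInput = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + b64(claimsJson);
        return signingInput + "." + B64URL.encodeToString(hmac(secret, signingInput));
    }

    // Always recompute with HS256 (never trust the header's "alg"); constant-time compare
    static boolean verify(byte[] secret, String jwt) throws Exception {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return false;
        try {
            byte[] presented = Base64.getUrlDecoder().decode(parts[2]);
            return MessageDigest.isEqual(hmac(secret, parts[0] + "." + parts[1]), presented);
        } catch (IllegalArgumentException e) {
            return false; // signature part is not valid base64url
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32]; // 256-bit shared secret, as in the answer
        new SecureRandom().nextBytes(secret);
        long exp = System.currentTimeMillis() / 1000 + 60; // NumericDate: seconds since epoch
        String jwt = create(secret, "{\"sub\":\"alice\",\"iss\":\"https://c2id.com\",\"exp\":" + exp + "}");
        String[] p = jwt.split("\\.");
        // Constructed sample: payload swapped while the old signature is kept
        String altered = p[0] + "." + b64("{\"sub\":\"bob\"}") + "." + p[2];
        System.out.println(jwt);
        System.out.println("original verifies: " + verify(secret, jwt));
        System.out.println("altered verifies:  " + verify(secret, altered));
    }
}
```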
1
Try using the solution mentioned in the URL below:
https://dev.to/keysh/spring-security-with-jwt-3j76

Sahil Bhalla
0
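You can use the following method:

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.MacProvider;
import java.security.Key;
import java.util.Date;

public String jwtToken(String name) {
    long nowMillis = System.currentTimeMillis();
    Date now = new Date(nowMillis);
    // Expire 10 minutes after issuance (assumed lifetime; adjust as needed)
    Date expireDate = new Date(nowMillis + 10 * 60 * 1000);
    // Random HS512 key; it must be kept and reused to verify the token later
    Key key = MacProvider.generateKey();
    String compactJws = Jwts.builder()
            .setSubject(name)
            .setAudience("users")
            .setIssuedAt(now)
            .setExpiration(expireDate)
            .signWith(SignatureAlgorithm.HS512, key)
            .compact();
    return compactJws;
}
```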