
I would like to understand better how uaa client token verification works with cloud foundry.

After logging in with the Cloud Foundry cf tool, I have obtained a signed token by running

cf oauth-token

As I understand it, this token has been signed by the cf client and contains the original access token that it received from the UAA after I logged in.

Now I can decode this token with any online jwt parser (the token is not sensitive information, since the cf tool is only targeted at my local bosh-lite installation). Yet how do I validate that the token is correct? This is usually a task that the cloud controller would then do, correct?

I have tried using the JJWT java library as follows:

Jwts.parser().setSigningKey("").parseClaimsJws(token).getBody();

Yet it complains about the empty signing key. What is the signing key that the cf client is using? Is it the client secret registered with the UAA?

Any clarification is highly appreciated.

user152468

2 Answers


My current understanding is that the CF CLI just saves the encoded and signed token generated by UAA. This token is signed with the UAA private key, and can only be verified with the corresponding UAA's public verification key.

In order for you to verify that token, you have two options:

1) Use the UAA endpoint (/check_token) that verifies a given token for you; in this approach you don't need the UAA's verification key.

See https://github.com/cloudfoundry/uaa/blob/master/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/RemoteTokenServices.java

2) Retrieve the UAA public verification key (/token_key), and write some code to verify the JWT signature.

See https://github.com/cloudfoundry-incubator/routing-api/blob/master/authentication/token_validator.go

Based on the approach you take, you can then mimic the corresponding implementation using JS.

I hope that helps.

fordaz

All you need is the verification key (assuming you actually do want to verify the token signature).

Here is how it goes:

1. You can parse the JWT token without any keys, and without keys it shouldn't validate the signature.
2. If you wish to validate the signature, provide a verification key.

The verification key is found under the UAA's /token_keys endpoint:

https://uaa.run.pivotal.io/token_keys
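Added example, not code from either answer or from the Cloud Foundry projects: a Go program doing what option 2 of the first answer and the second answer describe, i.e. verifying an RS256-signed token locally against the public keys published at /token_keys, in the spirit of the routing-api token_validator.go linked above. Everything is constructed inline so it runs offline: a freshly generated RSA key stands in for the UAA signing key, JWKSFor renders its public half in the /token_keys shape (assumed here to carry "kid", "kty", "n" and "e" members), and SignRS256 mints a sample token the way an issuer would. Only ParseJWKS and VerifyRS256 are the verifier's side; the key id "key-1" and subject "user-1" are made-up sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// ParseJWKS turns a /token_keys style JSON document into RSA public keys indexed by
// "kid". Only "kid", "kty", "n" and "e" are read (assumed shape of the response).
func ParseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := make(map[string]*rsa.PublicKey)
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, errors.New("unusable key entry " + k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

func decodeSegment(seg string, v interface{}) error { // base64url-decode one segment, parse its JSON
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyRS256 checks a compact JWS against the key set and returns its claims. The algorithm
// is pinned to RS256 rather than trusted from the header, so "alg":"none" or HMAC is rejected.
func VerifyRS256(token string, keys map[string]*rsa.PublicKey, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part JWS")
	}
	var header struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, err
	}
	key := keys[header.Kid]
	if header.Alg != "RS256" || key == nil {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", header.Alg, header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload
	sig, err := b64.DecodeString(parts[2])
	if err == nil {
		err = rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig)
	}
	if err != nil {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]interface{}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token is expired or carries no exp claim")
	}
	return claims, nil
}

// SignRS256 plays the issuer (what UAA does with its private key) so the example has a token to check.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// JWKSFor renders a public key in the /token_keys shape (a constructed sample, not a real response).
func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kid": kid, "kty": "RSA", "alg": "RS256",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return doc
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the UAA signing key pair
	keys, _ := ParseJWKS(JWKSFor(&priv.PublicKey, "key-1"))
	tok := SignRS256(priv, "key-1", map[string]interface{}{"sub": "user-1", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyRS256(tok, keys, time.Now()))
}
```

Against a real deployment the JWKSFor step is replaced by an HTTP GET of the UAA's /token_keys URL whose body is fed to ParseJWKS, and the key set should be cached and refreshed when an unknown "kid" turns up, since UAA can rotate keys. The two checks the example insists on, pinning the algorithm and enforcing exp, are exactly the ones a library's permissive parse path (such as parsing without a key, as the second answer notes) does not give you; a resource server would normally also check the aud and scope claims for its own resource, which this page does not cover.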