Auth Solution(3)JWT in Java and PHP Sample

Here is my example in Java, which generates the RSA private key and public key used for RS512 signing (RSA with SHA-512, the alg shown in the token header below).

Inside the Java example, we use the private key to sign our content (user id, role, creation time and so on) to generate a token.

https://github.com/luohuazju/sillycat-authcenter

When we run the RSACoder class, it generates a private key and public key pair and prints both as Base64 strings, for example:

privateKey: (private key string omitted from the page)

publicKey:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCy5d2EZ7CPGTJQRfRf52i6Oyo2T+lUcFPirag8kcBwVDZ9j1IVNUWqDg4i61nBSe2sBei8zWdyua3wq67d9SyeqRIDLdYPtPUoZRaMnFPQxpNlEQQ3N2Vohpt4kdfVMhc6Y1bhn20L7K962H76RyrJ2ppN1hLt2Rs5uuG2PdOSbQIDAQAB

In my sample, copy the keys into the second class, JWTJavaWithPublicPrivateKey.

Run the class JWTJavaWithPublicPrivateKey; it uses the private key to generate a token:
eyJhbGciOiJSUzUxMiJ9.eyJyb2xlIjoidXNlciIsImNyZWF0ZWQiOjE1NTY4MzgxNjUyNTksImlkIjoieWl5aWthbmciLCJlbWFpbCI6InlpeWlrYW5ncmFjaGVsQGdtYWlsLmNvbSJ9.lYFXMoaqK3BRSyvMdu7HqSv6RwkNNvW3cIhyQ3sL47RjKjo5P2exQ6X43SJXl0bexn4BqXRCcWwjk2vhk8WbfqIxj0nK01WODuU6LD8SmxJVx81pX3wPhZBlyDt8DaQ1Eh0nl50mvzc6nJP4cm6-Hlen_B3XSCH_kUHk60DL3vg

The payload of that token decodes to these claims:
id: yiyikang
role: user
created: 1556838165259

The same Java code can use the public key to verify the signature and read those contents back from the token.

Imagine we have 2 separate servers:
  The Auth Server hosts the private key. It signs the contents (username, email, profile, expiration date and so on) to generate a token string and returns it in the response.
  The Resource Server hosts the public key and verifies the token: #1, check that the token was signed by the Auth Server and that its expiration date has not passed; #2, read the other contents only if #1 passes.

In this case the resource server does not need to talk to the Auth Server to verify anything; once it has the public key, it can decode and verify tokens on its own.

The token format and all of these methods are standard, so go to this website

https://jwt.io/

Paste the token into the Encoded window:
eyJhbGciOiJSUzUxMiJ9.eyJyb2xlIjoidXNlciIsImNyZWF0ZWQiOjE1NTY4MzgxNjUyNTksImlkIjoieWl5aWthbmciLCJlbWFpbCI6InlpeWlrYW5ncmFjaGVsQGdtYWlsLmNvbSJ9.lYFXMoaqK3BRSyvMdu7HqSv6RwkNNvW3cIhyQ3sL47RjKjo5P2exQ6X43SJXl0bexn4BqXRCcWwjk2vhk8WbfqIxj0nK01WODuU6LD8SmxJVx81pX3wPhZBlyDt8DaQ1Eh0nl50mvzc6nJP4cm6-Hlen_B3XSCH_kUHk60DL3vg

Put our public key into the Verify Signature window as well:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCy5d2EZ7CPGTJQRfRf52i6Oyo2T+lUcFPirag8kcBwVDZ9j1IVNUWqDg4i61nBSe2sBei8zWdyua3wq67d9SyeqRIDLdYPtPUoZRaMnFPQxpNlEQQ3N2Vohpt4kdfVMhc6Y1bhn20L7K962H76RyrJ2ppN1hLt2Rs5uuG2PdOSbQIDAQAB
-----END PUBLIC KEY-----

It will show "Signature Verified" and all the contents we have.

That is to say, our token is standard. Other code/SDKs/libraries can decode and verify it as well.

There is a list of libraries on that website.

I only picked PHP as an example to verify the token. The example is https://github.com/luohuazju/sillycat-jwtphp

I used to be a PHP developer, but I haven't used it for some time. So first of all, check my PHP environment.

> php --version
PHP 7.2.12 (cli) (built: Nov 17 2018 22:16:25) ( ZTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

Make sure composer is available; if composer.phar is not already in that directory, download it:
> curl -sS https://getcomposer.org/installer | php

In my project directory, install the PHP dependencies:
> php composer.phar install

Copy the token and the public key into jwtphpdecodejava.php.

Run this command:
> php src/jwtphpdecodejava.php

The PHP code uses the token and the public key to verify the token and read its contents.

If we do not have the public key, we only get:
Fatal error: Uncaught Firebase\JWT\SignatureInvalidException: Signature verification failed in /Users/hluo/work/php/sillycat-jwtphp/vendor/firebase/php-jwt/src/JWT.php:112
Stack trace:
#0 /Users/hluo/work/php/sillycat-jwtphp/src/jwtphpdecodejava.php(18): Firebase\JWT\JWT::decode('eyJhbGciOiJSUzU...', '-----BEGIN PUBL...', Array)
#1 {main}
  thrown in /Users/hluo/work/php/sillycat-jwtphp/vendor/firebase/php-jwt/src/JWT.php on line 112

If the token was signed with a different private key, we get the same error as well.
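The two-server split described above (Auth Server signs with the private key, Resource Server verifies with only the public key), together with the two PHP failure cases just shown (no or wrong public key, or a token signed by another private key, both ending in a signature error), worked through in Go as an added example. This is not code from the page or from the sillycat-authcenter/sillycat-jwtphp repositories; it uses only the Go standard library. The Sign/Verify function names, the Claims struct and the demo values are assumptions of this example, and an exp claim (seconds since epoch) is added because check #1 asks whether the expiration date has passed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the payload on the page (id, email, role, created) plus an
// assumed exp claim so the resource server can enforce check #1.
type Claims struct {
	ID      string `json:"id"`
	Email   string `json:"email"`
	Role    string `json:"role"`
	Created int64  `json:"created"`
	Exp     int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Sign is the Auth Server side: only it holds the private key. It builds
// header.payload.signature with alg RS512 (RSASSA-PKCS1-v1_5 over SHA-512).
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha512.Sum512([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the Resource Server side and needs only the public key.
// Check #1: signature valid for this key and exp not passed.
// Check #2: only then are the claims handed back to the caller.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm instead of trusting the header, so a token that
	// claims "none" or an HMAC alg is rejected before any signature check.
	if hdr.Alg != "RS512" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Constructed demo values. In the page's setup RSACoder generates this
	// pair once and only the public half is copied to the resource server.
	authKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := Sign(authKey, Claims{ID: "demo-user", Email: "demo@example.com", Role: "user",
		Created: now.UnixNano() / int64(time.Millisecond), Exp: now.Add(time.Hour).Unix()})
	fmt.Println("token:", tok)
	claims, err := Verify(&authKey.PublicKey, tok, now)
	fmt.Println("own public key:", claims, err)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // some other server's key
	_, err = Verify(&otherKey.PublicKey, tok, now)
	fmt.Println("other public key:", err) // signature verification failed
}
```

Verify checks the signature before it looks at the payload, so a tampered payload, a token from another private key and an expired token all stop at check #1 and never reach check #2; the resource server never contacts the auth server for any of these decisions.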

In the PHP project we have examples that do the same thing sillycat-authcenter does. So no matter which language, we can do similar things.

The point is that the resource server never has to talk to the auth server, no matter which language our microservices are written in.

References:
https://jwt.io/
https://github.com/luohuazju/sillycat-jwtphp
https://github.com/luohuazju/sillycat-authcenter