Extension::Json JWTVerify Method

Syntax

.JWTVerify as c (token as C, secret as C[,options as c])

Arguments

token

JWT Token

secret

Secret that token was hashed againstt.

options

Specify a Algorithm used to hash, or pass complext options.

Description

Verify a javascript web token, return json if valid, otherwise return an empty string.

Example

' First create a token	
dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!")
? token
= "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTQ3Nzc3OTA2M30.xwGMV_POhwEoj-mH1PsgscL-uqOfBMLnNsD2SsOtqXE"

' Verify will return JSON packet if the supplied secret is valid
? extension::JSON::JWTVerify(token,"shhhh!")
= {"fname":"john","lname":"public","iat":1477779063}

' Pass it an incorrect secret - and verify will return a blank string
? extension::JSON::JWTVerify(token,"boo!")
= ""

 Using the optional parameter to specifiy alternate algorithms.

The default behaviour is to try the various hash schemas, you can specify the exact hash schemes using a comma separated list.

dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!","HS512")
? token
= "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTQ4MzczNTY1MH0.EBW04-jWCb405BUzbSuzoq19pWiAo6gLKhHfPic2WBClD6TKKqPzfttYtzTEPr45JoxTmK8oIcYKaVg5FZ4CAg"

' We are using a different hash
? extension::JSON::JWTVerify(token,"shhhh!","HS256")
= ""

' So include the hash we are using
? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= {"fname":"john","lname":"public","iat":1483735650}

' Comma separated list of accepted hash encodings works as well.
? extension::JSON::JWTVerify(token,"shhhh!","HS256,HS512")
= {"fname":"john","lname":"public","iat":1483735650}

 More Complex Options

Just like the JWTSign method, JWTVerify can take complex options.

In the following example, we sign a token that expires in 30 seconds (this is from the JWTSign examples).

After the token has expired, the JWTVerify() default behaviour is to report the token is invalid, but there is an option 'ignoreexpiration' that allows us to decode the packet for expired tokens, this feature is useful for debugging to determine why verify failed.

dim optionsSign.algorithm as c = "HS512"
dim optionsSign.expiresin as n = 30
dim optionsjson as c  = json_generate(optionsSign)
? optionsjson
= {
	"algorithm": "HS512",
	"expiresin": 30
}

dim token as c = extension::JSON::JWTSign(json_sanitize("{ fname : 'john' , lname : 'public'}"),"shhhh!",optionsjson)
? token
= "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJmbmFtZSI6ImpvaG4iLCJsbmFtZSI6InB1YmxpYyIsImlhdCI6MTQ4Mzc0MDUzNCwiZXhwIjoxNDgzNzQwNTY0fQ.KMcq2PQWsu0ouqnaZRRAWFa73UOiWI09r4GkE6YWydqJEQYJxhPhkEoa2crLJvfcOxZV5JIN6RFXx0s0Mlk-sA"


? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= {"fname":"john","lname":"public","iat":1483740534,"exp":1483740564}

' Wait for 30 seconds
? extension::JSON::JWTVerify(token,"shhhh!","HS512")
= ""

dim optionsVer.algorithms[1] as c = "HS512"
dim optionsVer.ignoreexpiration as l = .t.
dim optionsjson as c  = json_generate(optionsVer)
? optionsjson
= {
	"algorithms": [
		"HS512"	
],
	"ignoreexpiration": true
}

' Explicity ignore the expiration (can be used to determine if token is expired rather than using the wrong secret)
? extension::JSON::JWTVerify(token,"shhhh!",optionsjson)
= {"fname":"john","lname":"public","iat":1483740534,"exp":1483740564}

 Optional Fields

Field

Description

algorithms

Optional character array - specifies which algorithms allowed.

audience

Identifies the recipients that the JWT is intended for.

issuer

Identifies principal that issued the JWT.

ignoreexpiration

Decode the token even if it is expired.

ignorenotbefore

Decode the token even if it is not ready.

subject

Identifies the subject of the JWT.

clocktolerance

Number of seconds of error to tolerate on notbefore and expiration.