Read the payload written by withPayload

[bmaehr]

Checklist

• I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Hello,

When buliding a JWT you can set a payload with JWT.create().withPayload(payload).

But when decoding the JWT you don't have access to this payload. You are just able to get the payload Base64 encoded.

Describe the ideal solution

Maybe give access to JWTDecoder.payloadJson. The problem is the incosistent design of the methods.

Alternatives and current workarounds

No response

Additional context

No response

[marktech0813]

Hi, Can I handle this issue?

[marktech0813]

Please check PR.
thanks.

[tanya732]

Hi @bmaehr

Thank you for raising the issue!!

This does add convenience, but we want to be careful here. Exposing decoded header or payload JSON directly may encourage consumers to rely on unverified JWT data, since decoding does not imply signature verification. While the data is already accessible today, adding a dedicated API makes this usage more prominent.

Could you share the concrete use case you’re trying to solve with this change? That context will help us decide whether this belongs in the core API and, if so, how we should document or name it to avoid accidental misuse.

Thank you

[bmaehr]

When creating the JWT I can do something like this:

            String payloadValue = null;
            try {
                payloadValue = objectMapper.writeValueAsString(payload);
            } catch (final JsonProcessingException ex) {
                throw new TechnicalException("Serializing payload value '{}' to json has failed.", payload.toString(), ex);
            }
            builder.withPayload(payloadValue);

On the other hand I would like to do while decoding

            final DecodedJWT decodedJWT = decodedJWT(jwtToken, publicKey, keyType);
            final String payloadBase64 = decodedJWT.getPayload();
            final String payload = new String(Base64.getUrlDecoder().decode(payloadBase64), StandardCharsets.UTF_8);
            return objectMapper.readValue(payload , payloadClass);