#1 2025-07-09 11:14:22

tfopc
Member
Registered: 2024-01-08
Posts: 30

Parse JWT-Token (Access/IDToken) to TJwtContent

Hi,

Does somebody know how to do JWT parsing (fill TJwtContent) on the client side?

For the REST server I see that the JWTContent is accessible via the request. But on the client side I don't get the right way to do this.

What I have at the moment:

algo := TJwtAbstract.ExtractAlgo(<idtoken>);
if TextToSignAlgo(algo,a) then

But then how to create the right JWT class via

"jwt := JWT_CLASS[a].Create(...)" 

I don't have any secrets and don't know how to set the Create params.

I just want to do something like https://jwt.io

Thank you,
Tobias

Last edited by tfopc (2025-07-09 11:14:46)

Offline

#2 2025-07-09 13:04:34

Hubert T
Member
Registered: 2021-02-05
Posts: 1

Re: Parse JWT-Token (Access/IDToken) to TJwtContent

type
  { TJwtNoCheck }
  TJwtNoCheck=Class(TJwtAbstract)
    procedure CheckSignature(const headpayload: RawUtf8;
      const signature: RawByteString; var jwt: TJwtContent); override;

  end;

procedure TJwtNoCheck.CheckSignature(const headpayload: RawUtf8; const signature: RawByteString; var jwt: TJwtContent);
begin
  jwt.result := jwtValid;
end;

function JwtUnsafeParse(AccessToken: RawUtf8): Variant;
var
  jwtContent: TJwtContent;
  jwt: TJwtNoCheck;
begin
  jwt := TJwtNoCheck.create(TJwtNone.ExtractAlgo(VariantToUtf8(AccessToken)),[], [],0, 0 , '');
  jwt.Options := [joHeaderParse,joAllowUnexpectedClaims,joAllowUnexpectedAudience];
  jwt.Verify(VariantToUtf8(AccessToken), jwtContent);
  Result := Variant(jwtContent.data);
end;

Offline

#3 2025-07-09 14:01:43

tfopc
Member
Registered: 2024-01-08
Posts: 30

Re: Parse JWT-Token (Access/IDToken) to TJwtContent

Hi Hubert,

Works perfectly, thank you very much!

I changed the function to this, to also get the other info.

procedure JwtUnsafeParse(AccessToken: RawUtf8; var jwtContent:TJwtContent);
var jwt: TJwtNoCheck;
begin
  FillcharFast(jwtContent,sizeOf(jwtContent),0);
  jwt := TJwtNoCheck.create(TJwtNone.ExtractAlgo(VariantToUtf8(AccessToken)),[], [],0, 0 , '');
  jwt.Options := [joHeaderParse,joAllowUnexpectedClaims,joAllowUnexpectedAudience];
  jwt.Verify(VariantToUtf8(AccessToken), jwtContent);
end;

Offline

#4 2025-07-09 14:23:28

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,081
Website

Re: Parse JWT-Token (Access/IDToken) to TJwtContent

Warnings: your code is leaking memory.
1) Don't forget to call jwt.Free
2) if something is stored in JwtContent fields before calling the functions, then FillCharFast() would leak any RawUtf8 or TDocVariantData stored.

I also don't understand the VariantToUtf8(AccessToken) conversion.

Personally, I would not use this TJwtNoCheck trick, but the TJwtAbstract.VerifyPayload() class function which was supposed to do what you expect.

Offline

#5 2025-07-09 14:41:43

tfopc
Member
Registered: 2024-01-08
Posts: 30

Re: Parse JWT-Token (Access/IDToken) to TJwtContent

Hi ab,

Thanks for the hint. I will try it with TJwtAbstract.VerifyPayload. And the memleak 1) I also realized after my post.

Thanks to both of you!

Offline

#6 2025-07-10 09:14:17

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,081
Website

Re: Parse JWT-Token (Access/IDToken) to TJwtContent

I have added a ParseJwt() official function.
https://github.com/synopse/mORMot2/commit/49d6e4631

It was also the opportunity to rewrite/optimize TJwtAbstract.Parse a bit more.

Offline
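
What a jwt.io-style client-side parse amounts to at the token-format level, as an added Python example that is not from this thread and not mORMot code: it splits the compact token, base64url-decodes header and payload, and returns the claims explicitly marked as unverified. All function names and the sample token are constructed for illustration.

```python
import base64
import binascii
import json
import re


class JwtFormatError(ValueError):
    """The token is not a well-formed compact JWT."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Reject anything outside the base64url alphabet instead of silently skipping it.
    if not re.fullmatch(r"[A-Za-z0-9_-]*", segment):
        raise JwtFormatError("segment is not base64url")
    try:
        # JWT segments drop the '=' padding; restore it before decoding.
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except binascii.Error as exc:
        raise JwtFormatError("segment has an invalid length") from exc


def json_object(segment: str, name: str) -> dict:
    try:
        value = json.loads(b64url_decode(segment))
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        raise JwtFormatError(f"{name} is not valid JSON") from exc
    if not isinstance(value, dict):
        raise JwtFormatError(f"{name} is not a JSON object")
    return value


def unsafe_parse_jwt(token: str) -> dict:
    """Decode header and claims for display only; no key is involved."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtFormatError("expected header.payload.signature")
    header = json_object(parts[0], "header")
    return {"alg": header.get("alg"), "header": header,
            "claims": json_object(parts[1], "payload"),
            "verified": False}  # always False: the signature was not checked


# Constructed sample token, not a real credential; the signature is filler bytes.
SAMPLE_TOKEN = ".".join(b64url_encode(p) for p in (
    b'{"alg":"RS256","typ":"JWT"}',
    b'{"sub":"alice","iss":"https://idp.example","exp":1752055200}',
    b"filler-not-a-signature"))
```

A token whose payload was altered decodes just as cleanly as the original, so claims obtained this way are display data; anything that grants access belongs after signature verification with the issuer's key.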
