Resolved JWT token decryption within Unity?

Discussion in 'Scripting' started by Saeed-Barari, Feb 23, 2023.

  1. Saeed-Barari

    Hey, I've recently had the need to decrypt some JWT token in the game and the class JwtSecurityTokenHandler is unavailable in Unity (@ 2021 at least). I sought alternative raw coding solutions to implement it on my own, but found it's much more complex than I'd hoped for. Is there an easier hack out there that's:
    1. Not vulnerable
    2. As little dependencies as possible
    ?

    thanks in advance!
     
  2. SF_FrankvHoof

  3. Saeed-Barari

    Just tested it. It does not go well with Unity, at least not out of the box. Some classes it's using are missing (i.e. ILogger, AuthenticateResult), which means it has some dependencies. I prefer to not go down the route of importing all its dependencies, as each could have their own set of dependencies... I was hoping for a more simple and Unity-polished solution to decoding JWT tokens.
     
  4. Bunny83

    JWTs are not encrypted at all. They are simply encoded as concatenated base64 strings. The structure is explained right here. So you can simply split the token at the "." so you have the 3 parts separated. You can use FromBase64String to get the content. Though be careful as JWT usually uses base64URL, which does not use + and / as the last two characters but - and _ so it's safe to be used in a URL. So you probably want to replace them before decoding.

    The content is usually UTF-8 strings. So you can use System.Text.Encoding.UTF8.GetString(byteArray) to get the actual string. Since the strings of the header and payload are both just JSON, you just need to read / convert the JSON as you need it.

    You can use Unity's JsonUtility and create serializable classes that represent the JSON objects and the fields you're interested in. An alternative would be to use any other JSON parser (like my SimpleJSON) to more easily access the JSON data.

    Actually verifying the signature is a bit more complicated. Though you just said that you want to access the data, which you can do that way.
     
    Last edited: Feb 28, 2024
    Saeed-Barari likes this.
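
Added example, not part of any post in this thread: the decoding steps described in the post above (split on ".", base64url to base64, UTF-8, JsonUtility), written for Unity. The JwtClaims fields and the class and method names are assumptions for illustration, and the sample token is constructed in code.

```csharp
using System;
using System.Text;
using UnityEngine;

// Claim names are assumptions for this example; use the fields your token carries.
[Serializable] public class JwtClaims { public string sub; public string name; public long exp; }

public static class JwtPayloadReader
{
    // base64url -> bytes: map '-' and '_' back to '+' and '/', then restore the
    // '=' padding that JWT strips and Convert.FromBase64String insists on.
    public static byte[] Base64UrlDecode(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Not a valid base64url length.");
        }
        return Convert.FromBase64String(s);
    }

    // Reads the payload WITHOUT checking the signature: the result is untrusted input.
    public static string ReadPayloadJson(string token)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature.");
        // UTF-8, not ASCII: ASCII decoding replaces every non-ASCII byte with '?'.
        return Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
    }

    public static JwtClaims ReadClaims(string token) =>
        JsonUtility.FromJson<JwtClaims>(ReadPayloadJson(token));

    // Constructed sample: a token whose name claim is Thai, built in code so the
    // encoding is exact ("c2ln" is a placeholder signature segment that is never checked).
    // Returns true when the claim survives the round trip.
    public static bool Demo()
    {
        string Enc(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string token = Enc("{\"alg\":\"HS256\"}") + "." +
            Enc("{\"sub\":\"42\",\"name\":\"สมชาย\",\"exp\":1700000000}") + ".c2ln";
        return ReadClaims(token).name == "สมชาย";
    }
}
```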
  5. SF_FrankvHoof

    Saeed-Barari and Bunny83 like this.
  6. Saeed-Barari

    Thanks for the detailed reply. Excuse the misunderstanding my little knowledge of networking has caused; what I want is also the verification of the signature. I've looked it up to try to create my own implementation of the algorithm but it seemed more complex than I hoped...

    Edit: the JSON part is not a problem. We have JsonConvert.
     
  7. Saeed-Barari

  8. SF_FrankvHoof

    The Jwt.NET I posted above also seems to have a version for .NET 4-4.8.
    That one should probably work with Unity? (as long as you set your backend to .NET framework).
    Otherwise try the .NET 3.5 one.

    NuGet Gallery | JWT 10.0.2
    .NETFramework 4.0 seems to only have NewtonSoft as a dependency.
     
    Saeed-Barari likes this.
  9. Bunny83

    Well, support for all hashing algorithms can never be guaranteed. Apart from that, the specific implementation that Frank suggested only supports HMAC as hashing algorithm (specifically HS256, HS384 and HS512). Though a JWT token could also use RSA to sign the token and potentially other hashing / signing methods. Technology advances and code can never be future safe, only for a limited amount of time. So it may depend on your specific token, where you get it from and what algorithm it uses. When the header contains an algorithm that your class does not support, it cannot verify it.
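
Added example, not part of any post in this thread and not the code of the library discussed: an HS256-only check for Unity that rejects any token whose header names another algorithm, the case the post above ends on. Class and method names, the demo key and the sample token are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using UnityEngine;

[Serializable] public class JwtHeader { public string alg; }

public static class JwtHs256
{
    static byte[] Dec(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    static string Enc(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // True only for an HS256 token whose signature matches the shared secret.
    public static bool Verify(string token, byte[] secret)
    {
        string[] p = token.Split('.');
        if (p.Length != 3) return false;
        try
        {
            // Pin the algorithm; the token's header must not choose how it is checked.
            var h = JsonUtility.FromJson<JwtHeader>(Encoding.UTF8.GetString(Dec(p[0])));
            if (h == null || h.alg != "HS256") return false;
            // The MAC covers "header.payload" exactly as received.
            using (var hmac = new HMACSHA256(secret))
                return FixedTimeEquals(hmac.ComputeHash(Encoding.ASCII.GetBytes(p[0] + "." + p[1])), Dec(p[2]));
        }
        // Malformed base64url or malformed header JSON both mean "not valid".
        catch (Exception e) when (e is FormatException || e is ArgumentException) { return false; }
    }

    // Compare without exiting early, so timing does not reveal the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Constructed sample: sign a token with a demo key, then check it and a tampered copy.
    public static bool Demo()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key");
        string signed = Enc(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\"}")) + "." + Enc(Encoding.UTF8.GetBytes("{\"sub\":\"42\"}"));
        using (var hmac = new HMACSHA256(key))
        {
            string token = signed + "." + Enc(hmac.ComputeHash(Encoding.ASCII.GetBytes(signed)));
            return Verify(token, key) && !Verify(token.Insert(token.IndexOf('.') + 1, "x"), key);
        }
    }
}
```

A shared HMAC secret compiled into a game build can be recovered from it, so HS256 checks belong on a server; a client can only safely verify asymmetric signatures such as RS256, where it holds just the public key.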
     
  10. Saeed-Barari

    Thanks everyone :D The goal of my task was changed (rather, I had misunderstood it) and it seems I don't need to verify the integrity of the token, so I'll just have to take the string out of the middle part of the token (body), which can easily be done as Bunny83 mentioned here.

    + As for future people who could come across this problem, I found no issues using the old Github repo mentioned here, and even though I can't guarantee it builds for all Unity platforms, it's been the best solution I'd found so far. I tried SF_FrankvHoof's suggestion to use the official .Net JWT decoder, but I found some pragma defining issues, probably fixable if you dig more into it, but I didn't.
     
  11. elyeskacemeducation

    Hello, I found this solution and it works for me:

    Code (CSharp):
    var parts = token.Split('.');
    if (parts.Length > 2)
    {
        var decode = parts[1];
        var padLength = 4 - decode.Length % 4;
        if (padLength < 4)
        {
            decode += new string('=', padLength);
        }
        var bytes = System.Convert.FromBase64String(decode);
        var userInfo = System.Text.ASCIIEncoding.ASCII.GetString(bytes);
    }

    Source : https://stackoverflow.com/questions/31242420/how-to-use-json-web-token-jwt-in-unity-3d
     
    Bunny83 likes this.
  12. Bunny83

    Note that this implementation does not necessarily work as JWT uses "base64-URL" and not the "normal" base64 encoding. Here's a proper implementation to encode / decode the base64 strings.
     
  13. Phan-Phantz

    For anyone who needs to decode a JWT token that may contain non-English language (in my case, Thai), this solution is also not working.

    What I ended up doing was using the NuGet package manager to download the JWT package mentioned by @Bunny83, then do something like this:

    Code (CSharp):
    var decodedJwt = JwtBuilder.Create()
                        .DoNotVerifySignature()
                        .Decode(input);