Decode WSO2 App Manager generated JWT in PHP Web App

In this post we are going to see how to decode the JWT in a PHP web app that is published through App Manager.

Environment – Ubuntu
IDE – NetBeans
JWT library for PHP – firebase/php-jwt
Server – Apache web server

1. Create a PHP web app that decodes the JWT and displays it

1.1 Create a new PHP project in NetBeans, let's say JWTDecode

1.2 Add the firebase/php-jwt library as a dependency of the project

Install Composer on Ubuntu. (What Composer is and how to use it is described here.)
Add the firebase/php-jwt library as a dependency of the project using Composer:

a. Right-click the project -> Composer -> Add Dependency


b. Type firebase/php-jwt in the token text box and search. Select firebase/php-jwt from
the search results, choose the latest release version and press the Require button.


c. Once the dependency is added, Composer places the library under the project's vendor directory together with its autoloader.


1.3 Write the code that decodes and displays the JWT. Add the following code to index.php:

<?php
// log to syslog (LOG_PERROR also copies the messages to stderr)
openlog("myScriptLog", LOG_PID | LOG_PERROR, LOG_LOCAL0);
// Composer autoloader, which loads the firebase/php-jwt library
require __DIR__ . '/vendor/autoload.php';
use \Firebase\JWT\JWT;
// public key of App Manager (the default wso2carbon server public key);
// paste the PEM body between the BEGIN and END lines
$publicKey = "-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----";

$headers = getallheaders();
// read the JWT from the HTTP header X-JWT-Assertion; without it there is nothing to decode
if (!isset($headers['X-JWT-Assertion'])) {
    syslog(LOG_WARNING, "request arrived without an X-JWT-Assertion header");
    http_response_code(401);
    exit("No JWT received");
}
$encodedJwtToken = $headers['X-JWT-Assertion'];
echo "<b>encoded jwt token received from app manager</b><br>";
echo htmlspecialchars($encodedJwtToken) . "<br>";

// decode the token with signature verification: JWT::decode checks the RS256
// signature against $publicKey (and the exp/nbf claims) and throws on failure;
// the list of accepted algorithms is pinned so the token cannot choose its own
try {
    $decodedJwtToken = JWT::decode($encodedJwtToken, $publicKey, array('RS256'));
} catch (Exception $e) {
    syslog(LOG_ERR, "JWT verification failed: " . $e->getMessage());
    http_response_code(401);
    exit("Invalid JWT");
}
echo "<b>decoded jwt token payload :</b><br>";

foreach ($decodedJwtToken as $key => $val) {
    // escape claim values before echoing them into the page
    echo htmlspecialchars($key) . ': ' . htmlspecialchars((string) $val) . '<br>';
}

The third argument of JWT::decode is the list of accepted algorithms in the php-jwt releases current when this was written (the 6.x releases take a Key object instead). Verifying the signature is what makes the header trustworthy: the gateway signs with its private key, so a request that reaches the back end from anywhere other than the gateway, carrying a forged or tampered X-JWT-Assertion value, fails at this step instead of being displayed.


2. Deploy the created web app in the Apache web server
(How to install the Apache web server on Ubuntu can be found here.)

2.1 Navigate to the /var/www/ directory and add the web app there.
2.2 Start Apache with the command "sudo /etc/init.d/apache2 start". The web app can now be accessed directly at http://localhost/JWTDecode/. Opened this way no gateway is in the path, so no X-JWT-Assertion header arrives; the JWT only appears once the app is accessed through App Manager in step 3.

3. Publish the deployed web app through App Manager so that it decodes and displays the JWT

3.1 Publish the app through App Manager (give the URL of the web app created above, http://localhost/JWTDecode/, as the web app URL).


3.2 Go to the Store, find the created web app (jwt demo) and access its gateway URL http://xxxx:8280/jwt/1/. The JWT sent from the gateway to the back-end app is processed (decoded) and displayed.

By default only the role claim is sent to the back-end web app. If you want to send more claims of the user, do the following:
a. Set the <AddClaimsSelectively> element to 'true' in <AppM_HOME>/repository/conf/app-manager.xml
b. Restart the App Manager server
c. Go to the edit view of the created web app in the Publisher web app
d. Under advanced configuration, select the claims that should be included in the JWT


e. Update and access the web app. The selected claims now appear in the JWT.



Download the sample PHP project here.


WSO2 App Manager – Extract JWT token from wire log

App Manager provides SAML-based SSO for web apps published through it, so developers need not handle authentication in their web apps themselves. They can develop an unsecured web app and simply secure it via App Manager.

When a user tries to access the unsecured web app through App Manager (the gateway component), authentication is checked at the gateway. If the user is authenticated successfully, he or she is allowed to access the unsecured web app through the gateway.

In some cases the unsecured web app needs information about the authenticated user in order to serve data related to that user. In such scenarios the gateway has to send the authenticated user's information to the back end securely. The gateway can send the authenticated user's information to the back-end app using a JWT[1]. Configuring App Manager for JWT support is described here[2].

In this post I am going to discuss how to

1. Extract the encoded JWT that the App Manager gateway sends to the back-end web app.

2. Decode the extracted token and verify its signature.

1. Extract the encoded JWT

By default the encoded JWT is attached to the "X-JWT-Assertion" HTTP header. You can change the header the JWT is attached to by configuring the
<SecurityContextHeader/> element in app-manager.xml[2].

By enabling the wire log in the gateway you can see all messages coming into the gateway and going out from it, so the encoded JWT can be extracted from the messages going out from the gateway to the back-end application.

1. Enable the wire log
a. Open the logging configuration file under <APPM_HOME>/repository/conf
b. Uncomment the wire logger entry.

2. Invoke the web app through the gateway

3. Find the outgoing message that carries the X-JWT-Assertion HTTP header:

[2016-02-22 11:19:50,709] DEBUG – wire << “X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5rSkdPRVV4TXpaRlFqTTJSRFJCTlRaRlFUQTFRemRCUlRSQ09VRTBOVUkyTTBKR09UYzFSQT09In0=.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hcHBtIiwiZXhwIjoxNDU2MTIwOTE0NDM2LCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL3JvbGUiOiJJbnRlcm5hbC9hcHAxLXNpdGUtMSxJbnRlcm5hbC9hcHAxLXdlYi0xLEludGVybmFsL3B1Ymxpc2hlcixJbnRlcm5hbC9qd3QtMSxJbnRlcm5hbC9QbGFuWW91clRyaXBfYWRtaW4tMS4wLjAsSW50ZXJuYWwvYW5vbjEtc2l0ZS0xLEludGVybmFsL2NyZWF0b3IsYWRtaW4sSW50ZXJuYWwvcm9sZS13ZWJhcHAtMSxJbnRlcm5hbC9zdWJzY3JpYmVyLEludGVybmFsL3N0b3JlLWFkbWluLEludGVybmFsL2V2ZXJ5b25lLEludGVybmFsL2Fub24xLXdlYmFwcC0xIn0=.D17S22rLu+jjqEXrcqK9CnZuUGrIOVT7zPoUIq+AsnQTSqyUsvsR7CSvLK23w5hNrRapTgRdoCem2OxMLd3eLXZQN1mnMI4rzh+yYst8WhssPYC+RgedXf/J79PWTitg1ZJf/dogwUTx81YB7/gXlh8Tp34qf0djxVcwbpL/THA=[\r][\n]”

4. Extract the encoded JWT, i.e. the value of the X-JWT-Assertion header, from the message above (everything after "X-JWT-Assertion: " up to the trailing [\r][\n]). The token has three dot-separated segments: header, payload and signature.

2. Decode the extracted token and verify its signature
Here we are not going to look at how to decode the token in detail. Instead we are going to use a JWT debugger tool to decode the token and verify the signature.

1. Copy the extracted token and paste it into the debugger tool.
It decodes the token and displays its header and payload, but the signature is reported as not verified because no key has been supplied yet.

2. Verify the signature.

By default App Manager (the gateway) signs the JWT with the RS256 algorithm. This is visible in the token header ("alg": "RS256"). You can find more on signature configuration here[2]. Treat the header's alg as a value to compare against what you expect rather than as an instruction to the verifier: configure RS256 and reject anything else. Note also that the exp claim in the captured token, 1456120914436, is a 13-digit millisecond value; a verifier that compares exp with Unix seconds will never regard this token as expired, so enforce expiry with the unit taken into account.

To verify an RS256 signature we need to provide the public key (certificate) of the gateway.

This is the default public key of the Carbon server:


Copy and paste the above key into the text box of the debugger that asks for the public key. The signature is now reported as verified.
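The extraction in section 1 and the decode-and-check step in section 2, as an added Python example that is not part of the original post and not WSO2 code. It embeds the X-JWT-Assertion wire-log line captured above (the request and Host lines around it are constructed), pulls the token out of the log, decodes header and payload while tolerating the standard base64 with "+", "/" and "=" padding that the gateway emits instead of base64url, decodes the x5t thumbprint, normalises the millisecond exp, and runs the checks a back end should make before trusting the claims. The function names are my own; verify_rs256 assumes you supply the gateway's public key as PEM bytes (the key is not reproduced in the post) and the third-party cryptography package.

```python
import base64
import json
import re
import time

# Wire-log excerpt. The X-JWT-Assertion line is the one captured in the post above
# (gateway -> back end); the request line and Host line around it are constructed.
SAMPLE_WIRE_LOG = r'''
[2016-02-22 11:19:50,709] DEBUG - wire << "GET /JWTDecode/ HTTP/1.1[\r][\n]"
[2016-02-22 11:19:50,709] DEBUG - wire << "X-JWT-Assertion: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5rSkdPRVV4TXpaRlFqTTJSRFJCTlRaRlFUQTFRemRCUlRSQ09VRTBOVUkyTTBKR09UYzFSQT09In0=.eyJpc3MiOiJ3c28yLm9yZy9wcm9kdWN0cy9hcHBtIiwiZXhwIjoxNDU2MTIwOTE0NDM2LCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL3JvbGUiOiJJbnRlcm5hbC9hcHAxLXNpdGUtMSxJbnRlcm5hbC9hcHAxLXdlYi0xLEludGVybmFsL3B1Ymxpc2hlcixJbnRlcm5hbC9qd3QtMSxJbnRlcm5hbC9QbGFuWW91clRyaXBfYWRtaW4tMS4wLjAsSW50ZXJuYWwvYW5vbjEtc2l0ZS0xLEludGVybmFsL2NyZWF0b3IsYWRtaW4sSW50ZXJuYWwvcm9sZS13ZWJhcHAtMSxJbnRlcm5hbC9zdWJzY3JpYmVyLEludGVybmFsL3N0b3JlLWFkbWluLEludGVybmFsL2V2ZXJ5b25lLEludGVybmFsL2Fub24xLXdlYmFwcC0xIn0=.D17S22rLu+jjqEXrcqK9CnZuUGrIOVT7zPoUIq+AsnQTSqyUsvsR7CSvLK23w5hNrRapTgRdoCem2OxMLd3eLXZQN1mnMI4rzh+yYst8WhssPYC+RgedXf/J79PWTitg1ZJf/dogwUTx81YB7/gXlh8Tp34qf0djxVcwbpL/THA=[\r][\n]"
[2016-02-22 11:19:50,709] DEBUG - wire << "Host: localhost[\r][\n]"
'''

def extract_jwt(log_lines, header_name="X-JWT-Assertion"):
    """Return the first JWT carried in `header_name` on an outgoing wire-log line."""
    pattern = re.compile(re.escape(header_name) + r":\s*([A-Za-z0-9+/=_.\-]+)")
    for line in log_lines:
        if "wire <<" not in line:      # "<<" marks traffic leaving the gateway
            continue
        m = pattern.search(line)
        if m:
            return m.group(1)
    raise LookupError(f"no {header_name} header found in wire log")

def decode_segment(segment):
    """Decode one JWT segment. The gateway emits standard base64 ('+', '/', '='
    padding) rather than base64url, so accept both alphabets and fix the padding."""
    s = segment.replace("-", "+").replace("_", "/").rstrip("=")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)

def decode_jwt(token):
    """Split and decode a JWT without verifying it: (header, payload, signature bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    header = json.loads(decode_segment(parts[0]))
    payload = json.loads(decode_segment(parts[1]))
    return header, payload, decode_segment(parts[2])

def x5t_thumbprint(header):
    """The captured x5t is base64 over the hex SHA-1 thumbprint of the signing
    certificate; decoding it gives the fingerprint to compare with keytool -list."""
    return base64.b64decode(header["x5t"]).decode("ascii")

def exp_to_seconds(exp):
    """Normalise exp to Unix seconds. The captured token carries a 13-digit exp
    (milliseconds); compared as seconds it would only 'expire' in ~46,000 years."""
    exp = float(exp)
    return exp / 1000.0 if exp > 1e11 else exp

def roles(payload):
    """The role claim is a single comma-separated string; split it into a list."""
    return [r for r in payload.get("http://wso2.org/claims/role", "").split(",") if r]

def audit(header, payload, now=None, expected_alg="RS256", expected_iss=None):
    """Sanity checks the back end should enforce itself, independent of the
    signature check. Returns a list of findings; empty means nothing objectionable."""
    now = time.time() if now is None else now
    findings = []
    if header.get("alg") != expected_alg:
        findings.append(f"alg={header.get('alg')!r}, expected {expected_alg!r}; "
                        "pin the algorithm, never let the token choose it")
    if expected_iss is not None and payload.get("iss") != expected_iss:
        findings.append(f"iss={payload.get('iss')!r}, expected {expected_iss!r}")
    if "exp" not in payload:
        findings.append("no exp claim")
    elif exp_to_seconds(payload["exp"]) < now:
        findings.append("token expired")
    return findings

def verify_rs256(token, public_key_pem):
    """Check the RS256 signature with the gateway's public key (PEM bytes). The post
    does not reproduce the key, so this is not exercised on the captured token here.
    Needs the third-party `cryptography` package (imported lazily)."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    signing_input, sig = token.rsplit(".", 1)   # signed bytes are "header.payload" as sent
    key = serialization.load_pem_public_key(public_key_pem)
    try:
        key.verify(decode_segment(sig), signing_input.encode("ascii"),
                   padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False

if __name__ == "__main__":
    tok = extract_jwt(SAMPLE_WIRE_LOG.splitlines())
    hdr, body, sig = decode_jwt(tok)
    print("header :", json.dumps(hdr))
    print("payload:", json.dumps(body, indent=2))
    print("x5t    :", x5t_thumbprint(hdr), "| signature bytes:", len(sig))
    print("roles  :", roles(body))
    print("audit  :", audit(hdr, body, expected_iss="wso2.org/products/appm") or "ok")
```

Run against the captured line this prints the RS256 header with its x5t thumbprint, the payload with iss wso2.org/products/appm and sub admin@carbon.super, the 13 roles from the comma-separated role claim, and a 128-byte signature (a 1024-bit RSA key). The audit reports "token expired" today, and would not have done so on the day the log was taken only because exp is converted from milliseconds first; feed a header with alg "none" or "HS256" and it is rejected before any key is consulted.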