Unable to parse claims without key

[RagguRavi]

Before version 0.12.0 we are able to parse claim in JWT without using key like: Jwts.parser().parseClaimsJwt(jwtWithoutSignature). Is there any alternative if I am using version 0.12.0 or later, I just want to parse claims and I am using algorithm RS256 for.
As I documentation there is method parseUnsecuredClaims() but it is only valid if we have alg: none.

Please suggest me alternative of parseClaimsJwt

[bdemers]

This question comes up from time to time.
From a security perspective this is bad idea and violates the RFC, the first line of the JWS RFC:

JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures

The RFC also goes on to say this about the alg header param (section 4.1.1):

This Header Parameter MUST be present and MUST be understood and processed by implementations.

Ignoring the alg header or processing it differently would not aline with these statements.

---

That said I'd still like to understand your use case. Why do you want to parse the token if you cannot be assured the content is valid?

Have you validated the token some other way? Do you not have access to the public key?

I'd like to keep the discussion going, but if you want a quick and dirty answer....

A JWS (signed JWT) is formatted in 3 parts: <header>.<payload>.<signature>
If all you care about is the <payload> section, you could just strip the other parts off and use a JSON parser.
If you want to use a JWT library to parse the token (maybe you still want to validate other claims?).

You could remove the signature section, and replace the header.
Try this out on https://token.dev/

Start with the token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTcwODAxNzEwNCwiZXhwIjoxNzA4MDIwNzA0fQ.ixyrJBMS7txcLJJQ6hxVmarcE8IVD2jqbSvNJl5IWj4

Remove the signature:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTcwODAxNzEwNCwiZXhwIjoxNzA4MDIwNzA0fQ

Then replace the header with eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0 (the header for a non-signed JWT) and you could parse it with a JWT library

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTcwODAxNzEwNCwiZXhwIjoxNzA4MDIwNzA0fQ

Notice that the middle section of the original JWT did not change in the last block

You can base64 URL decode it and you would see:

{"sub":"1234567890","name":"John Doe","admin":true,"iat":1708017104,"exp":1708020704}

Important

The decoding of the payload is the easy part, the heavy lifting (and the important part) performed by JJWT is dealing with all of the security related concerns around tokens.