January 14, 2026

Decode JSON Web Token in CF2025.


I'm working on building an interface with ID.me.  I am currently getting back a valid JWT from the ID.me API (it successfully decodes using JWT.IO) but I'm having trouble decoding it in ColdFusion.  The CF function VerifySignedJWT has three required parameters and, I believe, I am having trouble with the second parameter signOptions.  The CF documentation indicates this parameter should be a struct containing the key, KeyPair, JWK-JSON Web Keyset URL or file or string, Keystore file, keystore password, keystore alias.

I am retrieving the key array from the JWK-JSON Web Keyset URL (ID.me's well-known endpoint) but am stuck here.  When I attempt to decode using
        <cftry>
            <cfset payload = VerifySignedJWT(idToken, key, c)>
            <cfcatch type="any">
                <cfdump var = '#cfcatch#'>
                <cfabort>
            </cfcatch>
        </cftry>
where ‘key’ is the RS256 key struct from the key array returned from the well-known endpoint.

I am getting the exception


struct

Detail

Either the keystore path is invalid or corrupt or the keystore password is wrong.

Message

Error in loading keystore.

StackTrace

coldfusion.util.KeystoreUtils$InvalidKeystoreException: Error in loading keystore. at coldfusion.util.KeystoreUtils.getKeyPair(KeystoreUtils.java:93) at coldfusion.jwt.StandardJwtProvider.verifySignedJwt(StandardJwtProvider.java:148) at coldfusion.runtime.CFPage.VerifySignedJWT(CFPage.java:18615) at cfidme2ecfc1636214689$funcDECODEIDTOKEN.runFunction(……


I have tried using the well-known endpoint URL, the full struct of keys (httpResult) returned from the well-known endpoint, just the RS256 key struct contained within the httpResult array of keys.  I keep getting the same error.

I can decode the token returned from the API at JWT.IO and I can validate the token, using the key returned from the well-known endpoint, at JWT.IO.


What am I missing?
Thanks!




    BKBK
    Community Expert
    January 15, 2026

    I don't think you are missing anything. My guess is that VerifySignedJWT() in ColdFusion 2025 does not support remote JWKS URLs. So, when you retrieve the key from the JWK-JSON Web Keyset URL

    https://api.idmelabs.com/oidc/.well-known/jwks

    ColdFusion treats that as a keystore reference, not as a JWKS endpoint. As a result, ColdFusion tries to load it as a Java keystore file. That would explain why you get: "Either the keystore path is invalid or corrupt or the keystore password is wrong".


    BKBK
    Community Expert
    January 16, 2026

    Looking into the issue some more, my initial thoughts have been confirmed. You get "Error in loading keystore" because the way the keys are exposed in ID.me is different from the way ColdFusion handles them.


    ID.me uses OIDC / OAuth2, which means:

    • Tokens are signed with rotating public keys;
    • Public keys are exposed via JWKS (JSON Web Key Set) over HTTPS.

    Whereas, ColdFusion’s built-in JWT functions (VerifySignedJWT, SignJWT) were designed for:

    • Static keystores (JKS / PKCS12);
    • Local key material on the ColdFusion server;
    • Enterprise/internal JWT use.
    johnn80483458
    Author
    Correct answer
    January 26, 2026

    @BKBK thank you so much for your responses.  They helped me to rethink the approach I have been taking.  The built-in JWT functions are not the solution in this case.  As I mentioned in my original post, the JWT I am getting from ID.me can be decoded using an online tool such as JWT.IO, so everything needed is contained in the JWT.  The JWT consists of three Base64URL encoded strings delimited by periods (.).  The solution is to separate the JWT into its three component parts (listToArray) and then use CF's binaryDecode to get the component part back into binary data and then convert the binary data into a string.  Doing this on the second component element in the ID.me token gets the 'Payload' of the token.  Hope this helps someone else in the future.
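The accepted answer decodes the payload but never checks the signature, so on its own it proves nothing about who issued the token. The added example below (written for this thread in Go, using only the standard library, not ColdFusion code from the poster or from ID.me) does the whole job that VerifySignedJWT cannot do against a JWKS: split the compact JWT, pick the JWKS entry by kid, rebuild the RSA public key from the n and e fields, verify the RS256 signature, and only then check iss, aud and exp. MintToken stands in for the identity provider with a throwaway key; the issuer, audience and kid values are constructed for the example, and aud is assumed to be a single string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

type JWK struct{ Kty, Kid, N, E string } // the RS256 fields of one JWKS entry, as an OIDC provider publishes them
var b64 = base64.RawURLEncoding          // JWT segments are base64url without '=' padding
func sha256Of(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
func bigOf(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) } // JWK n/e are big-endian base64url integers
// VerifyRS256 splits the compact JWT, picks the JWKS key by kid, verifies the RS256 signature over
// "header.payload" and only then checks iss, aud and exp. Decoding the payload alone proves nothing.
func VerifyRS256(token string, keys []JWK, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWT") }
	seg := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts { var err error; if seg[i], err = b64.DecodeString(p); err != nil { return nil, err } }
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(seg[0], &hdr) != nil || hdr.Alg != "RS256" { return nil, errors.New("unexpected alg") } // pin the algorithm; never let the token choose it
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid { pub = &rsa.PublicKey{N: bigOf(k.N), E: int(bigOf(k.E).Int64())} }
	}
	if pub == nil { return nil, errors.New("no JWKS key with kid " + hdr.Kid) }
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sha256Of(parts[0]+"."+parts[1]), seg[2]) != nil { return nil, errors.New("bad signature") }
	var claims map[string]any
	if json.Unmarshal(seg[1], &claims) != nil { return nil, errors.New("payload is not JSON") }
	if exp, _ := claims["exp"].(float64); claims["iss"] != iss || claims["aud"] != aud || now.Unix() >= int64(exp) {
		return nil, errors.New("iss/aud/exp check failed")
	}
	return claims, nil
}
// MintToken plays the identity provider: it generates a throwaway RSA key, signs the claims with it and
// returns the token plus the JWK the provider would publish for that key (constructed; not ID.me's real key).
func MintToken(kid string, claims map[string]any) (string, JWK) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sha256Of(input))
	return input + "." + b64.EncodeToString(sig), JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}
```

Because encoding/json matches field names case-insensitively, a real JWKS document fetched over HTTPS unmarshals straight into `struct{ Keys []JWK }`; the same split, kid lookup, signature check and claim checks are what a ColdFusion implementation built on java.security would need to perform as well.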