Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Always getting invalid signature in jwt.io

I always get invalid signature when I input the generated token in jwt.io Here is my code for making the token

const secret = 'secret';
const token = jwt.sign({
    username: user.username,
    userID: user._id
  },
  secret, {
    expiresIn: "1hr"
  }
);

What did I do wrong?

I'm using the jsonwebtoken package. https://github.com/auth0/node-jsonwebtoken

like image 265
thegreathypocrite Avatar asked Jun 09 '18 13:06

thegreathypocrite


People also ask

How do I fix invalid signature in JWT?

For Invalid JWT Signature, check if your service account key has expired. Go to your APIs & Services to add a new key if it has.

How do I verify my signature on JWT io?

Verify RS256-signed tokensGo to Dashboard > Applications. Go to the Settings view, and open Advanced Settings. Go to the Certificates view, locate the Signed Certificate field, and copy the Public Key. Navigate to the JWT.io website, locate the Algorithm dropdown, and select RS256.

What is invalid JWT token?

Reasons why a token might be invalid include: The token is missing required fields. The token has all the required fields, but some values are incorrect. Verify that the kid claim matches the key identifier used to sign the token, and that the iss claim matches the 10-character Team ID for your Apple Developer Account.


2 Answers

If you are using jsonwebtoken lib, I tried and able to create the token and verify as well. Please have a look at the code and let me know in comments if you are still facing the issue.

var jwt = require('jsonwebtoken')

const secret = 'secret';
const token = jwt.sign({
        username: "",
        userID: 1
    },
    secret, {
        expiresIn: "1hr"
    },
    function(err, token) {
        if (err) {
            console.log(err);
        } else {
            console.log(token);
        }
    });

Here is the link of jwt.io where I entered your secret used and it's saying verified.

https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IiIsInVzZXJJRCI6MSwiaWF0IjoxNTI4NTUyMDYyLCJleHAiOjE1Mjg1NTU2NjJ9.raL79zTGONyXgr9vuXzAyMflHJ0JqPYTXsy9KwmlXhA

enter image description here

like image 79
Suresh Prajapati Avatar answered Sep 28 '22 02:09

Suresh Prajapati


TL_DR:

Extract the first key from the keys array in the JSON returned by the https://example.com/.well-known/jwks, and paste it in the first textbox of VERIFY SIGNATURE section of jwt.io page. of course, example.com is the domain where you hosted your OpenIddict auth server. Could also be something like https://example.com/my/auth/server/. jwt.io interface

The whole story:

When you paste the JWT in jwt.io, it does this:

  1. decodes the token, and show the header and the payload on the right
  2. tries to validate the signature

If the step 1. fails to decode the payload, that's because the token is encoded. To solve this problem, modify the OpeIddict config by adding .DisableAccessTokenEncryption();

The step 2, signature validation, is done by getting the issuer iss field form the PAYLOAD section: enter image description here

and use it as the base URI to invoke the /.well-known/openid-configuration, which includes the JWKS uri, which looks like "jwks_uri": "https://example.com/.well-known/jwks"

jwt.io can fail to get this data for example:

  • if you're testing in https://localhost, which isn't accesible from internet, just like the https://localhost:5001 of this example
  • because the request is rejected by any other reason (unkown domain, firewall...)

If this is the case, there is an option to solve the problem: paste the appropriate string in the upper textbox of VERIFY SIGNATURE section, which has this placeholder:

Public key in SPKI, PKCS #1, X.509 certificate, or JWK string format.

What is the right string to apste there? It's easy if you take into account 2 details:

  1. you can get the JSON with this info from the aforementioned https://example.com/.well-known/jwks endpoint
  2. the info returned is a JWKS string, but a JWK is required.

So, invoke the enpoint, get the JWKS which looks like this:

{
  "keys": [
    {
      "kid": "2727AC6EB83977...",
      "use": "sig",
      "kty": "RSA",
      "alg": "RS256",
      "e": "AQAB",
      "n": "6tSSW3rz53Xj3w...",
      "x5t": "Jyesbrg5d_2M...",
      "x5c": [
        "MIIC9TCCAd2gAwIBAgIJAKL..."
      ]
    }
  ]
}

and extract the JWK which is simply the first entry in the "keys" array, i.e

{
  "kid": "2727AC6EB83977...",
  "use": "sig",
  "kty": "RSA",
  "alg": "RS256",
  "e": "AQAB",
  "n": "6tSSW3rz53Xj3w...",
  "x5t": "Jyesbrg5d_2M...",
  "x5c": [
        "MIIC9TCCAd2gAwIBAgIJAKL..."
   ]
}

Paste this value in the textbox, and you'll get the blue "Signature verified" message, as you can see at the bottom of the first snapshot.

NOTE: depending on the configuration (AddEphemeralSigningKey(), AddDevelopmentSigningCertificate(), etc.), the JWKS keys can have more or less properties, but it should work anyway.

like image 26
JotaBe Avatar answered Sep 28 '22 00:09

JotaBe