I always get invalid signature when I input the generated token in jwt.io. Here is my code for making the token:
    const secret = 'secret';
    const token = jwt.sign({
            username: user.username,
            userID: user._id
        },
        secret, {
            expiresIn: "1hr"
        }
    );
What did I do wrong?
I'm using the jsonwebtoken package. https://github.com/auth0/node-jsonwebtoken
For Invalid JWT Signature, check if your service account key has expired. Go to your APIs & Services to add a new key if it has.
Verify RS256-signed tokens: Go to Dashboard > Applications. Go to the Settings view, and open Advanced Settings. Go to the Certificates view, locate the Signed Certificate field, and copy the Public Key. Navigate to the JWT.io website, locate the Algorithm dropdown, and select RS256.
Reasons why a token might be invalid include: The token is missing required fields. The token has all the required fields, but some values are incorrect. Verify that the kid claim matches the key identifier used to sign the token, and that the iss claim matches the 10-character Team ID for your Apple Developer Account.
If you are using the jsonwebtoken lib, I tried it and was able to create the token and verify it as well. Please have a look at the code and let me know in the comments if you are still facing the issue.
    var jwt = require('jsonwebtoken');
    const secret = 'secret';
    // With a callback, jwt.sign() delivers the token to the callback
    // instead of returning it, so there is no return value to assign.
    jwt.sign({
            username: "",
            userID: 1
        },
        secret, {
            expiresIn: "1hr"
        },
        function(err, token) {
            if (err) {
                console.log(err);
            } else {
                console.log(token);
            }
        });
Here is the jwt.io link where I entered the secret you used, and it says verified.
https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IiIsInVzZXJJRCI6MSwiaWF0IjoxNTI4NTUyMDYyLCJleHAiOjE1Mjg1NTU2NjJ9.raL79zTGONyXgr9vuXzAyMflHJ0JqPYTXsy9KwmlXhA
TL;DR:
Extract the first key from the keys array in the JSON returned by https://example.com/.well-known/jwks, and paste it in the first textbox of the VERIFY SIGNATURE section of the jwt.io page. Of course, example.com is the domain where you hosted your OpenIddict auth server. It could also be something like https://example.com/my/auth/server/.
The whole story:
When you paste the JWT in jwt.io, it does this:
If step 1 fails to decode the payload, that's because the token is encoded. To solve this problem, modify the OpenIddict config by adding .DisableAccessTokenEncryption();
Step 2, signature validation, is done by getting the issuer iss field from the PAYLOAD section and using it as the base URI to invoke /.well-known/openid-configuration, which includes the JWKS URI, which looks like
"jwks_uri": "https://example.com/.well-known/jwks"
jwt.io can fail to get this data, for example:
https://localhost, which isn't accessible from the internet, just like the https://localhost:5001 of this example
If this is the case, there is an option to solve the problem: paste the appropriate string in the upper textbox of the VERIFY SIGNATURE section, which has this placeholder:
Public key in SPKI, PKCS #1, X.509 certificate, or JWK string format.
What is the right string to paste there? It's easy if you take into account 2 details:
https://example.com/.well-known/jwks endpoint
So, invoke the endpoint and get the JWKS, which looks like this:
    {
      "keys": [
        {
          "kid": "2727AC6EB83977...",
          "use": "sig",
          "kty": "RSA",
          "alg": "RS256",
          "e": "AQAB",
          "n": "6tSSW3rz53Xj3w...",
          "x5t": "Jyesbrg5d_2M...",
          "x5c": [
            "MIIC9TCCAd2gAwIBAgIJAKL..."
          ]
        }
      ]
    }
and extract the JWK, which is simply the first entry in the "keys" array, i.e.
    {
      "kid": "2727AC6EB83977...",
      "use": "sig",
      "kty": "RSA",
      "alg": "RS256",
      "e": "AQAB",
      "n": "6tSSW3rz53Xj3w...",
      "x5t": "Jyesbrg5d_2M...",
      "x5c": [
        "MIIC9TCCAd2gAwIBAgIJAKL..."
      ]
    }
Paste this value in the textbox, and you'll get the blue "Signature verified" message, as you can see at the bottom of the first snapshot.
NOTE: depending on the configuration (AddEphemeralSigningKey(), AddDevelopmentSigningCertificate(), etc.), the JWKS keys can have more or less properties, but it should work anyway.
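The JWKS signature check described in the answer above can also be run locally with Node's built-in crypto module. This is an added example, not code from the original answers, OpenIddict or jsonwebtoken. The key pairs, the kid values key-old and key-current, and the helper names are constructed for the example, and it goes beyond the single-key case above by selecting the JWKS entry that matches the token's kid instead of taking the first entry.

```javascript
// Added example: verify an RS256 JWT against a JWKS using only Node's crypto.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Returns the decoded payload if the signature is valid; throws otherwise.
function verifyWithJwks(token, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm; the token header must not get to choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg: ' + header.alg);
  // Select the key by kid, not by its position in the "keys" array.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('no JWKS key with kid ' + header.kid);
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<payload>".
  const ok = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p),
    publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('invalid signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Constructed sample: a two-key JWKS and a token signed by the second key.
function makeSample() {
  const make = (kid) => {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    const jwk = { ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS256' };
    return { privateKey, jwk };
  };
  const oldKey = make('key-old');
  const current = make('key-current');
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'key-current' }));
  const payload = b64url(JSON.stringify({ iss: 'https://example.com/', userID: 1 }));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(header + '.' + payload), current.privateKey);
  return {
    token: header + '.' + payload + '.' + sig.toString('base64url'),
    jwks: { keys: [oldKey.jwk, current.jwk] }, // the signing key is not first
  };
}

const { token, jwks } = makeSample();
console.log(verifyWithJwks(token, jwks));
```

Taking the first JWKS entry would fail on this sample, because the signing key is the second one; matching on kid works for one key or many.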