I have this error thrown:

```
com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256
```

```java
private static String SECRET = "some secret...";

public static DecodedJWT verify(String token) throws JWTVerificationException, UnsupportedEncodingException {
    JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET))
            .withIssuer("auth0")
            .acceptLeeway(1)
            .acceptExpiresAt(5 * 60)
            .build();
    return verifier.verify(token);
}
```

Is there some problem with the secret? On the website jwt.io, when I click on "secret base64 encoded" it turns blue.
I tried encoding my secret in base64 using https://www.base64encode.net but got the same problem. Please advise.
The javadoc says you need to provide the raw secret value.
That means you need to base64-decode the value you currently have:

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.io.UnsupportedEncodingException;
import java.util.Base64;

public class JwtVerification {

    // The secret as it is stored: a base64 encoding of the 32 raw key bytes.
    private static final String SECRET = "zZrq0sZK1yt9RJk51RTJ/jeU6WERbvr8nqKMWQJRX1E=";

    public static DecodedJWT verify(String token) throws JWTVerificationException, UnsupportedEncodingException {
        // HMAC256(byte[]) takes the raw key bytes, so decode the base64 string first.
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(Base64.getDecoder().decode(SECRET)))
                .withIssuer("auth0")
                .acceptLeeway(1)
                .acceptExpiresAt(5 * 60)
                .build();
        return verifier.verify(token);
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        final String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0aWQiOiJiZWJlMjM4Zi1iMGM4LTQwYzMtOTYyMC1jZDRlOGUyMzIwZGMiLCJvaWQiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJzdWIiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJpYXQiOjE1MTg0NDk5NzYsImV4cCI6MTUxODQ1MzU3NiwibmJmIjoxNTE4NDQ5OTc2fQ.6InknrU67g_HEkaLxD9Ul5vOzbYGf54mJNcSyPr-xek";
        System.out.println(verify(token));
    }
}
```
I currently get this exception, but it looks like a problem with the token itself:

```
Exception in thread "main" com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'iss' value doesn't match the required one.
	at com.auth0.jwt.JWTVerifier.assertValidStringClaim(JWTVerifier.java:424)
	at com.auth0.jwt.JWTVerifier.verifyClaims(JWTVerifier.java:382)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:355)
	at com.swiftkey.parametron.data.JWT2.verify(JWT2.java:23)
	at com.swiftkey.parametron.data.JWT2.main(JWT2.java:28)
```

Indeed, the token does not specify an `iss` field, but the verifier expects it to be "auth0" because of `.withIssuer("auth0")`.
If you look inside the token:
```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

public class JwtInspection {
    public static void main(String[] args) {
        final String token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0aWQiOiJiZWJlMjM4Zi1iMGM4LTQwYzMtOTYyMC1jZDRlOGUyMzIwZGMiLCJvaWQiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJzdWIiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJpYXQiOjE1MTg0NDk5NzYsImV4cCI6MTUxODQ1MzU3NiwibmJmIjoxNTE4NDQ5OTc2fQ.6InknrU67g_HEkaLxD9Ul5vOzbYGf54mJNcSyPr-xek";
        // decode() only parses the token; it does not check the signature.
        final DecodedJWT decodedJwt = JWT.decode(token);
        System.out.println("Header = " + decodedJwt.getHeader());
        System.out.println("Algorithm = " + decodedJwt.getAlgorithm());
        System.out.println("Audience = " + decodedJwt.getAudience());
        decodedJwt.getClaims().forEach((k, v) -> {
            // asString() returns null for numeric claims such as iat, exp and nbf.
            System.out.println("Claim " + k + " = " + v.asString());
        });
        System.out.println("ContentType = " + decodedJwt.getContentType());
        System.out.println("ExpiresAt = " + decodedJwt.getExpiresAt());
        System.out.println("Id = " + decodedJwt.getId());
        System.out.println("Issuer = " + decodedJwt.getIssuer());
        System.out.println("Subject = " + decodedJwt.getSubject());
    }
}
```

You will see that the Issuer field is null:
```
Header = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
Algorithm = HS256
Audience = null
Claim sub = 922c2fb4-35b5-11d7-9a64-00b0d0fcb9e3
Claim nbf = null
Claim oid = 922c2fb4-35b5-11d7-9a64-00b0d0fcb9e3
Claim exp = null
Claim iat = null
Claim tid = bebe238f-b0c8-40c3-9620-cd4e8e2320dc
Claim email = test@test.com
ContentType = null
ExpiresAt = Mon Feb 12 16:39:36 GMT 2018
Id = null
Issuer = null
Subject = 922c2fb4-35b5-11d7-9a64-00b0d0fcb9e3
```
Whoever generated that token did not specify the Issuer (`iss`) field.
Thus the verification fails, because we set up the verifier to expect `iss` equal to `auth0`.
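The two failures in this thread come down to what bytes the verifier uses as the HMAC key and whether the claims the verifier was configured to demand are actually present. The following is an added example, not code from the question, the answer or the java-jwt project: it redoes HS256 verification by hand with the Python standard library on the token and base64 secret quoted above, computing the signature once with the secret string's own UTF-8 bytes (what `Algorithm.HMAC256(String)` uses) and once with the base64-decoded bytes (what jwt.io's "secret base64 encoded" checkbox and the answer's `Base64.getDecoder().decode()` use), and then applies the same issuer check as `.withIssuer("auth0")`. The function names (`verify_hs256`, `diagnose`, and so on) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Token and base64-encoded secret copied from the answer above.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ0aWQiOiJiZWJlMjM4Zi1iMGM4LTQwYzMtOTYyMC1jZDRlOGUyMzIwZGMiLCJvaWQiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJzdWIiOiI5MjJjMmZiNC0zNWI1LTExZDctOWE2NC0wMGIwZDBmY2I5ZTMiLCJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJpYXQiOjE1MTg0NDk5NzYsImV4cCI6MTUxODQ1MzU3NiwibmJmIjoxNTE4NDQ5OTc2fQ."
    "6InknrU67g_HEkaLxD9Ul5vOzbYGf54mJNcSyPr-xek"
)
SECRET_B64 = "zZrq0sZK1yt9RJk51RTJ/jeU6WERbvr8nqKMWQJRX1E="


def b64url_decode(part: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT convention."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_token(token: str):
    """Return the three dot-separated segments: header, payload, signature."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return header_b64, payload_b64, signature_b64


def decode_header(token: str) -> dict:
    return json.loads(b64url_decode(split_token(token)[0]))


def decode_claims(token: str) -> dict:
    return json.loads(b64url_decode(split_token(token)[1]))


def key_interpretations(secret: str) -> dict:
    """The two ways a verifier can turn the configured secret into HMAC key bytes.

    'raw_text' is what Algorithm.HMAC256(String) uses: the UTF-8 bytes of the
    string itself.  'base64_decoded' is what jwt.io's "secret base64 encoded"
    checkbox and the answer's Base64.getDecoder().decode() produce.
    """
    return {
        "raw_text": secret.encode("utf-8"),
        "base64_decoded": base64.b64decode(secret),
    }


def hs256_signature(header_b64: str, payload_b64: str, key: bytes) -> str:
    """HS256 = base64url(HMAC-SHA256(key, header_b64 + '.' + payload_b64))."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def verify_hs256(token: str, key: bytes) -> bool:
    """Check an HS256 token's signature with the given key bytes.

    The algorithm is pinned: a token whose header names anything other than
    HS256 is rejected before any HMAC is computed, which is also what a
    java-jwt verifier built with Algorithm.HMAC256 does.
    """
    header_b64, payload_b64, signature_b64 = split_token(token)
    if decode_header(token).get("alg") != "HS256":
        return False
    expected = hs256_signature(header_b64, payload_b64, key)
    return hmac.compare_digest(expected, signature_b64)


def issuer_matches(claims: dict, expected_issuer: str) -> bool:
    """Mirror of .withIssuer(): a missing 'iss' fails exactly like a wrong one."""
    return claims.get("iss") == expected_issuer


def diagnose(token: str, secret: str, expected_issuer: str) -> dict:
    """Run the checks the verifier in the answer performs and report each result."""
    keys = key_interpretations(secret)
    claims = decode_claims(token)
    return {
        "signature_with_raw_text_key": verify_hs256(token, keys["raw_text"]),
        "signature_with_base64_decoded_key": verify_hs256(token, keys["base64_decoded"]),
        "issuer_claim": claims.get("iss"),
        "issuer_matches": issuer_matches(claims, expected_issuer),
    }


if __name__ == "__main__":
    for name, value in diagnose(TOKEN, SECRET_B64, "auth0").items():
        print(f"{name}: {value}")
```

Running it shows the signature verifying only with the base64-decoded key, which is why the question's `HMAC256(SECRET)` produced a `SignatureVerificationException`, and an absent `iss` claim, which is why the answer's version then failed on `InvalidClaimException`. Note that `decode_claims` is the equivalent of `JWT.decode()`: it reads the payload without checking anything, so claim values taken from it mean nothing until `verify_hs256` has passed.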