CODEWITHSUNDEEP
javajwt
Andayz
Andayz

Reputation: 155

JWT invalid signature

I am trying to develop my app using json web token. I decided to use jjwt but it doesn't work. I have a following snippet

Jwts.parser()
        .setSigningKey(secretKey)
        .parseClaimsJws(token)
        .getBody()

which always throws exception.

I tried to generate token with the following code

String compactJws = Jwts.builder()
            .setSubject("Joe")
            .signWith(SignatureAlgorithm.HS256, "secret")
            .compact();

and when I pasted this token here https://jwt.io/ I got the information that it is invalid. What is wrong ?

Upvotes: 4

Views: 8889

Answers (2)

Brajesh
Brajesh

Reputation: 1555

I think your are doing something wrong with * .setSigningKey(secretKey) *. Here is full code which illustrates that how you can validate tokens using JWT. 

package com.brajesh.test;
import java.security.Key;
import java.util.Date;
import java.util.UUID;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

public class JwtTokenDemo {

    private String secretKey;

    public static void main(String[] args) {
        JwtTokenDemo jwtTokenDemo = new JwtTokenDemo();
        String tokens = jwtTokenDemo.createJWT("123", "thriev.com", "[email protected]", 12999L);
        System.out.println("tokens : "+tokens);

        System.out.println("========AFTER============");
        jwtTokenDemo.parseJWT(tokens);
    }


    //Sample method to validate and read the JWT
    private void parseJWT(String jwt) {
    //This line will throw an exception if it is not a signed JWS (as expected)
    Claims claims = Jwts.parser()         
       .setSigningKey(DatatypeConverter.parseBase64Binary(secretKey))
       .parseClaimsJws(jwt).getBody();
        System.out.println("ID: " + claims.getId());
        System.out.println("Subject: " + claims.getSubject());
        System.out.println("Issuer: " + claims.getIssuer());
        System.out.println("Expiration: " + claims.getExpiration());
    }
/**
 * 
 * @param id
 * @param issuer
 * @param subject
 * @param ttlMillis
 * @return
 */
private String createJWT(String id, String issuer, String subject, long ttlMillis) {

  //The JWT signature algorithm we will be using to sign the token
  SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;

  long nowMillis = System.currentTimeMillis();
  Date now = new Date(nowMillis);
  String keys = UUID.randomUUID().toString();
  System.out.println(keys);
  this.secretKey = keys;

  byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(keys);
  Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());


  JwtBuilder builder = Jwts.builder().setId(id)
                              .setIssuedAt(now)
                              .setSubject(subject)
                              .setIssuer(issuer)
                              .signWith(signatureAlgorithm, signingKey);

  if (ttlMillis >= 0) {
  long expMillis = nowMillis + ttlMillis;
      Date exp = new Date(expMillis);
      builder.setExpiration(exp);
  }
  return builder.compact();
}
}

Upvotes: 1

Daniel Arechiga
Daniel Arechiga

Reputation: 967

You're passing a plain text key in signWith method, that's the problem;

As per JJWT source code: 

/** 
331      * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS. 
332      * 
333      * <p>This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting 
334      * byte array is used to invoke {@link #signWith(SignatureAlgorithm, byte[])}.</p> 
335      * 
336      * @param alg                    the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS. 
337      * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signing key to use to digitally sign the 
338      *                               JWT. 
339      * @return the builder for method chaining. 
340      */ 
341     JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey); 
342 

343     /** 
344      * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS. 
345      * 
346      * @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS. 
347      * @param key the algorithm-specific signing key to use to digitally sign the JWT. 
348      * @return the builder for method chaining. 
349      */ 
350     JwtBuilder signWith(SignatureAlgorithm alg, Key key);

pass a base-64 string containing the key, or declare a Key object and pass the relevant information to build it. such as in the example:

byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("c2VjcmV0");//this has to be base-64 encoded, it reads 'secret' if we de-encoded it
Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());

  //Let's set the JWT Claims
JwtBuilder builder = Jwts.builder().setId(id)
                                .setIssuedAt(now)
                                .setSubject(subject)
                                .setIssuer(issuer)
                                .signWith(signatureAlgorithm, signingKey);

Upvotes: 1

Related Questions