CODEWITHSUNDEEP
node.jsjwtjwt.io
thegreathypocrite
thegreathypocrite

Reputation: 2363

Always getting invalid signature in jwt.io

I always get invalid signature when I input the generated token in jwt.io Here is my code for making the token

const secret = 'secret';
const token = jwt.sign({
    username: user.username,
    userID: user._id
  },
  secret, {
    expiresIn: "1hr"
  }
);

What did I do wrong?

I'm using the jsonwebtoken package. https://github.com/auth0/node-jsonwebtoken

Upvotes: 40

Views: 125734

Answers (6)

Binyam
Binyam

Reputation: 61

In my case, I forgot to put my secret keys in "VERIFY SIGNATURE" (Right hand side, after "HEADER" and "PAYLOAD" boxes). Empty secret key in jwt.io doesn't show any error to user as of May 2023, while checking their token validation - most users get this error of Invalid Signature. Make sure to put the secret key string after:

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), enter_here_your_secret_key)

Add secret key

JWT.IO

Upvotes: 6

anderspitman
anderspitman

Reputation: 10540

In my case, jwt.io was failing to retrieve my public keys (as described above) because my server wasn't returning CORS headers to allow a frontend JavaScript app like jwt.io to access the proper endpoints.

Upvotes: 0

JotaBe
JotaBe

Reputation: 39055

TL_DR:

Extract the first key from the keys array in the JSON returned by the https://example.com/.well-known/jwks, and paste it in the first textbox of VERIFY SIGNATURE section of jwt.io page. Of course, example.com is the domain where you hosted your OpenIddict auth server. Could also be something like https://example.com/my/auth/server/. jwt.io interface

The whole story:

When you paste the JWT in jwt.io, it does this:

  1. decodes the token, and shows the header and the payload on the right
  2. tries to validate the signature

If the step 1. fails to decode the payload, that's because the token is encoded. To solve this problem, modify the OpenIddict config by adding .DisableAccessTokenEncryption();

The step 2, signature validation, is done by getting the issuer iss field from the PAYLOAD section: enter image description here

and uses it as the base URI to invoke the /.well-known/openid-configuration, which includes the JWKS uri, which looks like "jwks_uri": "https://example.com/.well-known/jwks"

jwt.io can fail to get this data for example:

  • if you're testing in https://localhost, which isn't accessible from internet, just like the https://localhost:5001 of this example
  • because the request is rejected by any other reason (unknown domain, firewall...)

If this is the case, there is an option to solve the problem: paste the appropriate string in the upper textbox of VERIFY SIGNATURE section, which has this placeholder:

Public key in SPKI, PKCS #1, X.509 certificate, or JWK string format.

What is the right string to paste there? It's easy if you take into account 2 details:

  1. you can get the JSON with this info from the aforementioned https://example.com/.well-known/jwks endpoint
  2. the info returned is a JWKS string, but a JWK is required.

So, invoke the enpoint, get the JWKS which looks like this:

{
  "keys": [
    {
      "kid": "2727AC6EB83977...",
      "use": "sig",
      "kty": "RSA",
      "alg": "RS256",
      "e": "AQAB",
      "n": "6tSSW3rz53Xj3w...",
      "x5t": "Jyesbrg5d_2M...",
      "x5c": [
        "MIIC9TCCAd2gAwIBAgIJAKL..."
      ]
    }
  ]
}

and extract the JWK which is simply the first entry in the "keys" array, i.e

{
  "kid": "2727AC6EB83977...",
  "use": "sig",
  "kty": "RSA",
  "alg": "RS256",
  "e": "AQAB",
  "n": "6tSSW3rz53Xj3w...",
  "x5t": "Jyesbrg5d_2M...",
  "x5c": [
        "MIIC9TCCAd2gAwIBAgIJAKL..."
   ]
}

Paste this value in the textbox, and you'll get the blue "Signature verified" message, as you can see at the bottom of the first snapshot.

NOTE: depending on the configuration (AddEphemeralSigningKey(), AddDevelopmentSigningCertificate(), etc.), the JWKS keys can have more or less properties, but it should work anyway.

Upvotes: 39

nyguerrillagirl
nyguerrillagirl

Reputation: 5

I had the same problem. I fixed it or verified after clicking on the checkbox "secret base64 encoded" inside the "Verify Signature" panel.

Upvotes: -2

Joel
Joel

Reputation: 1

i had a similar problem like that, i later found out that i was using the wrong secret

Make sure you are using the correct secret

Upvotes: 0

Suresh Prajapati
Suresh Prajapati

Reputation: 4477

If you are using jsonwebtoken lib, I tried and able to create the token and verify as well. Please have a look at the code and let me know in comments if you are still facing the issue.

var jwt = require('jsonwebtoken')

const secret = 'secret';
const token = jwt.sign({
        username: "",
        userID: 1
    },
    secret, {
        expiresIn: "1hr"
    },
    function(err, token) {
        if (err) {
            console.log(err);
        } else {
            console.log(token);
        }
    });

Here is the link of jwt.io where I entered your secret used and it's saying verified.

https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IiIsInVzZXJJRCI6MSwiaWF0IjoxNTI4NTUyMDYyLCJleHAiOjE1Mjg1NTU2NjJ9.raL79zTGONyXgr9vuXzAyMflHJ0JqPYTXsy9KwmlXhA

enter image description here

Upvotes: 20

Related Questions