-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"JsonWebTokenError: invalid signature" when verifying JWT signed with Java JWT #208
Comments
I'd love to give you a hand with this. Would you be able to provide an example token and the secret you used to sign it so I can take a look. With what you've provided, hard to say - from looking at jjwt your example should be throwing since |
hum, the base64 issue sounds like a good lead, but I couldn't verify the signature with the secret encoded in base64 like this: |
I'm having the same problem with these libraries. I used the debugger at jwt.io to decode it, which gave the option to provide the secret as base64 - which worked on the debugger, but not in my program. However, I couldn't get the debugger to work with your values, @nodje |
Did anyone get a solution to this yet? I am signing the JWT in Java (io.jsonwebtoken) and trying to "unsign" using this npm library in a separate node.js app. As already mentioned by others, the token decodes fine, so obviously the data has not been corrupted - it just seems that the sign/unsign procedures do not match up. |
@DaleWebb @michaelcbarr would either of you be able to provide some actual code you're trying to do this with? |
no problem - this was borrowed form a tutorial - can't find the link but will credit if I find it :D
The token is created in Java with code similar to this:
|
@michaelcbarr Might you be able to provide the java code where you're signing? |
added above! |
NB: I have tried SignatureAlgorithm.HS256 but makes no difference |
@michaelcbarr No, I haven't found a solution to this |
private static String generateToken(Account account, App app) {
return Jwts.builder()
.setSubject(account.getId())
.claim("app_id", app.getSlug())
.setExpiration(new Date(new Date().getTime() + TOKEN_LIFETIME))
.signWith(SignatureAlgorithm.HS512, PersonaApplication.getSecret())//the secret is a String, not base64 encoded.
.compact();
} |
@michaelcbarr If I cannot get a solution before we have to ship the feature, I'm going to create a route on the gateway that creates the token to give the information back. |
@nodje @DaleWebb @michaelcbarr I'm not going to take the time to dig into exactly what the java library is doing by default (I don't work with Java usually, needed to install Eclipse and figure and Maven and things :)). However, the issue is the string secret. By calling package jwt_test.foo;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.UnsupportedEncodingException;
import java.util.Date;
/**
* Hello world!
*
*/
public class App
{
private static String SECRET = "HelloWorld!";
public static void main( String[] args ) throws UnsupportedEncodingException
{
System.out.println( makeToken() );
}
private static String makeToken() throws UnsupportedEncodingException {
return Jwts.builder()
.setSubject("foo")
.claim("bar", "baz")
.signWith(SignatureAlgorithm.HS512, SECRET.getBytes("UTF-8"))
.compact();
}
} 'use strict';
const JWT = require('jsonwebtoken');
const SECRET = 'HelloWorld!';
const JAVA_JWT = 'eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJmb28iLCJiYXIiOiJiYXoifQ.1MOXGiwGTFLU7-YMvOe2_q2ZRUHAMCVS7pbnOkRKCFV1HIvY8odBaqWVCQRuT2RUbKtGgA2elFRsuka4K1KP7A';
JWT.verify(JAVA_JWT, SECRET, { algorithms: ['HS512'] }) |
AWESOME WORK! I can confirm that this works perfectly for me - just need to remember to convert the SECRET string to bytes on Java verify method.
(Also need to catch the UnsupportedEncodingException!) Think I would still be scratching my head next month without your help - thanks again @omsmith ! Mb |
Great! I can confirm that this solution works too. |
An author of JJWT here... FWIW, cryptographic signatures are always computed with byte array keys - never strings. You can get the UTF-8 bytes of a String as demonstrated above, but that only masks what could be a very problematic cryptographic weakness (I'm not saying those in this thread are experiencing that weakness - I'm just raising that this could happen to anyone that might not understand what is going on). Digital signature keys (again, byte arrays), should ideally never be based on simple strings like 'my secret' or 'my password'. Or, at the very least, if a simple password should be used as a signing key, it is almost always better to send it through a key-derivation algorithm (like PBKDF2) and then use that resulting output as the signature key. This ensures sufficient cryptographic entropy (randomness) that short, human-readable strings don't (and which are therefore risky). Signing keys should ideally always be:
Number 2 is why JJWT provides the SecretKey key = MacProvider.generateKey(SignatureAlgorithm.HS256);
String base64Encoded = TextCodec.BASE64.encode(key.getEncoded()); This is why JJWT expects Base64 by default - because if you do these best practices, you'll always end up with a byte array key (e.g. Finally, note that That means that HTH! |
I'm having a similar issue. I'm generating a key elswhere, and trying to validate it using this library. It validates fine in other services using libraries from different languages. EDIT: Just figured it out. Passing |
The solution @mgkeen provided in his edit worked for me. If this is the appropriate thing to do can someone update the documentation? i.e. var tokenDecoded = jwt.verify(token, new Buffer(MYSECRET, 'base64'), function(err, decoded) { |
Still getting this error when trying the following: var user = { username: 'batman' };
// Signing the token
var token = jwt.sign( user, 'ThisStringIsASecret' );
// Generated token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImJhdG1hbiIsImlhdCI6MTQ4NTM3MTc0MywiZXhwIjoxNDg1Mzc1NzQzfQ.nxFDJGNnEvx4wDwcPk0puvcvtJArm2MxpZc4bn0XrSs
// Verifying the token
jwt.verify( token, new Buffer( 'ThisStringIsASecret', 'base64' ), function ( err, decoded ) { /**/ }); |
@DmanDman are you signing your token just like that? You should use |
This is deprecated, is there's an update here? Thanks |
@ralphgabrielle assuming the latest stable JJWT version, which is 0.10.7 at the time of writing, you can do: public class App {
// Note that 'HelloWorld' is not a valid JWT signing key per the JWA RFC's
// key strength requirements. For why, read this for more information:
// https://stackoverflow.com/a/40274325/407170
// Change this to something else or derive a key using PBKDF2
private static String SECRET = "HelloWorld!";
public static void main( String[] args ) throws UnsupportedEncodingException {
System.out.println( makeToken() );
}
private static String makeToken() throws UnsupportedEncodingException {
Key key = Keys.secretKeyFor(SECRET.getBytes(StandardCharsets.UTF_8));
return Jwts.builder()
.setSubject("foo")
.claim("bar", "baz")
.signWith(key)
.compact();
}
} |
Thanks, big help. That worked. |
auth0/node-jsonwebtoken#208 (comment) 자바와 nodejs의 jwt토큰 호환성 에러해결
* . * update aws context * update .env * encrypt .env && google_key * add enviroment tar file * update apollo server context base64 encoding update * . * . * . * jwt verify update auth0/node-jsonwebtoken#208 (comment) 자바와 nodejs의 jwt토큰 호환성 에러해결 * . * . * . * update traivs * update travis.yml * update aws credencial * remove directives * update .env in private.tar.enc * terraform add i_am_role cloudwatch for lamdbda * update terraform.tf * . * . * . * update mutation * update mutation * update lambda loadbalancer * update terrform * . * . * . * . * before merge
Hi, I have 2 rest API in springboot project
I am able to generate token using /authenticate POST API but when I validate the token on https://jwt.io/ it says Invalid Signature Generated Token: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJmb28iLCJpYXQiOjE2MTY1MDk3NzIsImV4cCI6MTYxNjU0NTc3Mn0.DFSrZv9mDVnxWGBLP8KOQa0i8lBDJN2SHNZpGmYSsNL1-EhUXj3X1Jx0YrPuxGxwEfpBvNzs01AYKQ_DZUGkiQ Also when I try to use this token as bearer and call /test GET API, it says status: 403, Forbidden Here is the code snippet // Here I am trying to remove spring security from /authenticate API but should apply on /test private String createToken(Map<String,Object> claims, String subject)
} Can anyone suggest what could be wrong here. |
@send2harishsharma , |
any one work in RFC7797 using node js please guide me |
Doesn't work with RS256 :-( (PS: I am using Scala 2.13) Tried all that's mentioned above:
But this fails with: Can someone please help? |
I use https://github.com/jwtk/jjwt to encode and sign a token as follow:
then decode in node.js as follow:
and get the error:
Using
jwt.decode
I get the token content without problem.Am I doing something wrong?
The text was updated successfully, but these errors were encountered: