I always get invalid signature when I input the generated token in jwt.io Here is my code for making the token
const secret = 'secret';
const token = jwt.sign({
username: user.username,
userID: user._id
},
secret, {
expiresIn: "1hr"
}
);
What did I do wrong?
I'm using the jsonwebtoken package. https://github.com/auth0/node-jsonwebtoken
TL_DR:
Extract the first key from the keys array in the JSON returned by the https://example.com/.well-known/jwks, and paste it in the first textbox of VERIFY SIGNATURE section of jwt.io page. Of course, example.com is the domain where you hosted your OpenIddict auth server. Could also be something like https://example.com/my/auth/server/.
The whole story:
When you paste the JWT in jwt.io, it does this:
If the step 1. fails to decode the payload, that's because the token is encoded. To solve this problem, modify the OpenIddict config by adding .DisableAccessTokenEncryption();
The step 2, signature validation, is done by getting the issuer iss field from the PAYLOAD section:
and uses it as the base URI to invoke the /.well-known/openid-configuration, which includes the JWKS uri, which looks like
"jwks_uri": "https://example.com/.well-known/jwks"
jwt.io can fail to get this data for example:
https://localhost, which isn't accessible from internet, just like the https://localhost:5001 of this exampleIf this is the case, there is an option to solve the problem: paste the appropriate string in the upper textbox of VERIFY SIGNATURE section, which has this placeholder:
Public key in SPKI, PKCS #1, X.509 certificate, or JWK string format.
What is the right string to paste there? It's easy if you take into account 2 details:
https://example.com/.well-known/jwks endpointSo, invoke the enpoint, get the JWKS which looks like this:
{
"keys": [
{
"kid": "2727AC6EB83977...",
"use": "sig",
"kty": "RSA",
"alg": "RS256",
"e": "AQAB",
"n": "6tSSW3rz53Xj3w...",
"x5t": "Jyesbrg5d_2M...",
"x5c": [
"MIIC9TCCAd2gAwIBAgIJAKL..."
]
}
]
}
and extract the JWK which is simply the first entry in the "keys" array, i.e
{
"kid": "2727AC6EB83977...",
"use": "sig",
"kty": "RSA",
"alg": "RS256",
"e": "AQAB",
"n": "6tSSW3rz53Xj3w...",
"x5t": "Jyesbrg5d_2M...",
"x5c": [
"MIIC9TCCAd2gAwIBAgIJAKL..."
]
}
Paste this value in the textbox, and you'll get the blue "Signature verified" message, as you can see at the bottom of the first snapshot.
NOTE: depending on the configuration (AddEphemeralSigningKey(), AddDevelopmentSigningCertificate(), etc.), the JWKS keys can have more or less properties, but it should work anyway.
If you are using jsonwebtoken lib, I tried and able to create the token and verify as well. Please have a look at the code and let me know in comments if you are still facing the issue.
var jwt = require('jsonwebtoken')
const secret = 'secret';
const token = jwt.sign({
username: "",
userID: 1
},
secret, {
expiresIn: "1hr"
},
function(err, token) {
if (err) {
console.log(err);
} else {
console.log(token);
}
});
Here is the link of jwt.io where I entered your secret used and it's saying verified.
In my case, I forgot to put my secret keys in "VERIFY SIGNATURE" (Right hand side, after "HEADER" and "PAYLOAD" boxes). Empty secret key in jwt.io doesn't show any error to user as of May 2023, while checking their token validation - most users get this error of Invalid Signature. Make sure to put the secret key string after:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), enter_here_your_secret_key)
i had a similar problem like that, i later found out that i was using the wrong secret
Make sure you are using the correct secret
In my case, jwt.io was failing to retrieve my public keys (as described above) because my server wasn't returning CORS headers to allow a frontend JavaScript app like jwt.io to access the proper endpoints.
I had the same problem. I fixed it or verified after clicking on the checkbox "secret base64 encoded" inside the "Verify Signature" panel.
