I am trying to create a JWT in PHP which appears to be working but the token is not valid with the app I'm using it for (Metabase).

Here's my code:

require 'vendor/autoload.php';   // Composer autoloader for firebase/php-jwt

use \Firebase\JWT\JWT;

$key = "acb...123";
$token = array (
    'resource' => array (
        'dashboard' => 5333
    ),
    'params' => array (),   // note: json_encode() serialises an empty PHP array as [] (a JSON list), not {}
);

// alg given explicitly; it defaulted to HS256 in php-jwt 5.x and is a required argument from 6.x
$jwt = JWT::encode($token, $key, 'HS256');

This gives what looks like a valid result...

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNvdXJjZSI6eyJkYXNoYm9hcmQiOjUzMzN9LCJwYXJhbXMiOltdfQ.xt2AuqbRZeJOQZ17xphCwMsikSaZDvMpG5ecydN6X08

But this is not a valid token for Metabase.

If I use an online JWT generator (https://www.jsonwebtoken.io/) I get a token (quite a bit longer) which does work but I can't see what's different about it.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNvdXJjZSI6eyJkYXNoYm9hcmQiOjUzMzN9LCJwYXJhbXMiOnt9LCJqdGkiOiI2MzczMDg4YS1iZmIwLTRmMDQtYWRhNi00ZmY2MzI4ZjJkNDAiLCJpYXQiOjE1NjAzMzQ2NDQsImV4cCI6MTU2MDMzODI0NH0.iMIvyAmemFyMq8QF00xYLdVoSpSnb_PjcrIsRVIE74c

EDIT:

OK, so having decoded the output from the online generator I get this...

stdClass Object
(
    [resource] => stdClass Object
        (
            [dashboard] => 5
        )

    [params] => stdClass Object
        (
        )

    [jti] => c1531882-1ca1-4d7f-a1a2-fc12862d40bc
    [iat] => 1560334984
    [exp] => 1560338584
)

What are the additional bits?

ANOTHER EDIT!

OK, so it seems it was nothing to do with the additional bits

This worked...

// json_decode() with the default assoc = false returns stdClass objects,
// so the empty {} stays an object and re-encodes as {} rather than []
$token = json_decode('{
 "resource": {
  "dashboard": 5
 },
 "params": {}
}');

Is it still advisable to include the exp and iat, etc?

Tom
  • when I decode your tokens (both examples) on https://jwt.io, I get a header with a non-printable character `{ "typ": "JWT", "a�g": "HS256" }` I wouldn't be surprised if this is rejected, but then I would expect both tokens to be rejected. Quite strange... – jps Jun 12 '19 at 10:13
  • I changed the output a little as it contained secret keys... I'll edit so this doesn't break the output. – Tom Jun 12 '19 at 10:15
  • Possible duplicate of [What format is the exp (Expiration Time) claim in a JWT](https://stackoverflow.com/questions/39926104/what-format-is-the-exp-expiration-time-claim-in-a-jwt) – Mike Doe Jun 12 '19 at 10:28
  • the additional bits are the token Id, and the timestamps issued at and expires at – jps Jun 12 '19 at 10:28
  • @emix: that dup doesn't make much sense to me, Tom didn't ask about the format of exp. – jps Jun 12 '19 at 10:30
  • There's an answer to what those "additional bits" are, and it links to an RFC document. – Mike Doe Jun 12 '19 at 10:34
  • in https://tools.ietf.org/html/rfc7519#section-4 you can find the standard claims and their meaning in a JWT – jps Jun 12 '19 at 10:48
  • Indeed this is an annoying side effect from the library. It adds unwanted claims by default which does seem to be needed in that case... – Spomky-Labs Jun 13 '19 at 04:54
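Added example, not code from the question or from firebase/php-jwt: a minimal HS256 JWT encoder and verifier in plain PHP (7.3+ assumed), used to make the one difference between the two tokens in the question visible. `'params' => array()` serialises as the JSON list `[]`, while the working token carries the JSON object `{}`; php-jwt serialises the payload with `json_encode()`, so the same fix applies there (`'params' => new stdClass()` or `(object) []`). The `$secret` value, the 3600-second lifetime and the `jti` construction are assumptions for illustration; the dashboard id 5 and the claim names come from the question.

```php
<?php
// Added example: hand-rolled HS256 JWT to show array() vs object serialisation.
// $secret is a placeholder; the 1-hour lifetime is an assumption.

function base64url_encode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64url_decode(string $text): string
{
    $padded  = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($decoded === false) {
        throw new UnexpectedValueException('invalid base64url segment');
    }
    return $decoded;
}

// Compact JWS with the same header firebase/php-jwt emits: {"typ":"JWT","alg":"HS256"}
function jwt_hs256_encode($claims, string $secret): string
{
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode($claims, JSON_THROW_ON_ERROR));
    $sig     = hash_hmac('sha256', "$header.$payload", $secret, true);
    return "$header.$payload." . base64url_encode($sig);
}

// Pin the algorithm, verify the signature in constant time, then check
// the time-based claims if the token carries them.
function jwt_hs256_decode(string $jwt, string $secret, ?int $now = null): stdClass
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), false, 512, JSON_THROW_ON_ERROR);
    if (($header->alg ?? null) !== 'HS256') {
        throw new UnexpectedValueException('unexpected alg');   // never let the token pick the algorithm
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64url_decode($s))) {
        throw new UnexpectedValueException('bad signature');
    }
    $claims = json_decode(base64url_decode($p), false, 512, JSON_THROW_ON_ERROR);
    $now = $now ?? time();
    if (isset($claims->nbf) && $now < $claims->nbf) {
        throw new UnexpectedValueException('token not yet valid');
    }
    if (isset($claims->exp) && $now >= $claims->exp) {
        throw new UnexpectedValueException('token expired');
    }
    return $claims;
}

$secret = 'replace-with-your-embedding-secret';   // placeholder, not a real key

// What the question's first snippet serialises to: params becomes a JSON list.
$asArray  = ['resource' => ['dashboard' => 5], 'params' => []];
// What the working token carries: params is a JSON object.
$asObject = ['resource' => ['dashboard' => 5], 'params' => new stdClass()];

echo json_encode($asArray), "\n";
echo json_encode($asObject), "\n";

// Optional registered claims (RFC 7519 section 4.1), as the online generator added them.
// exp bounds how long a leaked token can be replayed, iat records the issue time,
// jti gives each token a unique id; none of them change the resource/params content.
$now = time();
$claims = $asObject + [
    'jti' => bin2hex(random_bytes(16)),   // assumption: any unique string will do
    'iat' => $now,
    'exp' => $now + 3600,                 // 1 hour, the same gap as in the generator's token
];

$jwt = jwt_hs256_encode($claims, $secret);
echo $jwt, "\n";

$decoded = jwt_hs256_decode($jwt, $secret);
var_dump($decoded->params instanceof stdClass);
var_dump(json_encode($decoded->params));
```

The first `echo` prints `{"resource":{"dashboard":5},"params":[]}` and the second `{"resource":{"dashboard":5},"params":{}}`; the header segment of the emitted token is `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9`, identical to the one in the question, so the only payload-level difference between the two tokens in the question is `[]` versus `{}`. On the follow-up question, `exp` is worth keeping even when the consumer does not require it: a token without it remains valid for as long as the secret does, while a short `exp` limits the replay window if the token leaks from a page or a log. `iat` and `jti` cost nothing and help when auditing or revoking individual tokens.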
