
I have to create a JWS signature and the JOSE header has to look like this:

{
  "alg": "HS256",
  "kid": "V3vEe66RJm85eD72",
  "b64": false,
  "http://openbanking.org.uk/iat": 1501497671,
  "http://openbanking.org.uk/iss": "C=UK, ST=England, L=London, O=Acme Ltd.",
  "crit": ["b64","http://openbanking.org.uk/iat","http://openbanking.org.uk/iss"]
}

Where do I have to put this header on the jwt.io website, or does someone know other good sites for creating a JWS signature? The problem is that when I replace the default header in jwt.io with the header type provided by the documentation, jwt.io says "Invalid Signature" at the bottom. Why?

jps
  • Did you get the x-jws-signature header to work? I'm using Java and am successfully signing and verifying the signature in my program but the OB server returns that it can't verify the signature. – DjangoDev1 Jan 07 '21 at 22:24

1 Answer


You can add the header into the "HEADER" section in the right column of the jwt.io debugger.

Then you add a secret in the field under "VERIFY SIGNATURE" and get a token. Your JOSE Header contains a crit claim, which leads to an "Invalid Signature":

The "crit" (critical) Header Parameter indicates that extensions to this specification and/or [JWA] are being used that MUST be understood and processed. Its value is an array listing the Header Parameter names present in the JOSE Header that use those extensions. If any of the listed extension Header Parameters are not understood and supported by the recipient, then the JWS is invalid.

The signature itself is fine; it's just the crit claim that causes an invalid signature error. As soon as you have a crit claim with a non-empty list, the verification fails on jwt.io.

You can verify the resulting token

eyJhbGciOiJIUzI1NiIsImtpZCI6IlYzdkVlNjZSSm04NWVENzIiLCJiNjQiOmZhbHNlLCJodHRwOi8vb3BlbmJhbmtpbmcub3JnLnVrL2lhdCI6MTUwMTQ5NzY3MSwiaHR0cDovL29wZW5iYW5raW5nLm9yZy51ay9pc3MiOiJDPVVLLCBTVD1FbmdsYW5kLCBMPUxvbmRvbiwgTz1BY21lIEx0ZC4iLCJjcml0IjpbImI2NCIsImh0dHA6Ly9vcGVuYmFua2luZy5vcmcudWsvaWF0IiwiaHR0cDovL29wZW5iYW5raW5nLm9yZy51ay9pc3MiXX0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.QrI016I1j2kKE-cth3xr8O5DUOLOrL-biUfkuVZb_Xo

(created with the secret "secret") on https://www.jsonwebtoken.io/ and see that it can be verified. This website seems not to care about the crit header and checks only based on the hashing. (note: this website doesn't show the correct header and payload of your token after decoding)

Generally you should not take these online tools too seriously. They're meant for testing and educational purposes, but not as a production tool.

jps
  • How can I put the header on the site https://www.jsonwebtoken.io/? How can I delete the header that is there by default? – juniordevjim Oct 12 '20 at 06:31
  • seems not to be possible – jps Oct 12 '20 at 07:39
  • I have to create it with the RS256 algorithm; does it work the same way? – juniordevjim Oct 13 '20 at 08:20
  • @juniordevjim yes, at least you can create an RS256 signed token on jwt.io. You need to provide the private key for the signature. But jsonwebtoken.io seems not to be able to deal with anything else but HS256. – jps Oct 13 '20 at 09:23
  • @juniordevjim But instead of dealing with these websites, why don't you write a few lines of node.js/javascript, python or whatever code suits you best? It's quite easy and flexible. – jps Oct 13 '20 at 09:30