1

I wanted to know how I can validate HTTP messages with JWS Detached. Currently, I am receiving x-sign-jws request in header which looks like below

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..UXwjHxU3tFlrzPMupG04zROiEcHFQpCg3l7J4Axr1fE

I need to verify this at my end whether the request is right or not using my secrete Key

Ex: 12345678

I am using firebase/jwt and tried below code

$hed = getallheaders();
$recievedJwt = $hed["X-Sign-Jws"];
$decoded = JWT::decode($recievedJwt, $secret_key, array('JWT','HS256'));```

but I am not getting any result.

I searched on net I found the article which mentioned below steps:

Validation HTTP message with JWS Detached: a) Get the HTTP header "x-sign-jws", b) Get BASE64URL HTTP body c) Put generate string b) into the Payload section d) Validate JWS

But I am confused with how to get Base64URL HTTP body

Any help would be greatly appreciated since there are only a few articles available on this topic.

jps
  • 20,041
  • 15
  • 75
  • 79
Lavkush Tari
  • 65
  • 1
  • 4

1 Answers1

1

JWS format is base64url(header).base64url(payload).base64url(signature), note the dot delimiter between 3 components.

Detached JWS still contains 3 components but the payload is removed and provided elsewhere, usually the payload is provided in the HTTP Body.

To verify detached JWS, you need to add base64url encoded payload to the detached JWS. The payload is available from your HTTP Body.

For example;

x-sign-jws = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..UXwjHxU3tFlrzPMupG04zROiEcHFQpCg3l7J4Axr1fE

//split x-sign-jws into array using delimiter .
    
x-sign-jws-attached = x-sign-jws-split[0] + '.' + base64Url(HTTPRequest.Body) + '.' + x-sign-jws-split[1]

Now you can verify x-sign-jws-attached as shown below;

$decoded = JWT::decode($x-sign-jws-attached, $secret_key, array('JWT','HS256'));```
Dharman
  • 30,962
  • 25
  • 85
  • 135
Gigi Mathew
  • 215
  • 2
  • 6