
I have a JWT with the secret key:

    import java.sql.Timestamp;
    import java.time.Instant;
    import java.time.ZoneId;
    import java.time.ZonedDateTime;

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTCreationException;

    private final static Algorithm ALGORITHM = Algorithm.HMAC256("secret");

    public String createToken(@NonNull String username) {
        // issue time and a 10-minute expiry, both taken in UTC
        Timestamp timestamp = Timestamp.from(Instant.from(ZonedDateTime.now(ZoneId.of("Z"))));
        Timestamp expTime = Timestamp.from(Instant.from(ZonedDateTime.now(ZoneId.of("Z")).plusMinutes(10)));

        try {
            String token = JWT.create()
                    .withIssuer("auth0")
                    .withClaim("username", username)
                    .withClaim("time", timestamp)   // custom claim; not the standard "exp"
                    .withExpiresAt(expTime)         // sets the standard "exp" claim
                    .sign(ALGORITHM);
            return token;
        } catch (JWTCreationException exception) {
            // thrown when the claims cannot be encoded or the signing key is invalid
            throw new IllegalStateException("could not create token", exception);
        }
    }

and the verify method:

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;

    public DecodedJWT verifyToken(String token) {

        // decode() only parses the token; it does not check the signature
        DecodedJWT decodedJWT = JWT.decode(token);

        try {
            JWTVerifier verifier = JWT
                    .require(ALGORITHM)      // same key bytes as used for signing
                    .withIssuer("auth0")
                    .build();
            // verify() checks the signature, the issuer and the "exp" claim if present
            DecodedJWT jwt = verifier.verify(token);
            return jwt;
        } catch (JWTVerificationException exception) {
            // report the concrete cause (signature, issuer, expiry) rather than a generic message
            System.out.println("token not verified: " + exception.getMessage());
            return null;
        }
    }

My problem is that the token returned from the method has an invalid signature according to https://jwt.io/. Also, the verify method is not working because of that. I read some blogs in which they said that you have to encode your secret, so I tried it like this:

    private final static Algorithm ALGORITHM = Algorithm.HMAC256(Base64.getEncoder().encodeToString("secret".getBytes()));

but it didn't work; the signature was also invalid. Does anyone have an idea of how I can fix that?

Thanks in advance

Okabe
  • regarding jwt.io: you probably did not provide the secret there, so jwt.io can't verify. See [here](https://stackoverflow.com/questions/69862105/jwt-io-says-signature-verified-even-when-key-is-not-provided/69862239#69862239) how to do it. And in your verify method I also don't see the secret anywhere. Generally for verification the verifying function needs to know the secret (or public key in case of asymmetric algorithms). And please also show the token here. – jps Jan 20 '22 at 12:54
  • thx for the jwt.io tip but how do I pass my secret in the verify method? – Okabe Jan 20 '22 at 13:02
  • did it work now on jwt.io? And can you please show your token here? What jwt library do you use? – jps Jan 20 '22 at 13:12
  • on jwt.io it worked but my verify method didn't work. Here is my token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhdXRoMCIsInRpbWUiOjE2NDI2ODQ0NzAsInVzZXJuYW1lIjoidXNlcm5hbWUifQ.Gn4ZGjMYBfEqJwJ7cI8hcd1NLgkRp5e7LieezKsSvo0 – Okabe Jan 20 '22 at 13:17
  • and I am using the Java Jwt auth0 library – Okabe Jan 20 '22 at 13:18
  • the token you have shown can't be verified with "secret". – jps Jan 20 '22 at 13:20
  • what is the actual exception in `catch (JWTVerificationException exception)`? In your code you ignore it and just print a generic error. – jps Jan 20 '22 at 13:31
  • com.auth0.jwt.exceptions.InvalidClaimException: The Claim 'username' value doesn't match the required one. – Okabe Jan 20 '22 at 13:38
  • I fixed the username issue but now I got the exception: com.auth0.jwt.exceptions.TokenExpiredException: The Token has expired on Thu Jan 20 14:44:07 CET 2022. – Okabe Jan 20 '22 at 13:45
  • strange, actually your token doesn't have a proper expiration time. You use "time", but for expiration the correct claim name is "exp". Try setting "exp" instead of time and see if it works. – jps Jan 20 '22 at 13:50
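To show what the signing and verification calls in the question, and jps's comments about the secret and the "exp" claim, come down to, here is an added stdlib-only Python sketch (not java-jwt's code and not the asker's): it mints and checks an HS256 token the same way, decodes the token pasted in the comments, and shows that Base64-encoding the secret changes the key bytes. The "okabe" username, the 600-second lifetime and the issue time are constructed values.

```python
import base64, hashlib, hmac, json

# Token pasted in the question's comments; decoded below, not re-signed.
QUESTION_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                  "eyJpc3MiOiJhdXRoMCIsInRpbWUiOjE2NDI2ODQ0NzAsInVzZXJuYW1lIjoidXNlcm5hbWUifQ."
                  "Gn4ZGjMYBfEqJwJ7cI8hcd1NLgkRp5e7LieezKsSvo0")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def claims_of(token: str) -> dict:
    """Read the payload without verifying anything (what jwt.io's decoder pane shows)."""
    return json.loads(b64url_decode(token.split(".")[1]))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, secret: bytes, issuer: str, now: int) -> dict:
    """Check alg, signature, issuer and the standard exp claim; raise ValueError on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature invalid")  # different key bytes on each side end up here
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("missing exp or expired")  # a custom "time" claim is never checked
    return claims

def demo() -> dict:
    secret = b"secret"  # raw key bytes, exactly what Algorithm.HMAC256("secret") uses
    issued = 1642684470  # constructed issue time (seconds since epoch, same as the token's "time")
    token = sign_hs256({"iss": "auth0", "username": "okabe", "exp": issued + 600}, secret)
    ok = verify_hs256(token, secret, "auth0", now=issued)["username"]
    try:  # Base64-encoding the secret string gives other key bytes (b"c2VjcmV0"), so the HMAC differs
        verify_hs256(token, base64.b64encode(secret), "auth0", now=issued)
        wrong_key = "verified"
    except ValueError as exc:
        wrong_key = str(exc)
    return {"ok": ok, "wrong_key": wrong_key, "question_has_exp": "exp" in claims_of(QUESTION_TOKEN)}
```

The pasted token carries only the custom "time" claim, so a verifier's expiry check has nothing standard to look at; withExpiresAt is what writes "exp".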

0 Answers