-3

The generated JWT token is shown below. The jwt.io website says "invalid signature":

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiwiVFRJRCI6IjEyMzQ1NiIsImV4cCI6MTY4Nzc2Mzg3MiwiaXNzIjoic2FtcGxlIiwiYXVkIjoic2FtcGxlIn0.SUHPiDut67KM6LcbzYEF2CCMKiQlB5JMdiqqgIurJHg"

JWT token generation method

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

private static string generateJwtToken(string username, string password, string TTid)
{
    // Accepts every TLS server certificate for the whole process; it plays no part in signing the token.
    System.Net.ServicePointManager.ServerCertificateValidationCallback += (se, cert, chain, sslerror) => { return true; };

    User user = new User();
    user.Username = username;
    user.Password = password;
    user.TTID = "123456";
    var tokenHandler = new JwtSecurityTokenHandler();

    // HS256 is symmetric: the secret that signs the token is the one a verifier must be given.
    var key = Encoding.ASCII.GetBytes("sample2023TTTTASASA");
    var securityKey = new SymmetricSecurityKey(key);
    var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
    var secToken = new JwtSecurityToken(
        signingCredentials: credentials,
        issuer: "sample",
        audience: "sample",
        claims: new Claim[] { new Claim("userName", user.Username.ToString()), new Claim("TTID", "123456"), },
        expires: DateTime.UtcNow.AddDays(1));
    var handler = new JwtSecurityTokenHandler();
    return handler.WriteToken(secToken);
}
```
Progman
  • Did you add "sample2023TTTTASASA" as your key in the jwt.io website to verify the signature? – risto Jun 25 '23 at 12:38
  • When I enter a random number as the key, it also says valid signature. I expect it to say valid signature only when the key is entered – Android Guy Jun 25 '23 at 16:05
  • *When I enter a random number as the key, it also says valid signature* - you should also notice that the signature part of the token on the left side changed. The signature was recalculated and verified with the wrong secret. Read here how to verify a token in the correct way: [jwt.io says Signature Verified even when key is not provided](https://stackoverflow.com/a/69862239) – jps Jun 26 '23 at 07:38
  • Aside from that, the question is a duplicate of https://stackoverflow.com/search?q=jwt.io+invalid+signature (and many other almost identical ones) – jps Jun 26 '23 at 07:40

1 Answer

1

I think your token is OK. You just need to specify the key you used to sign the token in the 'your-256-bit-secret' input box in the 'Verify signature' part of the jwt.io page. So put in 'sample2023TTTTASASA' and it works.

Reason:

A JWT token's signature is generated as a combination of header + payload + signing key.

The header is the first part of the token, up to the first dot, in this case 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'.

The payload is the second part, the part between the dots: 'eyJ1c2VyTmFtZSI6ImFkbWluIiwiVFRJRCI6IjEyMzQ1NiIsImV4cCI6MTY4Nzc2Mzg3MiwiaXNzIjoic2FtcGxlIiwiYXVkIjoic2FtcGxlIn0'. This part contains the actual claims.

The third part is the signature, and it is generated using a specific algorithm, e.g. HMAC SHA256, with a signing key, in this case 'sample2023TTTTASASA', and this is what you need to specify on the page.

Andrea
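The check described in the answer and in jps's comment, written out as an added example (not code from the question or the answer): the signature already in the token is compared against HMAC-SHA256 over `header.payload`, and re-signing with another secret is shown to produce a different signature that the other secret then accepts. The helper names and the sample claims are constructed for illustration; the secret is the one quoted in the question.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"sample2023TTTTASASA"  # signing key quoted in the question

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload and append HMAC-SHA256(secret, header.payload)."""
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the signature already in the token matches the secret."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:
        return False
    # Pin the algorithm instead of trusting whatever the header asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)

def demo() -> dict:
    claims = {"userName": "admin", "TTID": "123456"}  # constructed sample claims
    token = sign_hs256(claims, SECRET)
    resigned = sign_hs256(claims, b"12345")  # same claims, signed with another secret
    return {"right_key": verify_hs256(token, SECRET),
            "wrong_key": verify_hs256(token, b"12345"),
            "resigned_signature_changed": resigned.split(".")[2] != token.split(".")[2],
            "resigned_accepts_wrong_key": verify_hs256(resigned, b"12345")}

if __name__ == "__main__":
    print(demo())
```

To check a real token, pass the full three-part string and the signing key to `verify_hs256`; unlike the jwt.io page, it never rewrites the signature.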