
I came across a "Bearer" Authentication in the header of an HTTP request (I want to understand an API) that I want to replicate.

This is the header field:

authentication : Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9eyJhdXRoX3Rva2VuIjoiNzgzYmFjNjA5MmRmIiwiaWQiOjgxLCJpc3N1ZWRUaW1lIjoxNjYzMjM2MDY2LjU5Mn0=.ue-WEprMVaRe7-weCxqZ8UHq7KR5XufhEliAzAsDM03

I understand that the first part after the word "Bearer", up to the dot, is a base64 encoded JSON with a token (that I have) and some meta information. But I cannot make sense of the part after the dot. What kind of encoding is this? When I send the request I get a message telling me that the JWT is invalid:

{"message":"Unauthorized call: Invalid JWT","data":{"message":"auth_check_fail"},"code":401}

Any help is much appreciated.

tzippy
  • According to https://www.rfc-editor.org/rfc/rfc7519 the part after the dot is the HMAC SHA-256 of the JWS payload. – tzippy Sep 15 '22 at 13:08

1 Answer

The key to your answer is JWT. It's a standard used for "representing claims securely between two parties." (cit.) It's made so that you can exchange messages in plain text (actually base64 encoded JSON) being sure nobody tampered with the message.

As suggested in a comment to your question, the last part is the HMAC using the SHA256 hash, which is used to verify the integrity of the token.

If you haven't tampered with it in other ways, the validation problem might be because of a missing . (dot) after the first part, which declares the algorithm of your JWT.

Try adding it after eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

your Bearer should look like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoX3Rva2VuIjoiNzgzYmFjNjA5MmRmIiwiaWQiOjgxLCJpc3N1ZWRUaW1lIjoxNjYzMjM2MDY2LjU5Mn0=.ue-WEprMVaRe7-weCxqZ8UHq7KR5XufhEliAzAsDM03

If you want to replicate the APIs you'll need your own authentication (those JWTs use a shared secret between the one that generated the message and the one verifying it); you can't use the tokens generated by the APIs you are trying to replicate.

If you want to use the APIs with a library written by you, then you can copy and paste the bearer that they gave you (they should have given you the bearer with the .).

Luca Ricci
  • Yep, I consider this similar to the PAC in Kerberos (Privileged Access Certificate, a bad name for entitlements/groups/roles). – Greg Askew Sep 15 '22 at 19:52
  • Thank you! by now I know quite a bit about jwt. I got to the point where I'm stuck because I am missing the secret key that the App which is using the API is sharing with the API. Since it's not a public API and I could not reverse engineer the secret from the .apk I guess I'm lost. But I learned a lot, so thanks again! – tzippy Sep 17 '22 at 11:19
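As an added example (not part of the original question or answer), the script below does what the answer describes by hand: it splits the token from the question into its three dot-separated segments, base64url-decodes the header and payload (tolerating the stray "=" padding on the payload, which RFC 7515 says should not be there), shows that the third segment is a 32-byte value, i.e. the length of an HMAC-SHA256 tag, and then mints and verifies an HS256 token with a secret of its own. The secret `b"example-shared-secret"` is a made-up value for illustration; the real API's secret is unknown, which is exactly why the original token cannot be verified or re-signed here.

```python
import base64
import hashlib
import hmac
import json

# The token from the question, with the missing "." restored between
# header and payload (constructed from the text of the question).
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJhdXRoX3Rva2VuIjoiNzgzYmFjNjA5MmRmIiwiaWQiOjgxLCJpc3N1ZWRUaW1lIjoxNjYzMjM2MDY2LjU5Mn0="
    ".ue-WEprMVaRe7-weCxqZ8UHq7KR5XufhEliAzAsDM03"
)

# Hypothetical secret, only so the signing/verification round trip can run.
DEMO_SECRET = b"example-shared-secret"


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, tolerating missing or stray '=' padding."""
    segment = segment.rstrip("=")
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Encode as unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload (as dicts) and raw signature bytes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def hs256_tag(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    """HMAC-SHA256 over the signing input 'header.payload' (RFC 7515 section 5.1)."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the token is HS256 and its tag matches under `secret`."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False
    # Pin the algorithm: never let the token's own header pick it.
    if header.get("alg") != "HS256":
        return False
    expected = hs256_tag(header_b64, payload_b64, secret)
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS for `payload` under `secret`."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(hs256_tag(header_b64, payload_b64, secret))}"


if __name__ == "__main__":
    info = inspect_jwt(TOKEN)
    print("header: ", info["header"])
    print("payload:", info["payload"])
    print("signature bytes:", len(info["signature"]))
    print("verifies under demo secret?", verify_hs256(TOKEN, DEMO_SECRET))
    own = mint_hs256(info["payload"], DEMO_SECRET)
    print("own token verifies?", verify_hs256(own, DEMO_SECRET))
```

Running it shows the header `{"alg": "HS256", "typ": "JWT"}`, the payload with `auth_token`, `id` and `issuedTime`, and a 32-byte signature; verification of the original token under the demo secret fails, and only a token minted with the same secret verifies. Note also that a strict verifier may reject the original payload segment outright because of its trailing "=", so when replicating the client it is worth checking whether the real app sends the padded or unpadded form.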