
I'm trying to verify a JWT in Java; I have used code similar to this post: Java - Auth0 JWT Verification - Is this correct?

    import com.auth0.jwk.Jwk;
    import com.auth0.jwk.JwkException;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import org.springframework.http.HttpHeaders; // assumed: the toString() parsing below matches Spring's [Name:"value"] format
    import java.security.interfaces.RSAPublicKey;

    public void parseJWTKey(HttpHeaders header)
    {
        try
        {
            Jwk jwk = getPublicKey(); //method to retrieve public key from auth server (identity server)

            RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();

            // verify-only: no private key is needed, so the second argument is null
            Algorithm alg = Algorithm.RSA256(publicKey, null);
            JWTVerifier verifier = JWT.require(alg)
                    .withIssuer("auth0")
                    .build();

            // pull the token out of HttpHeaders#toString(), e.g. [Authorization:"Bearer eyJ..."]
            // note: the substring starts at the space itself, so the token keeps a leading space
            String headerString = header.toString();
            String parsedHeader = headerString.substring(headerString.indexOf(" "), headerString.lastIndexOf("\""));

            // checks signature, issuer and exp/nbf; throws on any failure
            DecodedJWT dJwt = verifier.verify(parsedHeader);
        }
        catch(JWTVerificationException | JwkException | NullPointerException a)
        {
            a.printStackTrace();//TODO: Logging
        }
    }

but I am getting the error:

    com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA

I have also seen this post: com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA, but I am not using HMAC256.

Although I can get the JWT:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjdjNDM5MmMxMDA1MGJiN2E2MDYwMTVlMTk0MTNkOWMxIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NzE2NTU3NzEsImV4cCI6MTU3MTY4NDU3MSwiaXNzIjoiaHR0cDovLzE5Mi4xNjguMTAwLjEwMTo1MDU1IiwiYXVkIjpbImh0dHA6Ly8xOTIuMTY4LjEwMC4xMDE6NTA1NS9yZXNvdXJjZXMiLCJjbGFpbXNhcGkiXSwiY2xpZW50X2lkIjoicm8udGVzdGNsaWVudCIsInN1YiI6IjEiLCJhdXRoX3RpbWUiOjE1NzE2NTU3NzEsImlkcCI6ImxvY2FsIiwic2NvcGUiOlsib2ZmaWNlIiwib3BlbmlkIiwicHJvZmlsZSIsImNsYWltc2FwaSJdLCJhbXIiOlsicHdkIl19.oK4Cg2laKUgdAHpyZ3yB7bVlgdHevhkzQMn47wnQPbvc04GME90wXScHxTSNkgtTPnuXK_t-ddyPYrxOZFnHPfDr9PLTjDXilLF90Ga91a4khFvRqvTqRwXAnpsamAsBdXZoybkbQ8c_x7kPua5NwN13AJU_cL37tSuor4ujYIJ9McLdQDLIBhD7b76QAMF2UkstFG_oPUSwycot-18zuaB97K4b5X-rO-j2DfEy15caRmMGxX-1c4EMw4T4pxHkQc4WVumA0C2nsCufJ1ZyZ74bcebRTTbb9y__QDvekGa1vfUYG6Pon7q83gQVWiH580vwiH60rrICjl9fNK4hmQ

I am unable to access the private key to check the signature on jwt.io, as it is held on an identity server instance which is not under my control; however, with my limited knowledge of OAuth, I believe this not to be the problem.

Boots
  • you should change .withIssuer("auth0") to your real issuer "http://192.168.100.101:5055" – Iurii Drozdov Oct 22 '19 at 08:53
  • Thank you, I have changed it but I'm still getting the same error. – Boots Oct 22 '19 at 09:27
  • Is this the same issue as here: https://stackoverflow.com/questions/48750417/token-signature-invalid-error – Dan Woda Oct 25 '19 at 22:12
  • Yes it is. I have sorted it now though. Originally the key in my program comes from header files and when I was parsing it, there were spaces left either side. A rookie error I think. – Boots Oct 29 '19 at 18:20
  • For me it was a mismatch in my jwksUrl and access token URL. Jwks URL is the one used for verifying the public keys and access token URL is from where you request the token; they both need to belong to the same environment. In my case I was getting the token from stage environment but my spring security code was trying to verify the token with jwksUrl which was pointing to dev environment. – Shrikant Prabhu Feb 25 '21 at 08:16
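The two root causes in this thread (stray whitespace around the token after parsing the header, and a JWKS endpoint from a different environment than the token's issuer) both surface only as a generic signature error. The class below is an added example, not the asker's code or auth0's, that makes each of them fail early with a precise message. It assumes Spring's `org.springframework.http.HttpHeaders`, auth0 `java-jwt` 3.x and `jwks-rsa` on the classpath, and that the JWKS document is served at `{issuer}/.well-known/openid-configuration/jwks` (IdentityServer's discovery layout; treat the path as an assumption). The issuer and audience values are taken from the token posted in the question.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import org.springframework.http.HttpHeaders;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.regex.Pattern;

public class BearerTokenVerifier {

    // Compact JWS serialization: three base64url segments, no whitespace or quotes anywhere.
    private static final Pattern COMPACT_JWS =
            Pattern.compile("[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+\\.[A-Za-z0-9_-]+");

    private final String issuer;   // e.g. "http://192.168.100.101:5055" (iss of the token in the question)
    private final JWTVerifier verifier;

    public BearerTokenVerifier(String issuer, String audience) throws MalformedURLException {
        this.issuer = issuer;

        // Derive the JWKS URL from the issuer so the key set and the token always come from
        // the same environment. Path = IdentityServer discovery layout (assumption).
        JwkProvider jwks = new UrlJwkProvider(new URL(issuer + "/.well-known/openid-configuration/jwks"));

        // Let java-jwt select the key by the token's "kid" header instead of hard-wiring one key.
        RSAKeyProvider keys = new RSAKeyProvider() {
            @Override public RSAPublicKey getPublicKeyById(String kid) {
                try {
                    Jwk jwk = jwks.get(kid);
                    return (RSAPublicKey) jwk.getPublicKey();
                } catch (JwkException e) {
                    // null makes verify() fail with a key-lookup error instead of an NPE
                    return null;
                }
            }
            @Override public RSAPrivateKey getPrivateKey() { return null; } // verify-only
            @Override public String getPrivateKeyId() { return null; }
        };

        this.verifier = JWT.require(Algorithm.RSA256(keys))
                .withIssuer(issuer)
                .withAudience(audience)   // e.g. "claimsapi"
                .acceptLeeway(30)         // seconds of clock skew tolerated on exp/nbf
                .build();
    }

    /** Extracts the token from "Authorization: Bearer <token>", rejecting anything malformed. */
    static String extractBearerToken(HttpHeaders headers) {
        String auth = headers.getFirst(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            throw new IllegalArgumentException("missing or non-Bearer Authorization header");
        }
        String token = auth.substring(7).trim();
        // A space or quote left over from header parsing would otherwise show up only as
        // SignatureVerificationException; fail here with the real reason instead.
        if (!COMPACT_JWS.matcher(token).matches()) {
            throw new IllegalArgumentException("Authorization header does not carry a compact JWS");
        }
        return token;
    }

    public DecodedJWT verify(HttpHeaders headers) throws JWTVerificationException {
        String token = extractBearerToken(headers);
        // Cheap pre-check before any network call: a token minted by another environment
        // would otherwise be checked against the wrong JWKS and fail as a bad signature.
        DecodedJWT unverified = JWT.decode(token);   // decoded, NOT yet trusted
        if (!issuer.equals(unverified.getIssuer())) {
            throw new JWTVerificationException("token issuer " + unverified.getIssuer()
                    + " does not match configured issuer " + issuer);
        }
        return verifier.verify(token);   // signature, iss, aud, exp, nbf
    }
}
```

Usage: construct one `BearerTokenVerifier("http://192.168.100.101:5055", "claimsapi")` at startup and call `verify(headers)` per request. The `iss` pre-check reads an unverified claim, which is fine here because it only decides whether to proceed; nothing is trusted until `verifier.verify` has checked the signature against the key selected by `kid`. In production wrap the `UrlJwkProvider` in jwks-rsa's cached/rate-limited provider so each request does not fetch the key set.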

0 Answers