
I am trying to decode a JWT token string entered by a user and verify the signature; I am using the io.jsonwebtoken library. I got the "key" by using the "openssl rand -base64 32" command in my terminal. I am currently using "http://jwtbuilder.jamiekurtz.com" to compute the header and payload. I then enter my "key" in the Key field on the jwtbuilder website, as shown in the picture in the link below:

jwtbuilder.com with desired header, payload and signature

This is the output when I run the code:

Output of code

    package com.okta.developer;

    import io.jsonwebtoken.*;
    import io.jsonwebtoken.security.Keys;

    import java.util.Base64;
    import java.util.Scanner;

    public class JWTexercise
    {
        public static void main(String[] args)
        {
            Scanner input = new Scanner(System.in);

            // Base64-decode the text printed by `openssl rand -base64 32` to get the 32 raw key bytes
            byte[] key = Base64.getDecoder().decode("b8SwFJZVgo+S5Cuhf5LWUeXpHxDm5mp30GCuQHX2TpY=");

            System.out.println("Enter your JWT token: ");
            String jwtString = input.nextLine();

            Jws<Claims> jws;

            try
            {
                jws = Jwts.parser()                                   // (1)
                          .setSigningKey(Keys.hmacShaKeyFor(key))     // (2) HMAC-SHA key built from the raw bytes
                          .parseClaimsJws(jwtString);                 // (3) throws JwtException if the signature does not verify

                // parseClaimsJws returned without throwing, so we can safely trust the JWT
                System.out.println("The decoded JWT token is listed below:");
                System.out.println(jws);
                System.out.println();
                System.out.println("The signature is verified!");
            }
            catch (JwtException ex)
            {
                System.out.println("Cannot trust JWT because the signature is not verified!");
                // we *cannot* use the JWT as intended by its creator
            }
        }
    }
cjpayan
  • NOTE: This thread started in a YouTube comment: https://www.youtube.com/watch?v=O-sTJbeUagE&lc=UgwfdUOlm0VmoMga1pJ4AaABAg – Brian Demers Jan 30 '20 at 00:53
  • Your catch block is preventing the stack trace from getting printed. You can remove the try/catch block and you will see the full exception (and get a non-zero exit status) – Brian Demers Jan 30 '20 at 00:55

1 Answer


My guess is that the key you are using to create the token is NOT the same when validating the token.

openssl rand -base64 32 should create a random key, but it is unlikely those characters are printable. It looks like http://jwtbuilder.jamiekurtz.com/ uses the key directly entered into the text field, and does NOT base64-decode it first. I've never used that site, so this is just a guess.

This essentially means one of the keys is:

byte[] key = Base64.getDecoder().decode("b8SwFJZVgo+S5Cuhf5LWUeXpHxDm5mp30GCuQHX2TpY=");

and the other is:

byte[] key = "b8SwFJZVgo+S5Cuhf5LWUeXpHxDm5mp30GCuQHX2TpY=".getBytes();

The first option is a better practice, but I'm guessing when you use this website, you would want to use the second option.

Brian Demers
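To make the answer's point concrete, here is an added example (not the asker's Java code and not part of the jjwt library) that signs an HS256 token with each interpretation of the `openssl` output using only Python's standard library, and shows that a token signed with the raw text of the key does not verify against the decoded bytes; the payload is constructed.

```python
import base64
import hashlib
import hmac
import json

# The base64 text printed by `openssl rand -base64 32` in the question.
KEY_TEXT = "b8SwFJZVgo+S5Cuhf5LWUeXpHxDm5mp30GCuQHX2TpY="
# Interpretation 1: the 32 random bytes that text encodes (what the Java code uses).
KEY_DECODED = base64.b64decode(KEY_TEXT)
# Interpretation 2: the 44 ASCII characters themselves (what a form that uses the
# field contents verbatim would sign with, as the answer suspects).
KEY_RAW = KEY_TEXT.encode("ascii")


def b64url(data: bytes) -> str:
    """JWT-style base64url encoding with the padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(key: bytes, payload: dict) -> str:
    """Build a compact JWS (header.payload.signature) using HS256."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(key: bytes, token: str) -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))["alg"]
        actual = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    except (ValueError, KeyError, TypeError):
        return False
    if alg != "HS256":  # never let the token choose the algorithm
        return False
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, actual)


def key_mismatch_demo() -> dict:
    """Sign with the raw text (as the web form would) and verify with both keys."""
    token = sign_hs256(KEY_RAW, {"sub": "demo-user"})  # constructed payload
    return {
        "decoded_key_len": len(KEY_DECODED),                        # 32
        "raw_key_len": len(KEY_RAW),                                # 44
        "verifies_with_raw": verify_hs256(KEY_RAW, token),          # True
        "verifies_with_decoded": verify_hs256(KEY_DECODED, token),  # False
    }
```

Whichever side decodes the base64 text and whichever uses it verbatim, both must agree on the same 32 or 44 key bytes before an HS256 signature will verify.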