
I am using https://github.com/auth0/java-jwt to create a JWT token and sign it on the client side using a secret that has been published by the server, which uses https://github.com/jwtk/jjwt.

I am getting this error message consistently: `SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.`

Here is the code snippet:

import java.lang.{Long => jLong}
import scala.collection.immutable.ListMap
import scala.collection.JavaConverters._
import com.auth0.jwt.JWTSigner

// `config`, `expiry` and `encodeSecret` are defined elsewhere in this code base.
def createJWT(secret: String = config.secret,
              issuer: Option[String] = Some(config.issuer)): String = {
  // encodeSecret base64-encodes the shared secret before handing it to java-jwt
  val jwtSigner = new JWTSigner(encodeSecret(secret))
  // Claim set; "exp" is seconds since the epoch, so the millisecond timestamp is divided by 1000
  val claims: Map[String, AnyRef] = ListMap.empty[String, AnyRef] ++
//    issuer.map("iss" -> _) ++
    Some("exp" -> jLong.valueOf(expiry.getTime / 1000)) ++
    Some("orgId" -> config.orgId)
//    Some("admin" -> java.lang.Boolean.TRUE) ++
//    Some("sub" -> config.subject)
  jwtSigner.sign(claims.asJava)
}
sliceh
  • `encodeSecret(secret)` - what kind of encoding is that, and why do you encode it? – jps Sep 14 '21 at 14:14
  • It is encoding to base64. It is considered a safe practice to encode it. Also, inside the library (java-jwt), the secret is decoded. – sliceh Sep 15 '21 at 04:28

0 Answers
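The comment thread turns on how the shared secret is encoded before it becomes HMAC key bytes. As an added example (not code from the question or from either library), here is a minimal HS256 signer and verifier in Python that shows how one side base64-decoding the published secret while the other side uses the string as-is produces exactly a "signature does not match locally computed signature" failure; the secret, claims and function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS over `claims` using the given raw key bytes."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC with the verifier's key bytes and compare in constant time."""
    try:
        header, payload, signature = token.split(".")
        presented = b64url_decode(signature)
    except ValueError:          # malformed token or bad base64url
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)

# Constructed sample: the server publishes its secret to the client as a base64 string.
SECRET_B64 = base64.b64encode(b"constructed-shared-secret-0123456789").decode("ascii")
CLAIMS = {"exp": 1700000000, "orgId": "org-123"}

def key_mismatch_demo() -> dict:
    """Sign with the base64-decoded bytes, then verify with both readings of the same string."""
    decoded_key = base64.b64decode(SECRET_B64)   # signer decodes the published string
    literal_key = SECRET_B64.encode("ascii")      # verifier treats the string as the key
    token = sign_hs256(CLAIMS, decoded_key)
    return {
        "same_bytes": verify_hs256(token, decoded_key),         # True: both sides agree on key bytes
        "string_vs_decoded": verify_hs256(token, literal_key),  # False: the reported mismatch
    }
```

Whichever convention is chosen, both libraries must be configured to turn the published string into the same bytes; a verifier should treat this failure as an untrusted token, never as a reason to relax verification.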