Background Context

I have two local APIs. One API is created using Express and Node.js; this is called my Auth API. The other API is created using C# .NET 6 and will be used for adding blog posts. I will call this API 2 for the purpose of this post.

API 2 has an endpoint called "Signin". This sends a request over to the Auth API, and if the login is a success the Auth API sends back a response about the user and a JWT. The token was signed and created using the npm package https://www.npmjs.com/package/jsonwebtoken.

The JWT returned is this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRhdGFiYXNlam9lIn0.eyJpZCI6IjYyMWEzOWFiNTUwMGE1NjA5NzI1MTIwMCIsImVtYWlsIjoiam9lQGRhdGFiYXNlam9lLmNvbSIsImlhdCI6MTY0NzMzODk0MSwiZXhwIjozMjk0NjgxNDgyLCJhdWQiOiJkYXRhYmFzZWpvZSIsImlzcyI6ImRhdGFiYXNlam9lIiwic3ViIjoiZGF0YWJhc2Vqb2UifQ.SVNpwte2R9lVjHqUlrM7syphcKGgSOsBxhduwHCDnq4

The Problem

The problem is that API 2, when trying to validate the token, is complaining about "IDX10516: Signature validation failed. Unable to match key:".

The code for this is:

    using System;
    using System.IdentityModel.Tokens.Jwt;
    using System.Linq;
    using System.Text;
    using Microsoft.AspNetCore.Http;
    using Microsoft.IdentityModel.Tokens;

    public void validateJwt(HttpContext context, string token)
    {
        try
        {
            var tokenHandler = new JwtSecurityTokenHandler();
            // "databasejoe" is 11 ASCII bytes (88 bits). jsonwebtoken will sign with a secret of any length,
            // but Microsoft.IdentityModel.Tokens enforces a minimum symmetric key size for HS256.
            var key = Encoding.ASCII.GetBytes("databasejoe");
            tokenHandler.ValidateToken(token, new TokenValidationParameters
            {
                // false only skips the IssuerSigningKeyValidator step; the signature itself is still checked
                ValidateIssuerSigningKey = false,
                IssuerSigningKey = new SymmetricSecurityKey(key),
                ValidateIssuer = false,
                ValidateAudience = false,
                // set clockskew to zero so tokens expire exactly at token expiration time (instead of 5 minutes later)
                ClockSkew = TimeSpan.Zero
            }, out SecurityToken validatedToken);

            var jwtToken = (JwtSecurityToken)validatedToken;
            // the "id" claim in the posted token is a 24-character hex string, not an integer, so keep it as a string
            var userId = jwtToken.Claims.First(x => x.Type == "id").Value;
        }
        catch (Exception ex)
        {
            // do nothing if jwt validation fails
            //https://stackoverflow.com/questions/38725038/c-sharp-how-to-verify-signature-on-jwt-token
        }
    }

What I have Checked

I have confirmed that the Auth API and API 2 both have the correct signing key. To keep things simple and for local testing I am using the signing key "databasejoe".

I have researched on Google and refactored my code, to no avail.

Outcome

The outcome that I am trying to achieve is to have API 2 validate the token that was generated by the Auth API with success.

Your help and advice would be appreciated.

dbjoe
  • Is the `JWT` token received from `API1` valid? Try to verify it in the browser by inspecting the network section, or using a tool like Postman or Fiddler. – mabiyan Mar 15 '22 at 10:48
  • Hello, the JWT is valid, as I have confirmed using jwt.io. – dbjoe Mar 15 '22 at 12:47

0 Answers