FusionAuth

Invalid JWT signature

  • ?
    A Former User
    last edited by 19 Sept 2022, 07:05

    Hi folks,

    We use the endpoint /oauth2/token and we receive the tokens. We copy and paste the tokens into jwt.io to check signature validity (we also copy and paste the secret). Strangely enough:

    • access_token seems to have an invalid signature
    • id_token seems to have a valid signature

    Is this normal? We would like to use the access_token because it contains user roles. The automatic JWT token validation built into ASP.NET Core rejects it.

    Kind regards

    • J
      joshua @A Former User
      last edited by joshua 23 Sept 2022, 21:42

      @lionel-selosse

      Thanks for the question!

      If you are accessing our token endpoint and asking for a token, and have an invalid signature - there could be a few causes. It may be related to how you are checking the signature. There are a few ways to do this if using a third-party library to validate a signature and there is room for error -- as I have experienced myself 🙂

      I was able to take the client secret (from the OAuth configuration screen Applications > Your App > OAuth tab) and validate a recently generated access token using the following curl command

      curl --request POST \
        --url https://local.fusionauth.io/oauth2/token \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data grant_type=authorization_code \
        --data client_id=<your_client_id> \
        --data client_secret=<your_secret> \
        --data code=<your_auth_code> \
        --data redirect_uri=http://www.google.com
      

      JWT.io verified the signature as valid:

      [screenshot: JWT.io result]

      One thing to confirm is if you are on the latest version of FusionAuth.

      Aside from that, please feel free to log an issue below with the details of your bug.

      https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

      Thanks,
      Josh
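
A local version of the check discussed in this thread, as an added example (not code from the posters or from FusionAuth): it reads each token's header (`alg`, `kid`) and verifies an HMAC signature against a given secret offline. The tokens, secrets and `kid` values are constructed sample data, and the two sample tokens being signed with different keys is an assumption for illustration.

```python
import base64, hashlib, hmac, json

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def header_of(token: str) -> dict:
    """Decode the (unverified) JOSE header to see which alg and kid the issuer used."""
    return json.loads(b64url_decode(token.split(".")[0]))

def verify_hmac(token: str, secret: bytes) -> bool:
    """True only if the token uses HS256/384/512 and its signature matches `secret`."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        alg = header_of(token).get("alg")
        given = b64url_decode(sig_b64)
    except (ValueError, AttributeError):
        return False  # not three parts, bad base64, or header is not a JSON object
    if not isinstance(alg, str) or alg not in HASHES:
        return False  # RS256, ES256, "none": a shared secret cannot verify these
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), HASHES[alg]).digest()
    return hmac.compare_digest(expected, given)

def diagnose(tokens: dict, secret: bytes) -> dict:
    """Per token: (alg, kid, does `secret` verify it?)."""
    return {name: (header_of(t).get("alg"), header_of(t).get("kid"), verify_hmac(t, secret))
            for name, t in tokens.items()}

def sign_sample(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed HMAC-signed token so the example runs offline."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), HASHES[header["alg"]]).digest()
    return ".".join(parts + [b64url_encode(sig)])

# Constructed sample data. Assumption: the two tokens were signed with different keys.
CLIENT_SECRET = b"constructed-client-secret"
OTHER_KEY = b"constructed-other-signing-key"
SAMPLE = {
    "id_token": sign_sample({"alg": "HS256", "kid": "key-A"}, {"sub": "u1"}, CLIENT_SECRET),
    "access_token": sign_sample({"alg": "HS256", "kid": "key-B"}, {"sub": "u1", "roles": ["admin"]}, OTHER_KEY),
}

if __name__ == "__main__":
    for name, row in diagnose(SAMPLE, CLIENT_SECRET).items():
        print(name, row)
```

If a token's header shows an asymmetric `alg` such as RS256, it has to be verified against the issuer's public key rather than the client secret.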

      • ?
        A Former User @joshua
        last edited by 26 Sept 2022, 08:17

        Hi @joshua thanks for the feedback.

        Regarding the client secret, the one I use starts with Q9 and ends with dA. It's the one for delta-dev application. Are we using the same?

        I don't understand your remark regarding latest version of FusionAuth. This service is on the cloud, right? You are updating it, no? It's not on premises AFAIK? I see in the menu "FusionAuth version 1.28.1". Is this the latest version? If not, how should we upgrade?

        If you prefer to create an issue instead of talking on this forum, I can create a ticket.

        Thanks

        • ?
          A Former User @A Former User
          last edited by 26 Sept 2022, 11:21

          Forget my answer above. I just realized we use FusionAuth on premises and not on the cloud. We will see how we can upgrade our old version.

          • J
            joshua @A Former User
            last edited by 28 Sept 2022, 15:52

            @lionel-selosse

            > I don't understand your remark regarding latest version of FusionAuth

            This was only to indicate that if you are on an older version of FusionAuth, then the fix might be to upgrade to a newer version, especially if the release notes indicate that a fix may have been implemented.

            Thanks,
            Josh

            • J
              joshua @A Former User
              last edited by 28 Sept 2022, 15:54

              @lionel-selosse

              We have a section in our documentation that covers upgrading which you may find helpful as well.

              • https://fusionauth.io/docs/v1/tech/admin-guide/upgrade

              Thanks,
              Josh

              • ?
                A Former User @joshua
                last edited by 29 Sept 2022, 06:44

                Thanks @joshua I'll transmit the link to our infra team. Hopefully upgrade will happen soon. Currently we use version 1.28.1, from one year ago. Do you think upgrade could affect JWT signatures?
