
Manually verifying a JWT

  • R
    raghebmichael
    last edited by 11 Jul 2020, 19:52

    I have an access token that is signed by an HS256 signing key. When I go to my Rails backend and use the JWT library to decode it and verify it is a valid token signed by FusionAuth, it returns a Signature Verification Error. Am I doing something wrong?

    This is my rails code to decode and verify that the JWT is valid:

    JWT.decode(access_token, signing_key, true)
    

    This is my default signing key (Yes I know it is insecure to share this, but it's a dev server not production and I will change it after this):


    (Signing key in text): 1c8e490a-4972-7d73-8935-06621a0a6441

    And here is an example JWT that was issued:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjllZDRjNjc1NCJ9.eyJhdWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJleHAiOjE1OTQ0ODk5NTMsImlhdCI6MTU5NDQ4NjM1MywiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIxMzUyOWVkZi05NjFlLTRkM2EtODE3Ny1hMmYxN2NmNTU0YjEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoibXNyYWdoZWJAdWNpLmVkdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJyb2xlcyI6WyJTZXJ2YW50Il0sImFwcGxpY2F0aW9uSWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJwZXJzb25faWQiOjF9.aKajyZmIWe0d0ijoV2oTpxVUeQpOieaV5C80SoLqCrA
    

    I don't know how to further debug this. Any help appreciated, thank you.

    • D
      dan
      last edited by dan 7 Nov 2020, 20:08 11 Jul 2020, 20:07

      Hiya,

      Here's an example library of decoding JWTs: https://github.com/FusionAuth/fusionauth-example-ruby-jwt

      Code based on this seems to work with your payload:

      require 'jwt'
      
      hmac_secret = '1c8e490a-4972-7d73-8935-06621a0a6441'
      
      exp = Time.now.to_i + (5*60)
      iat = Time.now.to_i + (0*60)
      
      payload = {
        "aud": "9380d2c6-c435-4eec-a897-9ec9d084bce8",
        "exp": exp,
        "iat": iat,
        "iss": "acme.com",
        "sub": "13529edf-961e-4d3a-8177-a2f17cf554b1",
        "authenticationType": "PASSWORD",
        "email": "msragheb@uci.edu",
        "email_verified": true,
        "roles": [
          "Servant"
        ],
        "applicationId": "9380d2c6-c435-4eec-a897-9ec9d084bce8",
        "person_id": 1
      }
      
      token = JWT.encode payload, hmac_secret, 'HS256', {"typ": "JWT", "kid": "abc"}
      
      puts token
      
      decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
      
      puts decoded_token
      
      

      Here's similar code which just takes a JWT and decodes it:

      require 'jwt'
      
      # the todo API
      
      hmac_secret = '1c8e490a-4972-7d73-8935-06621a0a6441'
      
      token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjllZDRjNjc1NCJ9.eyJhdWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJleHAiOjE1OTQ0ODk5NTMsImlhdCI6MTU5NDQ4NjM1MywiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIxMzUyOWVkZi05NjFlLTRkM2EtODE3Ny1hMmYxN2NmNTU0YjEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoibXNyYWdoZWJAdWNpLmVkdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJyb2xlcyI6WyJTZXJ2YW50Il0sImFwcGxpY2F0aW9uSWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJwZXJzb25faWQiOjF9.aKajyZmIWe0d0ijoV2oTpxVUeQpOieaV5C80SoLqCrA'
      
      puts token
      
      decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
      
      puts decoded_token
      
      

      Right now of course the JWT you provided won't be valid because it expired. Can you generate a JWT good for 30 days and share that here? Or try to use the above code to decode it?

      I'd also make sure that the server has the correct time on it and that the access token is just the JWT and doesn't include "Bearer ".

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      • R
        raghebmichael @dan
        last edited by raghebmichael 7 Nov 2020, 20:18 11 Jul 2020, 20:17

        @dan said in Manually verifying a JWT:

        hmac_secret = '1c8e490a-4972-7d73-8935-06621a0a6441'

        token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjllZDRjNjc1NCJ9.eyJhdWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJleHAiOjE1OTQ0ODk5NTMsImlhdCI6MTU5NDQ4NjM1MywiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIxMzUyOWVkZi05NjFlLTRkM2EtODE3Ny1hMmYxN2NmNTU0YjEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoibXNyYWdoZWJAdWNpLmVkdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJyb2xlcyI6WyJTZXJ2YW50Il0sImFwcGxpY2F0aW9uSWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJwZXJzb25faWQiOjF9.aKajyZmIWe0d0ijoV2oTpxVUeQpOieaV5C80SoLqCrA'

        puts token

        decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }

        puts decoded_token

        Thanks for the response. Here's one that was just generated and shouldn't be expired:

        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjllZDRjNjc1NCJ9.eyJhdWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJleHAiOjE1OTQ1MDIwMTQsImlhdCI6MTU5NDQ5ODQxNCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIxMzUyOWVkZi05NjFlLTRkM2EtODE3Ny1hMmYxN2NmNTU0YjEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoibXNyYWdoZWJAdWNpLmVkdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhcHBsaWNhdGlvbklkIjoiOTM4MGQyYzYtYzQzNS00ZWVjLWE4OTctOWVjOWQwODRiY2U4Iiwicm9sZXMiOlsiU2VydmFudCJdLCJwZXJzb25faWQiOjF9.Xf_LYuqhxC1mskoEtKTJogqA_x3PKJlpwkXgRokgI2I

        I tried the following code, like yours, with the new token and it gives me a signature error:

        require 'jwt'

        hmac_secret = '1c8e490a-4972-7d73-8935-06621a0a6441'

        token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjllZDRjNjc1NCJ9.eyJhdWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJleHAiOjE1OTQ1MDIwMTQsImlhdCI6MTU5NDQ5ODQxNCwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIxMzUyOWVkZi05NjFlLTRkM2EtODE3Ny1hMmYxN2NmNTU0YjEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoibXNyYWdoZWJAdWNpLmVkdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhcHBsaWNhdGlvbklkIjoiOTM4MGQyYzYtYzQzNS00ZWVjLWE4OTctOWVjOWQwODRiY2U4Iiwicm9sZXMiOlsiU2VydmFudCJdLCJwZXJzb25faWQiOjF9.Xf_LYuqhxC1mskoEtKTJogqA_x3PKJlpwkXgRokgI2I'

        puts token

        decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }

        puts decoded_token
        • R
          raghebmichael
          last edited by raghebmichael 7 Nov 2020, 20:32 11 Jul 2020, 20:29

          I don't think it's an issue with server time. I can't verify the signature on jwt.io when using my secret and token.


          Here is the long-lasting token:
          eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjllZDRjNjc1NCJ9.eyJhdWQiOiI5MzgwZDJjNi1jNDM1LTRlZWMtYTg5Ny05ZWM5ZDA4NGJjZTgiLCJleHAiOjE1OTQ1ODU2ODYsImlhdCI6MTU5NDQ5OTI4NiwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiIxMzUyOWVkZi05NjFlLTRkM2EtODE3Ny1hMmYxN2NmNTU0YjEiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoibXNyYWdoZWJAdWNpLmVkdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhcHBsaWNhdGlvbklkIjoiOTM4MGQyYzYtYzQzNS00ZWVjLWE4OTctOWVjOWQwODRiY2U4Iiwicm9sZXMiOlsiU2VydmFudCJdLCJwZXJzb25faWQiOjF9.GQNEPj3GJe5ejQFg3YVmBmVEbMUlmQLSUuyPe2bTUXk

          • R
            raghebmichael
            last edited by 11 Jul 2020, 22:13

            Something is very wrong. I don't know if this is something anybody else is facing, but I changed to an RS256 key and used the public key on jwt.io and it is still invalid. I cannot validate a JWT outside of /api/jwt/validate. This is a really big deal to me to be able to do something as simple as validating. Please let me know if I am in error, but if I can't get this to work I cannot continue using FusionAuth and that's a big bummer to me as I had high hopes for this service.

            • D
              dan
              last edited by 12 Jul 2020, 00:54

              Hmmm. I'll take a look on Monday.

              • D
                dan
                last edited by 13 Jul 2020, 14:45

                Hiya,

                I was able to successfully decode a JWT. From reviewing this thread, I think maybe the issue is that you are using the wrong secret. It seems like you might have accidentally been using the id of the signing key '1c8e490a-4972-7d73-8935-06621a0a6441' instead of the actual secret key.

                Here's how I found my secret key:

                • go to settings
                • go to keymaster
                • click on the green magnifying glass icon to view the default key
                • click on click here to see the secret.


                My secret looked something like this: n0EfufcUAuYM6199G3ffRp+YUVMPodabtlI/wT8oBYc=.

                Can you try validating your JWT with the secret found through those steps and let me know how it goes?


                B 1 Reply Last reply 3 Jan 2023, 00:36 Reply Quote 1
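
The failure dan identifies above (an HS256 check run with the signing key's id instead of its secret) can be told apart from expiry and "Bearer " prefix problems with a small diagnostic. This is an added example, not code from the thread or from FusionAuth; it uses only Ruby's standard library, and the key id, secret and token in it are constructed sample values.

```ruby
require 'openssl'
require 'json'

# base64url without padding, as JWT segments are encoded (RFC 7515).
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(segment)
  (segment.tr('-_', '+/') + '=' * ((4 - segment.length % 4) % 4)).unpack1('m')
end

# HS256: HMAC-SHA256 over "header.payload", keyed with the secret bytes exactly as given.
def hs256_mac(signing_input, key)
  OpenSSL::HMAC.digest('SHA256', key, signing_input)
end

# Build a token; used here only to construct sample input.
def hs256_sign(claims, key, kid)
  parts = [{ alg: 'HS256', typ: 'JWT', kid: kid }, claims]
  input = parts.map { |part| b64url_encode(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url_encode(hs256_mac(input, key))}"
end

# Returns [status, label of the matching key]. Separating the steps keeps a key
# mix-up from being mistaken for expiry, clock skew or a stray "Bearer " prefix.
def diagnose(raw, candidates, now: Time.now.to_i)
  token = raw.sub(/\ABearer\s+/i, '') # the Authorization scheme is not part of the JWT
  head, body, sig = token.split('.', -1)
  return [:malformed, nil] if token.count('.') != 2 || [head, body, sig].any?(&:empty?)
  return [:unexpected_alg, nil] unless JSON.parse(b64url_decode(head))['alg'] == 'HS256'
  label, = candidates.find { |_, key|
    OpenSSL.secure_compare(hs256_mac("#{head}.#{body}", key), b64url_decode(sig))
  }
  return [:no_candidate_key_matches, nil] unless label
  exp = JSON.parse(b64url_decode(body))['exp'].to_i
  exp > now ? [:valid, label] : [:signature_ok_but_expired, label]
rescue JSON::ParserError
  [:malformed, nil]
end

# Constructed sample values, not taken from the thread.
KEY_ID = '00000000-0000-4000-8000-000000000001'   # what a key *id* looks like
SECRET = 'constructed-demo-secret'                # the secret the token was signed with
CANDIDATES = { 'key id' => KEY_ID, 'secret' => SECRET }.freeze
SAMPLE = 'Bearer ' + hs256_sign({ sub: 'user-1', exp: 2_000_000_000 }, SECRET, 'demo')

p diagnose(SAMPLE, CANDIDATES, now: 1_700_000_000)
```

A `:no_candidate_key_matches` result means the key material is wrong, whatever the token's `exp` says; `:signature_ok_but_expired` means the key is right and only the lifetime check fails.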
                • R
                  raghebmichael
                  last edited by 14 Jul 2020, 02:59

                  Thank you so much Dan, that was exactly the issue. I successfully verified a token with that secret. I appreciate it very much.

                  • D
                    dan
                    last edited by 14 Jul 2020, 12:58

                    Excellent, I'm glad you figured it out.

                    • B
                      bharath.yadavally @dan
                      last edited by 3 Jan 2023, 00:36

                      @dan How can I view RS256 secret?

                      It says "The private key is not viewable".

                      • D
                        dan @bharath.yadavally
                        last edited by 3 Jan 2023, 02:45

                        @bharath-yadavally You don't typically view the RS256 secret for a generated key.

                        If you must have access to that, generate the RS256 keypair outside of FusionAuth and import the keypair.


                        B 3 Replies Last reply 3 Jan 2023, 03:06 Reply Quote 0
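
Validating an RS256 token needs only the public half of the key pair; the private half matters to the issuer, which is why generating the pair yourself and importing it, as dan suggests, is the way to hold a copy. This is an added example, not code from the thread or from FusionAuth: it uses Ruby's standard OpenSSL bindings, checks the signature only (claims such as `exp` still need their own check), and the key pairs, key id and claims are constructed at run time.

```ruby
require 'openssl'
require 'json'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(segment)
  (segment.tr('-_', '+/') + '=' * ((4 - segment.length % 4) % 4)).unpack1('m')
end

# Generate the pair outside the identity provider. The private PEM is the half
# that gets imported and kept secret; verifiers only ever need the public PEM.
def generate_rs256_pair(bits = 2048)
  key = OpenSSL::PKey::RSA.generate(bits)
  { private_pem: key.to_pem, public_pem: key.public_key.to_pem }
end

# Stand-in for the token issuer, used here only to construct sample input.
def rs256_sign(claims, private_pem, kid)
  parts = [{ alg: 'RS256', typ: 'JWT', kid: kid }, claims]
  input = parts.map { |part| b64url_encode(JSON.generate(part)) }.join('.')
  sig = OpenSSL::PKey::RSA.new(private_pem).sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(sig)}"
end

# RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "header.payload".
# Pins the algorithm and refuses a PEM that contains private key material.
def rs256_valid?(token, public_pem)
  head, body, sig = token.split('.', -1)
  return false if token.count('.') != 2 || [head, body, sig].any?(&:empty?)
  return false unless JSON.parse(b64url_decode(head))['alg'] == 'RS256'
  key = OpenSSL::PKey::RSA.new(public_pem)
  raise ArgumentError, 'verifier was handed a private key' if key.private?
  key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{head}.#{body}")
rescue JSON::ParserError, OpenSSL::PKey::PKeyError
  false
end

# Constructed sample data: the issuing pair and a second, unrelated pair.
PAIR  = generate_rs256_pair
OTHER = generate_rs256_pair
TOKEN = rs256_sign({ sub: 'user-1', exp: 2_000_000_000 }, PAIR[:private_pem], 'demo')

p rs256_valid?(TOKEN, PAIR[:public_pem])
```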
                        • B
                          bharath.yadavally @dan
                          last edited by 3 Jan 2023, 03:06

                          @dan I forgot how I created my key in the first place. I imported a new one and am using the private key which I generated.

                          • B
                            bharath.yadavally @dan
                            last edited by 3 Jan 2023, 03:08

                            @dan Now I am able to validate the token using RS256.
                            But I am trying to figure out how I can add a user status of ACTIVE or INACTIVE to the JWT when it is first generated by FusionAuth.

                            I previously used Auth0, where we can add a JS script, like lambda functions, to add custom parameters to the JWT. Is that something I could do with FusionAuth?

                            • B
                              bharath.yadavally @dan
                              last edited by 3 Jan 2023, 03:17

                              @dan Discard my comment above regarding custom claims for JWT.

                              I found your post: https://fusionauth.io/community/forum/topic/65/how-does-one-add-custom-claims-to-the-jwt-issued-by-the-oauth-flow?_=1672715552700

                              Which should guide me through next steps. Thanks 👨‍💻

                              • D
                                dan @bharath.yadavally
                                last edited by 4 Jan 2023, 22:13

                                @bharath-yadavally Glad you're getting it figured out!

                                  • G
                                    grately47 @raghebmichael
                                    last edited by 30 Jan 2023, 08:18

                                    @raghebmichael said in Manually verifying a JWT:

                                    Something is very wrong. I don't know if this is something anybody else is facing, but I changed to an RS256 key and used the public key on jwt.io and it is still invalid. I cannot validate a JWT outside of /api/jwt/validate. This is a really big deal to me to be able to do something as simple as validating. Please let me know if I am in error, but if I can't get this to work I cannot continue using FusionAuth and that's a big bummer to me as I had high hopes for this service.


                                    This is exactly what I was looking for to solve my problem.
                                    Thank you very much.
