Manually verifying a JWT

raghebmichael · 11 Jul 2020, 22:13

Something is very wrong. I don't know if this is something anybody else is facing, but I changed to a RS256 key and used the public key on jwt.io and it is still invalid. I cannot validate a JWT outside of /api/jwt/validate. This is a really big deal to me to be able to do something as simple as validating. Please let me know if I am in error, but if I can't get this to work I cannot continue using fusionauth and that's a big bummer to me as I had high hopes for this service.

dan · 12 Jul 2020, 00:54

Hmmm. I'll take a look on Monday.

dan · 3 Jan 2023, 00:36

Hiya,

I was able to successfully decode a JWT. From reviewing this thread, I think maybe the issue is that you are using the wrong secret. It seems like you might have accidentally been using the id of the signing key '1c8e490a-4972-7d73-8935-06621a0a6441' instead of the actual secret key.

Here's how I found my secret key:

go to settings
go to keymaster
click on the green magnifying glass icon to view the default key
click on click here to see the secret.

My secret looked something like this: n0EfufcUAuYM6199G3ffRp+YUVMPodabtlI/wT8oBYc=.

Can you try validating your JWT with the secret found through those steps and let me know how it goes?

raghebmichael · 14 Jul 2020, 02:59

Thank you so much Dan, that was exactly the issue. I successfully verified a token with that secret. I appreciate it very much.

dan · 14 Jul 2020, 12:58

Excellent, I'm glad you figured it out.

bharath.yadavally · 3 Jan 2023, 00:36

@dan How can I view RS256 secret?

It says The private key is not viewable

dan · 3 Jan 2023, 02:45

@bharath-yadavally You don't typically view the RS256 secret for a generated key.

If you must have access to that, generate the RS256 keypair outside of FusionAuth and import the keypair.

bharath.yadavally · 3 Jan 2023, 03:06

@dan I forgot how I created my key at first place, imported a new one and using private key which I generated.

bharath.yadavally · 3 Jan 2023, 03:08

@dan Now I am able to validate the token using RS256.
But, trying to figure out how can I add a user status ACTIVE or INACTIVE to jwt token when generated first time by fusionauth.

I previously used auth0 where we can add a js script like lambda functions to add custom parameters to jwt. Is something I could do with fusionauth?

bharath.yadavally · 3 Jan 2023, 03:17

@dan Discard my comment above regarding custom claims for JWT.

I found your post: https://fusionauth.io/community/forum/topic/65/how-does-one-add-custom-claims-to-the-jwt-issued-by-the-oauth-flow?_=1672715552700

Which should guide me through next steps. Thanks

dan · 4 Jan 2023, 22:13

@bharath-yadavally Glad you're getting it figured out!

austinpatrick711 · 16 Jan 2023, 09:13

This post is deleted!

grately47 · 30 Jan 2023, 08:18

@raghebmichael said in Manually verifying a JWT:

Something is very wrong. I don't know if this is something anybody else is facing, but I changed to a RS256 key and used the public key on jwt.io and it is still invalid. I cannot validate a JWT outside of /api/jwt/validate. This is a really big deal to me to be able to do something as simple as validating. Please let me know if I am in error, but if I can't get this to work I cannot continue using fusionauth and that's a big bummer to me as I had high hopes for this service.

This is exactly what I was looking for to solve my problem.
Thank you very much.