JWS signature is invalid

Trying to process a token + secret.
On jwt.io the token looks fine and is verified.

    var FLocalSecret := TEncoding.UTF8.GetBytes(LocalSecret);
    var JWT := TJOSE.DeserializeOnly(Token);

    try
      var Builder: IJOSEConsumerBuilder;

      // The claims read here are not verified yet; they only select which key to verify against
      if (assigned(JWT.Claims.JSON.Values['TYPE']) and (JWT.Claims.JSON.Values['TYPE'].AsType<string> = 'LOC')) then
      begin
        // Build consumer for LocalSecret
        Builder := TJOSEConsumerBuilder.NewConsumer.SetVerificationKey
          (FLocalSecret).SetExpectedAlgorithms([TJOSEAlgorithmId.HS256]);
      end
      else
      begin
        // Build consumer for AppSecret
      end;

      Builder.SetAllowedClockSkew(0, TJOSETimeUnit.Seconds);

      Builder.SetRequireIssuedAt;

      var Consumer := Builder.Build;
      Consumer.Process(Token); // <<< JWS signature is invalid: ..
    finally
      // Release the token object returned by DeserializeOnly
      JWT.Free;
    end;

However, I receive the following error message: “JWS signature is invalid: ..”

Sample project
TokenTest.zip (5.9 KB)

What am I doing wrong?

The token is not fine and not verified on jwt.io. The correct signature of the token using the secret in the sample code is -6SXrmN7oegOPQsJTHgrEOwqPK3xXeQ5Qut2Btrsv9s.

The token you are testing has a signature for an empty secret, which is not secure.
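
The check the reply describes, as an added example that is not part of the original thread and is not code from the library: recompute the HS256 signature over `header.payload` with the expected secret and compare it with the token's third segment, then repeat with an empty key only to tell this specific mistake apart from other failures. The token, claims and secret are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_signature(signing_input: str, secret: bytes) -> str:
    """HMAC-SHA256 over 'header.payload', base64url-encoded."""
    mac = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256)
    return b64url(mac.digest())


def diagnose(token: str, secret: bytes) -> str:
    """Return 'valid', 'signed-with-empty-secret' or 'invalid' for an HS256 token."""
    parts = token.split(".")
    if len(parts) != 3:
        return "invalid"
    signing_input = parts[0] + "." + parts[1]
    presented = parts[2].encode("utf-8")
    expected = hs256_signature(signing_input, secret).encode("ascii")
    if hmac.compare_digest(presented, expected):
        return "valid"
    # Diagnostic only: a match here means the issuer signed with no secret at all.
    empty = hs256_signature(signing_input, b"").encode("ascii")
    if hmac.compare_digest(presented, empty):
        return "signed-with-empty-secret"
    return "invalid"


def make_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token for the demonstration."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(enc)
    return signing_input + "." + hs256_signature(signing_input, secret)


# Constructed sample values, not the token or secret from the thread.
SECRET = b"constructed-demo-secret"
CLAIMS = {"TYPE": "LOC", "iat": 1700000000}
GOOD = make_token(CLAIMS, SECRET)
EMPTY = make_token(CLAIMS, b"")

if __name__ == "__main__":
    print(diagnose(GOOD, SECRET), diagnose(EMPTY, SECRET))
```

A token that only verifies when the secret field of a debugger is left blank produces the second result, and a consumer configured with the real secret rejects it.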
