#1 2018-07-04 12:07:22

zensan
Member
Registered: 2015-07-29
Posts: 12

Invalid signature when verifying TJWTHS256

Hello!

We are trying to start using the TJWTHS256 classes. But we immediately faced an issue when trying to verify the generated tokens in an ASP.NET or .NET application.

So I tried the following and that works fine in the code:

var
  LToken: TJWTAbstract;
  LTokenText: RawUTF8;
...
  LToken := TJWTHS256.Create('The secret password', 0, [jrcIssuer, jrcSubject, jrcIssuedAt, jrcJwtID], []);
  LTokenText := LToken.Compute(['http://www.ourdomain.com', True], 'Issuer', 'subject', '', 0);
  Result := LToken.VerifyPayload(LTokenText, 'subject', 'Issuer', '') = jwtValid;
...
Result in the Delphi app is True. So if I understood correctly - the VerifyPayload method returns true. And also we can see in the generated token that there is a signature in the end.

But when we try to validate the given token outside of Delphi and mORMot world it always says "Invalid signature"!

For example: https://www.jsonwebtoken.io/ parses all the data, but says that the signature is not valid (that also happens in other web-sites). We tried removing the expiration claim but that does not change anything.

Can you help us with understanding what we are doing wrong?

Thank you in advance!

Last edited by zensan (2018-07-04 12:07:39)


#2 2018-07-04 13:10:33

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659

Re: Invalid signature when verifying TJWTHS256

Encoding issue on the secret?
This parameter is passed directly as array of bytes if aSecretPBKDF2Rounds<=1.


#3 2018-07-10 09:54:08

zensan
Member
Registered: 2015-07-29
Posts: 12

Re: Invalid signature when verifying TJWTHS256

Thank you very much for the info. It worked fine in the end when using the same encoding on the .NET side, but it also required a minimal length of the secret key (it was too short for a 256 bit token :) ).
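
The cause and fix discussed in this thread, as an added Python example that is not code from the posts or from mORMot: HS256 is an HMAC-SHA256 over the exact key bytes, so the same password string encoded differently on the two sides produces a different signature. The claim values and the choice of UTF-16 for the mismatching side are assumptions; the 256-bit minimum key size is the requirement in RFC 7518 section 3.2.

```python
import base64
import hashlib
import hmac
import json

SECRET = "The secret password"  # secret string from the first post
CLAIMS = {"iss": "Issuer", "sub": "subject"}  # constructed sample claims

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_hs256(claims: dict, key: bytes) -> str:
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in parts)
    return signing_input + "." + b64url(hs256_mac(signing_input, key))

def verify_hs256(token: str, key: bytes) -> bool:
    try:
        signing_input, signature = token.rsplit(".", 1)
        header = json.loads(b64url_decode(signing_input.split(".")[0]))
        given = b64url_decode(signature)
        expected = hs256_mac(signing_input, key)
    except ValueError:  # malformed token, base64 or JSON
        return False
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    return hmac.compare_digest(expected, given)  # constant-time comparison

def key_long_enough(key: bytes) -> bool:
    # RFC 7518 section 3.2: an HS256 key must be at least 256 bits long.
    return len(key) * 8 >= 256

# Issuer side: the secret string is used as its UTF-8 bytes.
TOKEN = sign_hs256(CLAIMS, SECRET.encode("utf-8"))

if __name__ == "__main__":
    print("same bytes (UTF-8):   ", verify_hs256(TOKEN, SECRET.encode("utf-8")))
    print("other bytes (UTF-16): ", verify_hs256(TOKEN, SECRET.encode("utf-16-le")))
    print("secret is >= 256 bits:", key_long_enough(SECRET.encode("utf-8")))
```

The UTF-16 form of the same password is 38 bytes and would pass a length check, yet it still fails verification: both sides have to agree on the byte representation, not just on the text.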
