#1 2022-07-11 16:08:28

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 430

JWT from Mormot2 does not get verified in jwt.io & token.dev

I am using JWTs created with mORMot2 that get validated by mORMot2, and everything seems OK.
They are created by the following code:

var jw:TJWTAbstract;
jw:=TJwtHS512.Create('Alibaba et 40 voleurs', 60000, [jrcIssuer, jrcSubject, jrcExpirationTime], [], 50);
try  
  result:=jw.Compute(['id',pt.IDValue],'MyServer','user'); 
finally 
  jw.Free; 
end;

The validation is done with one line code:

srv.JwtForUnauthenticatedRequest:=TJwtHS512.Create('Alibaba et 40 voleurs', 60000, [jrcIssuer, jrcSubject, jrcExpirationTime], [], 50);

The above works.

Out of curiosity, I copied the created JWT into the evaluation web pages at jwt.io & token.dev, and the signature is shown as invalid.
I tried with 0 aSecretPbkdf2Round and with an empty password, or by entering the password in jwt.io, but the signature is always invalid.
Is there a mistake on my side in mORMot2?

Offline

#2 2022-07-11 20:26:38

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: JWT from Mormot2 does not get verified in jwt.io & token.dev

Our HMAC SHA-512 is tested against reference vectors, so I guess it is correct.

It is likely a password derivation issue.
Jwt.io and token.dev do not derive the secret from the password in the same way mORMot does.

Offline
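
An added illustration of the reply above (not part of the thread and not mORMot code): an HS512 token signed with a key derived from the password fails verification in any tool that uses the password bytes directly as the HMAC key, and verifies once the same derived key is supplied. The KDF (PBKDF2-HMAC-SHA512), the salt, the key length and the "id" value are assumptions made for the demo; the thread does not state mORMot's actual derivation parameters.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs512(key: bytes, payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha512).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_hs512(key: bytes, token: str) -> bool:
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return False
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha512).digest()
    return hmac.compare_digest(sig, expected)

def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    # Assumed KDF parameters for illustration only, not mORMot's.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=64)

PASSWORD = "Alibaba et 40 voleurs"  # password string from the first post
ROUNDS = 50                         # last constructor argument in the first post
SALT = b"constructed-demo-salt"     # constructed value

def demo() -> dict:
    derived = derive_key(PASSWORD, SALT, ROUNDS)
    # Constructed payload; "id": 1 stands in for pt.IDValue.
    token = sign_hs512(derived, {"iss": "MyServer", "sub": "user", "id": 1})
    return {
        # What an online debugger does when the password is typed in as the secret.
        "raw_password": verify_hs512(PASSWORD.encode("utf-8"), token),
        # What a verifier does when it repeats the signer's derivation.
        "derived_key": verify_hs512(derived, token),
        # Same password, different salt: a different key, so also invalid.
        "wrong_salt": verify_hs512(derive_key(PASSWORD, b"other-salt", ROUNDS), token),
    }

if __name__ == "__main__":
    print(demo())
```

An "invalid signature" result from a third-party tool therefore only shows that the tool used a different key; it does not by itself indicate a broken HMAC or a forgeable token.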

#3 2022-07-12 06:23:35

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 430

Re: JWT from Mormot2 does not get verified in jwt.io & token.dev

It is OK. I was anxious that something was missing and that I had a fake authentication from JWT and mORMot2.
Thank you @ab

Offline
