"JsonWebTokenError: invalid signature" when verifying JWT signed with Java JWT

[nodje]

I use https://github.com/jwtk/jjwt to encode and sign a token as follow:

    Jwts.builder()
        .setSubject(authentication.getName())
        .claim(AUTHORITIES_KEY, authorities)
        .signWith(SignatureAlgorithm.HS512, "my-secret-token-to-change-in-production")
        .setExpiration(validity)
        .compact();

then decode in node.js as follow:

var decoded = jwt.verify(req.get('Authorization'), 'my-secret-token-to-change-in-production', { algorithms: ['HS512'] });

and get the error:

JsonWebTokenError: invalid signature

Using jwt.decode I get the token content without problem.

Am I doing something wrong?

[omsmith]

I'd love to give you a hand with this. Would you be able to provide an example token and the secret you used to sign it so I can take a look. With what you've provided, hard to say - from looking at jjwt your example should be throwing since "my-secret-token-to-change-in-production" is not base64.

[nodje]

hum, the base64 issue sounds like a good lead, but I couldn't verify the signature with the secret encoded in base64 like this:
var decoded = jwt.verify(req.get('Authorization'), new Buffer('my-secret-token-to-change-in-production').toString('base64'), { algorithms: ['HS512'] });
Here's a token generated by jjwt with my favorite secret my-secret-token-to-change-in-production:
eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImF1dGgiOiJST0xFX0FETUlOLFJPTEVfVVNFUiIsImV4cCI6MTQ2Nzc3MzQ5Nn0.v0Gfc9fKDQfkDningjmObkD5-EcbfWy5vuvuOimTV032iCoOaaQtCsZxQC78JbLbeQNLUA3UaQnuLgvwwqLmIg

[DaleWebb]

I'm having the same problem with these libraries.

I used the debugger at jwt.io to decode it, which gave the option to provide the secret as base64 - which worked on the debugger, but not in my program.

However, I couldn't get the debugger to work with your values, @nodje

[michaelcbarr]

Did anyone get a solution to this yet? I am signing the JWT in Java (io.jsonwebtoken) and trying to "unsign" using this npm library in a separate node.js app. As already mentioned by others, the token decodes fine, so obviously the data has not been corrupted - it just seems that the sign/unsign procedures do not match up.

[omsmith]

@DaleWebb @michaelcbarr would either of you be able to provide some actual code you're trying to do this with?

[michaelcbarr]

no problem - this was borrowed form a tutorial - can't find the link but will credit if I find it :D

var jwt = require('jsonwebtoken');
jwt.verify(token, superSecret, function(err, decoded) {
                if (err) {
                    return res.json({ success: false, message: 'Failed to authenticate token.' });
                } else {
                    // if everything is good, save to request for use in other routes
                    req.decoded = decoded;
                    next();
                }
            });

The token is created in Java with code similar to this:

private String generateToken(Map<String, Object> claims) {
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(this.generateExpirationDate())
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
   }

[omsmith]

@michaelcbarr Might you be able to provide the java code where you're signing?

[michaelcbarr]

added above!

[michaelcbarr]

NB: I have tried SignatureAlgorithm.HS256 but makes no difference

[DaleWebb]

@michaelcbarr No, I haven't found a solution to this

[michaelcbarr]

@omsmith Can you send me a test token which works for you? I tried the one above with that secret but no luck!

Me neither @DaleWebb - have you tried any other workarounds? I had thought about manually encrypting the token and use the decode function rather than verify but it seems hacky :(

[DaleWebb]

private static String generateToken(Account account, App app) {
        return Jwts.builder()
            .setSubject(account.getId())
            .claim("app_id", app.getSlug())
            .setExpiration(new Date(new Date().getTime() + TOKEN_LIFETIME))
            .signWith(SignatureAlgorithm.HS512, PersonaApplication.getSecret())//the secret is a String, not base64 encoded.
            .compact();
    }

[DaleWebb]

@michaelcbarr If I cannot get a solution before we have to ship the feature, I'm going to create a route on the gateway that creates the token to give the information back.

[omsmith]

@nodje @DaleWebb @michaelcbarr

I'm not going to take the time to dig into exactly what the java library is doing by default (I don't work with Java usually, needed to install Eclipse and figure and Maven and things :)). However, the issue is the string secret. By calling getBytes("UTF-8") on your secret and providing signWith() with the byte[], everything will work out.

package jwt_test.foo;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.io.UnsupportedEncodingException;
import java.util.Date;

/**
 * Hello world!
 *
 */
public class App 
{
    private static String SECRET = "HelloWorld!";

    public static void main( String[] args ) throws UnsupportedEncodingException
    {
        System.out.println( makeToken() );
    }

    private static String makeToken() throws UnsupportedEncodingException {
        return Jwts.builder()
                .setSubject("foo")
                .claim("bar", "baz")
                .signWith(SignatureAlgorithm.HS512, SECRET.getBytes("UTF-8"))
                .compact();
    }
}

'use strict';

const JWT = require('jsonwebtoken');

const SECRET = 'HelloWorld!';
const JAVA_JWT = 'eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJmb28iLCJiYXIiOiJiYXoifQ.1MOXGiwGTFLU7-YMvOe2_q2ZRUHAMCVS7pbnOkRKCFV1HIvY8odBaqWVCQRuT2RUbKtGgA2elFRsuka4K1KP7A';

JWT.verify(JAVA_JWT, SECRET, { algorithms: ['HS512'] })

[michaelcbarr]

@DaleWebb @omsmith

AWESOME WORK!

I can confirm that this works perfectly for me - just need to remember to convert the SECRET string to bytes on Java verify method.

claims = Jwts.parser()
                    .setSigningKey(secret.getBytes("UTF-8"))
                    .parseClaimsJws(token)
                    .getBody();

(Also need to catch the UnsupportedEncodingException!)

Think I would still be scratching my head next month without your help - thanks again @omsmith !

Mb