Comments (20)

abatishchev commented on May 25, 2024

Hi,
You don't need to manually verify the exp/nbf claims on the token. You should try to decode it, and if it works and doesn't throw any exceptions, then it's valid. See https://github.com/jwt-dotnet/jwt#parsing-decoding-and-verifying-token

Also, JwtDecoder exposes some methods you can call to verify the token:

public void Validate(string[] parts, byte[] key) =>

Note that they aren't part of the IJwtDecoder interface though.

from jwt.
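The behaviour described above (let Decode() enforce exp/nbf instead of re-checking them by hand), as an added example that is not part of the original thread or of the jwt-dotnet documentation. It assumes jwt-dotnet 10.x with its default JSON serializer, uses HS256 with a constructed secret so no key material is needed, and computes the NumericDate by hand because DateTimeOffset.ToUnixTimeSeconds does not exist on .NET 3.5. The last case feeds exp as an ISO-8601 string, which is what the token posted later in this thread carries (its payload decodes to {"exp":"2023-01-17T07:51:44.48228+00:00"}); RFC 7519 requires exp and nbf to be NumericDate values (seconds since the Unix epoch), so the validator rejects it.

```csharp
using System;
using System.Text;
using JWT.Algorithms;
using JWT.Builder;
using JWT.Exceptions;

static class ClaimValidationDemo
{
    // Constructed demo secret. A real HS256 key must be random and at least 256 bits.
    static readonly byte[] Secret = Encoding.UTF8.GetBytes("demo-secret-do-not-use-in-production-0123456789");

    // RFC 7519 NumericDate: whole seconds since 1970-01-01T00:00:00Z.
    static long ToNumericDate(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Mints a token with whatever exp/nbf values the caller passes, so that the
    // wrong-typed case can be produced as well as the correct ones.
    static string Mint(object exp, object nbf)
    {
        return JwtBuilder.Create()
            .WithAlgorithm(new HMACSHA256Algorithm())
            .WithSecret(Secret)
            .AddClaim("exp", exp)
            .AddClaim("nbf", nbf)
            .AddClaim("sub", "user-42")
            .Encode();
    }

    // Decode() verifies the signature first and then exp/nbf; there is nothing to check by hand.
    // TokenExpiredException and TokenNotYetValidException derive from SignatureVerificationException,
    // so the specific handlers must come before the general one.
    static string TryDecode(string token)
    {
        try
        {
            string json = JwtBuilder.Create()
                .WithAlgorithm(new HMACSHA256Algorithm())
                .WithSecret(Secret)
                .MustVerifySignature()
                .Decode(token);
            return "valid: " + json;
        }
        catch (TokenExpiredException) { return "rejected: exp is in the past"; }
        catch (TokenNotYetValidException) { return "rejected: nbf is in the future"; }
        catch (SignatureVerificationException ex) { return "rejected: " + ex.Message; }
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;

        // Good token: exp one hour ahead, nbf one minute in the past.
        Console.WriteLine(TryDecode(Mint(ToNumericDate(now.AddHours(1)), ToNumericDate(now.AddMinutes(-1)))));

        // Expired: exp one minute in the past.
        Console.WriteLine(TryDecode(Mint(ToNumericDate(now.AddMinutes(-1)), ToNumericDate(now.AddHours(-1)))));

        // Not yet valid: nbf one hour ahead.
        Console.WriteLine(TryDecode(Mint(ToNumericDate(now.AddHours(2)), ToNumericDate(now.AddHours(1)))));

        // Wrong claim type: exp as an ISO-8601 string instead of a NumericDate.
        // The validator cannot compare it with the current time and rejects the token
        // even though the signature is valid.
        Console.WriteLine(TryDecode(Mint(now.AddHours(1).ToString("o"), ToNumericDate(now.AddMinutes(-1)))));
    }
}
```

The exact message for the string-typed exp depends on the library version, so the example catches the base SignatureVerificationException for it rather than matching text. The fix on the issuing side is to emit exp and nbf as integers, not as formatted dates.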

abatishchev commented on May 25, 2024

So I can look deeper into the issue, please provide:

  • the version of the library
  • target framework of your application
  • full stack trace

abatishchev commented on May 25, 2024

Ping on the ^

Sakhjen commented on May 25, 2024

@abatishchev hi again!

  • Newest version of the library from GitHub: 20230105.4
  • .NET 3.5
  • ASP.NET Web API that provides some data from Axapta 2009 through the Business Connector (that's why only .NET 3.5; the BC does not work on newer versions with AX 2009)

abatishchev commented on May 25, 2024

> 20230105.4

That's the release number. The library version is 10.0.0.
Can you please try the previous stable version 9.0.3? Would it fail with the same error?

The issue might come from Axapta that sends incorrect JWT. Can you share it?

Ideally, share a minimal repo: a project with some code and a token that would fail with the said exception.

Also provide full exception stack trace anyway.

Sakhjen commented on May 25, 2024

> > 20230105.4
>
> That's the release number. The library version is 10.0.0. Can you please try the previous stable version 9.0.3? Would it fail with the same error?
> The issue might come from Axapta that sends incorrect JWT. Can you share it?
> Ideally, share a minimal repo: a project with some code and a token that would fail with the said exception.
> Also provide full exception stack trace anyway.

AxaptaAPI.zip

Axapta doesn't pass any token; it comes from the user's request header. You can get it at /getToken. The project is very raw; that's my first try at ASP.NET.

The error has changed, now it's "The signature is invalid according to the validation procedure.", I don't know why. Maybe my RSA usage is wrong.

Stack trace:

[SignatureVerificationException: The signature is invalid according to the validation procedure.]
JWT.JwtValidator.Validate(String decodedPayload, IAsymmetricAlgorithm alg, Byte[] bytesToSign, Byte[] decodedSignature) +133
JWT.JwtDecoder.Validate(JwtParts jwt, Byte[][] keys) +972
JWT.JwtDecoder.Decode(JwtParts jwt, Byte[][] keys, Boolean verify) +366
JWT.JwtDecoderExtensions.Decode(IJwtDecoder decoder, String token, Byte[][] keys, Boolean verify) +120
JWT.Builder.JwtBuilder.Decode(String token) +138
AxaptaAPI.Models.TokenService.verifyToken(String token) in C:\Users\Evgeny.Kudryavtsev\Documents\Visual Studio 2010\Projects\AxaptaAPI\AxaptaAPI\Models\AccountModels.cs:206
AxaptaAPI.Controllers.HomeController.InventSum(InventSumParameter _parm) in C:\Users\Evgeny.Kudryavtsev\Documents\Visual Studio 2010\Projects\AxaptaAPI\AxaptaAPI\Controllers\HomeController.cs:28
lambda_method(Closure , ControllerBase , Object[] ) +91
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +266
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +35
System.Web.Mvc.<>c__DisplayClassd.b__a() +80
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +466
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +648
System.Web.Mvc.Controller.ExecuteCore() +146
System.Web.Mvc.<>c__DisplayClass8.b__4() +56
System.Web.Mvc.Async.<>c__DisplayClass1.b__0() +25
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +48
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +431
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +158

abatishchev commented on May 25, 2024

I would need to see the token in order to debug further.

Sakhjen commented on May 25, 2024

> I would need to see the token in order to debug further.

Here it is:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOiIyMDIzLTAxLTE3VDA3OjUxOjQ0LjQ4MjI4KzAwOjAwIn0.DK3vG3xZ12N-rQj1eI7DbSH7jb6VSJFIZSTzZUd80ryqKOwLz0G1RBKs0S00OHWzd_gw3W8K0fiLubh_fjuY6o6lbhypVDB83cPi4DeVWJFPavgOLolmCcs6u9qYSPfQYxjoN5aBkluLFncSN1cStjerX2TovYS42sCHYBhYF1CVMaSDUG-BMHpP1zEv74jiRKiHVuOeEyOub3XG9BCOVY2PoSBxG_Q91QuIHRrlevru0F-zrLSOSjIB9GFwP2z-GcpsjvtAYkj4i9SiN1_GN7ZgIxcju5SKBefMkuQRh4_t1opffiTgUsI7zDCF3uZgRe06Jlnh00ggrVtdF2ycIg

abatishchev commented on May 25, 2024

Ah, sorry, you've provided it earlier already.

What happens if you put it into https://jwt.io? Would it be able to decode and verify the signature?

Sakhjen commented on May 25, 2024

> eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOiIyMDIzLTAxLTE3VDA3OjUxOjQ0LjQ4MjI4KzAwOjAwIn0.DK3vG3xZ12N-rQj1eI7DbSH7jb6VSJFIZSTzZUd80ryqKOwLz0G1RBKs0S00OHWzd_gw3W8K0fiLubh_fjuY6o6lbhypVDB83cPi4DeVWJFPavgOLolmCcs6u9qYSPfQYxjoN5aBkluLFncSN1cStjerX2TovYS42sCHYBhYF1CVMaSDUG-BMHpP1zEv74jiRKiHVuOeEyOub3XG9BCOVY2PoSBxG_Q91QuIHRrlevru0F-zrLSOSjIB9GFwP2z-GcpsjvtAYkj4i9SiN1_GN7ZgIxcju5SKBefMkuQRh4_t1opffiTgUsI7zDCF3uZgRe06Jlnh00ggrVtdF2ycIg

Nope, it says "invalid signature". I was thinking only I could decode this token because of RSA. Why can everybody decode a signed token?

abatishchev commented on May 25, 2024

No one other than whoever possesses the public key can validate. You need to supply it to the tool.

Sakhjen commented on May 25, 2024

> No one other than whoever possesses the public key can validate. You need to supply it to the tool.

I already supplied this. But jwt.io can get the payload without any keys.

abatishchev commented on May 25, 2024

The token is visible to everyone; both the header and the payload are just base64-encoded JSON objects. The signature is base64-encoded binary data which prevents tampering with (modifying, faking) the payload.

To hide the token you need to use JWE (encoded JWT); this library doesn't support it though.

Sakhjen commented on May 25, 2024

OK, I got it. Did you try to run it? I don't understand what I'm doing wrong.

Sakhjen commented on May 25, 2024

Changed some code and now getting the error:
Invalid algorithm specified.

At this place (decoding token):

string json = JwtBuilder.Create()
                     .WithAlgorithm(new RS256Algorithm(this.rsa))
                     .MustVerifySignature()
                     .Decode(token);

abatishchev commented on May 25, 2024

The algorithm's "bitness" must match the secret's; try using other, higher values.

Also try to construct an X509Certificate2 object and pass it to the algorithm's ctor.

Sakhjen commented on May 25, 2024

I did as you told me (bitness is 2048):

rsa = new RSACryptoServiceProvider(2048, cp);

IJsonSerializer serializer = new JsonNetSerializer();
IDateTimeProvider provider = new UtcDateTimeProvider();
IJwtValidator validator = new JwtValidator(serializer, provider);
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtAlgorithm algorithm = new RS2048Algorithm(rsa);
IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);

var json = decoder.Decode(token);

And I'm still getting this error.

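An added example, not code from this thread or from jwt-dotnet itself, that covers the two points still open above: why the payload is readable without any key while the signature still detects tampering, and how to construct the RSA key on .NET Framework so that SHA-256 signing and verification work at all. RSACryptoServiceProvider throws CryptographicException "Invalid algorithm specified" when it is backed by the default CSP provider type (PROV_RSA_FULL, 1), which has no SHA-2 support; PROV_RSA_AES (24) does, and the key size is not the problem. The CspParameters here are hypothetical (an ephemeral key with no container name); if you persist a key in a named container, keep your container name and set ProviderType to 24. The base64url helpers are local to the example, and the unverified decode is shown only to illustrate that the payload is not secret; never accept a token that way.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using JWT.Algorithms;
using JWT.Builder;
using JWT.Exceptions;

static class Rs256Demo
{
    // CSP provider type with SHA-2 support. new CspParameters() defaults to PROV_RSA_FULL (1),
    // which makes RS256 fail with "Invalid algorithm specified".
    const int PROV_RSA_AES = 24;

    // RFC 7519 NumericDate: whole seconds since the Unix epoch (no ToUnixTimeSeconds on .NET 3.5).
    static long ToNumericDate(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Hypothetical ephemeral signing key; a real service would load one from a container or certificate.
    static RSACryptoServiceProvider NewPrivateKey()
    {
        var cp = new CspParameters(PROV_RSA_AES);
        var rsa = new RSACryptoServiceProvider(2048, cp);
        rsa.PersistKeyInCsp = false;
        return rsa;
    }

    // Public-only copy: this is all a verifier (your API, or jwt.io) needs, and it cannot sign.
    static RSACryptoServiceProvider PublicOnly(RSACryptoServiceProvider priv)
    {
        var pub = new RSACryptoServiceProvider(new CspParameters(PROV_RSA_AES));
        pub.PersistKeyInCsp = false;
        pub.ImportParameters(priv.ExportParameters(false));
        return pub;
    }

    static string Verify(RSA publicKey, string token)
    {
        try
        {
            return "valid: " + JwtBuilder.Create()
                .WithAlgorithm(new RS256Algorithm(publicKey)) // public key only
                .MustVerifySignature()
                .Decode(token);
        }
        catch (SignatureVerificationException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        using (RSACryptoServiceProvider priv = NewPrivateKey())
        using (RSACryptoServiceProvider pub = PublicOnly(priv))
        {
            string token = JwtBuilder.Create()
                .WithAlgorithm(new RS256Algorithm(pub, priv))
                .AddClaim("exp", ToNumericDate(DateTime.UtcNow.AddHours(1))) // NumericDate, not an ISO string
                .AddClaim("sub", "user-42")
                .Encode();

            // 1. Header and payload are base64url JSON: anyone can read them with no key at all.
            Console.WriteLine(JwtBuilder.Create().DoNotVerifySignature().Decode(token));

            // 2. Verification needs the public key, never the private one.
            Console.WriteLine(Verify(pub, token));

            // 3. Tampering: rewrite one payload claim but keep the original signature.
            string[] parts = token.Split('.');
            string payloadJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[1])).Replace("user-42", "admin-1");
            string forged = parts[0] + "." + Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson)) + "." + parts[2];
            Console.WriteLine(Verify(pub, forged)); // "The signature is invalid according to the validation procedure."
        }
    }

    // base64url (RFC 4648 section 5) without padding, as used by JWS.
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);
    }

    static string Base64UrlEncode(byte[] b)
    {
        return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}
```

jwt.io reports "Invalid Signature" for an RS256 token until the matching public key (PEM) is pasted into its verification box, while it still displays the decoded payload, which is what the thread observed. If the payload itself must stay confidential, it has to be encrypted: that is JWE (JSON Web Encryption, RFC 7516), which jwt-dotnet does not implement.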
abatishchev commented on May 25, 2024

Please try something similar to #445 (comment), i.e. iterate over all possible values.

abatishchev commented on May 25, 2024

@Sakhjen let me know if you gave the suggestion above a try and/or need any more assistance.
