Comments (20)
Hi,
You don't need to manually verify the exp/nbf claims on the token. You should try to decode it - and if it works and doesn't throw any exceptions, then it's valid. See https://github.com/jwt-dotnet/jwt#parsing-decoding-and-verifying-token
Also, JwtDecoder exposes some methods you can call to verify the token:
Line 200 in a1204da
Note that they aren't part of the IJwtDecoder interface though.
from jwt.
So I could look deeper into the issue, please provide:
- the version of the library
- target framework of your application
- full stack trace
from jwt.
Ping on the ^
from jwt.
@abatishchev hi again!
- Newest version of library from github - 20230105.4
- .NET 3.5
- ASP.NET web API that provides some data from Axapta 2009 through business connector (that's why only .NET 3.5 - bc is not working at newer version with ax 2009)
from jwt.
20230105.4
That's the release number. The library version 10.0.0.
Can you please try the previous stable version 9.0.3? Would it fail with the same error?
The issue might come from Axapta that sends incorrect JWT. Can you share it?
Ideally, share a minimal repo: a project with some code and a token that would fail with the said exception.
Also provide full exception stack trace anyway.
from jwt.
20230105.4
That's the release number. The library version 10.0.0. Can you please try the previous stable version 9.0.3? Would it fail with the same error?
The issue might come from Axapta that sends incorrect JWT. Can you share it?
Ideally, share a minimal repo: a project with some code and a token that would fail with the said exception.
Also provide full exception stack trace anyway.
AxaptaAPI.zip
Axapta doesn't pass any token, that's coming from the user request header. You can get it at /getToken. Project is very raw, that's my first try at ASP.NET
Error is changed, now that's "The signature is invalid according to the validation procedure.", I don't know why. Maybe my RSA usage is wrong.
from jwt.
20230105.4
That's the release number. The library version 10.0.0. Can you please try the previous stable version 9.0.3? Would it fail with the same error?
The issue might come from Axapta that sends incorrect JWT. Can you share it?
Ideally, share a minimal repo: a project with some code and a token that would fail with the said exception.
Also provide full exception stack trace anyway.
AxaptaAPI.zip
Axapta doesn't pass any token, that's coming from the user request header. You can get it at /getToken. Project is very raw, that's my first try at ASP.NET
Error is changed, now that's "The signature is invalid according to the validation procedure.", I don't know why. Maybe my RSA usage is wrong.
Stack trace:
[SignatureVerificationException: The signature is invalid according to the validation procedure.]
JWT.JwtValidator.Validate(String decodedPayload, IAsymmetricAlgorithm alg, Byte[] bytesToSign, Byte[] decodedSignature) +133
JWT.JwtDecoder.Validate(JwtParts jwt, Byte[][] keys) +972
JWT.JwtDecoder.Decode(JwtParts jwt, Byte[][] keys, Boolean verify) +366
JWT.JwtDecoderExtensions.Decode(IJwtDecoder decoder, String token, Byte[][] keys, Boolean verify) +120
JWT.Builder.JwtBuilder.Decode(String token) +138
AxaptaAPI.Models.TokenService.verifyToken(String token) in C:\Users\Evgeny.Kudryavtsev\Documents\Visual Studio 2010\Projects\AxaptaAPI\AxaptaAPI\Models\AccountModels.cs:206
AxaptaAPI.Controllers.HomeController.InventSum(InventSumParameter _parm) in C:\Users\Evgeny.Kudryavtsev\Documents\Visual Studio 2010\Projects\AxaptaAPI\AxaptaAPI\Controllers\HomeController.cs:28
lambda_method(Closure , ControllerBase , Object[] ) +91
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +266
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +35
System.Web.Mvc.<>c__DisplayClassd.b__a() +80
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +466
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +648
System.Web.Mvc.Controller.ExecuteCore() +146
System.Web.Mvc.<>c__DisplayClass8.b__4() +56
System.Web.Mvc.Async.<>c__DisplayClass1.b__0() +25
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +48
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +431
System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +75
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +158
from jwt.
I would need to see the token in order to debug further.
from jwt.
I would need to see the token in order to debug further.
Here it is:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOiIyMDIzLTAxLTE3VDA3OjUxOjQ0LjQ4MjI4KzAwOjAwIn0.DK3vG3xZ12N-rQj1eI7DbSH7jb6VSJFIZSTzZUd80ryqKOwLz0G1RBKs0S00OHWzd_gw3W8K0fiLubh_fjuY6o6lbhypVDB83cPi4DeVWJFPavgOLolmCcs6u9qYSPfQYxjoN5aBkluLFncSN1cStjerX2TovYS42sCHYBhYF1CVMaSDUG-BMHpP1zEv74jiRKiHVuOeEyOub3XG9BCOVY2PoSBxG_Q91QuIHRrlevru0F-zrLSOSjIB9GFwP2z-GcpsjvtAYkj4i9SiN1_GN7ZgIxcju5SKBefMkuQRh4_t1opffiTgUsI7zDCF3uZgRe06Jlnh00ggrVtdF2ycIg
from jwt.
Ah, sorry, you've provided it earlier already.
What happens if you put it into https://jwt.io? Would it be able to decode and verify the signature?
from jwt.
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOiIyMDIzLTAxLTE3VDA3OjUxOjQ0LjQ4MjI4KzAwOjAwIn0.DK3vG3xZ12N-rQj1eI7DbSH7jb6VSJFIZSTzZUd80ryqKOwLz0G1RBKs0S00OHWzd_gw3W8K0fiLubh_fjuY6o6lbhypVDB83cPi4DeVWJFPavgOLolmCcs6u9qYSPfQYxjoN5aBkluLFncSN1cStjerX2TovYS42sCHYBhYF1CVMaSDUG-BMHpP1zEv74jiRKiHVuOeEyOub3XG9BCOVY2PoSBxG_Q91QuIHRrlevru0F-zrLSOSjIB9GFwP2z-GcpsjvtAYkj4i9SiN1_GN7ZgIxcju5SKBefMkuQRh4_t1opffiTgUsI7zDCF3uZgRe06Jlnh00ggrVtdF2ycIg
Nope, it says invalid signature. I was thinking only I can decode this token because of RSA. Why can everybody decode a signed token?
from jwt.
No one other than who possesses the public key can validate. You need to supply it to the tool.
from jwt.
No one other than who possesses the public key can validate. You need to supply it to the tool.
I already supplied this. But jwt.io can get payload without any keys.
from jwt.
The token is visible to everyone, both the header and the payload are just base64-encoded JSON objects. The signature is base64-encoded binary data which prevents tampering with (modifying, faking) the payload.
To hide the token you need to use JWE (encoded JWT), this library doesn't support it though.
from jwt.
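Added example, not part of the original thread and not the library's code: the point made above (header and payload are readable by anyone, only the signature needs a key) shown by decoding the token posted in this thread with no key at all. The helper names `b64url_decode` and `inspect_jwt` are hypothetical; the check on `exp`/`nbf`/`iat` goes slightly beyond the thread and uses the RFC 7519 definition of those claims as NumericDate.

```python
import base64
import json

# Header and payload segments are copied from the token posted in this thread.
# The signature segment is a constructed placeholder: it is never inspected here.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9"
    ".eyJleHAiOiIyMDIzLTAxLTE3VDA3OjUxOjQ0LjQ4MjI4KzAwOjAwIn0"
    ".c2lnbmF0dXJlLXBsYWNlaG9sZGVy"
)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Read a compact JWS without any key. Nothing here verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    findings = []
    for claim in ("exp", "nbf", "iat"):
        value = payload.get(claim)
        # RFC 7519: these claims are NumericDate, a JSON number of seconds since epoch.
        is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
        if value is not None and not is_number:
            findings.append(f"{claim} is {type(value).__name__}, not a NumericDate")
    return {
        "header": header,
        "payload": payload,
        # The signature covers exactly these two segments, so any edit to the
        # readable payload invalidates it for whoever checks with the public key.
        "signing_input": parts[0] + "." + parts[1],
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_jwt(TOKEN), indent=2))
```

Treat anything read this way as untrusted until a decoder has verified the signature against the expected key and algorithm.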
OK, I got it. Did you try to run it? I don't understand what I'm doing wrong.
from jwt.
Changed some code and now getting the error:
Invalid algorithm specified.
At this place (decoding token):
string json = JwtBuilder.Create()
.WithAlgorithm(new RS256Algorithm(this.rsa))
.MustVerifySignature()
.Decode(token);
from jwt.
The algorithm's "bitness" must match the secret's, try using other, higher values.
Also try to construct an X509Certificate2 object and pass it to the algorithm's ctor.
from jwt.
I made like you told me (bitness is 2048):
rsa = new RSACryptoServiceProvider(2048, cp);
IJsonSerializer serializer = new JsonNetSerializer();
IDateTimeProvider provider = new UtcDateTimeProvider();
IJwtValidator validator = new JwtValidator(serializer, provider);
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtAlgorithm algorithm = new RS2048Algorithm(rsa);
IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithm);
var json = decoder.Decode(token);
And still getting this error.
from jwt.
Please try something similar to #445 (comment), i.e. iterate over all possible values.
from jwt.
@Sakhjen let me know if you gave a try to the suggestion above and/or need any more assistance.
from jwt.