
Comments (14)

etaty commented on June 3, 2024

@margussipria
Yeah, all the problems come from the line

case algo: JwtHmacAlgorithm => sign(data, new SecretKeySpec(bytify(key), algo.fullName), algo)

and the call to bytify (some keys are ISO-8859-1 encoded (jwt.io expects ISO) instead of UTF-8)

from jwt-scala.

mscharley commented on June 3, 2024

I have the inverse problem. I have a valid JWT created by another system that won't verify with this library. I'm using HS256.


pauldijou commented on June 3, 2024

I will need more input from both of you.

@simonezando Could you copy/paste the data / keys you are using in both jwt-scala and jwt.io that do not match?

@mscharley Could you copy/paste the token? And any other relevant stuff.


mscharley commented on June 3, 2024

JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.pdnRQDlXsa1c9PQGdQONnLZa8pGEZdZFOj-gjXHxF34

Signing key (base64 encoded):

1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp


mscharley commented on June 3, 2024

And just in case it matters, I was trying to validate it using jwt-json4s-jackson


margussipria commented on June 3, 2024

This bug has to do with stringify and the badly named bytify: they use UTF-8, and that adds extra chars when converting non-UTF-8 characters. The best option is to use the ISO-8859-1 charset, as it is an 8-bit charset and every byte is a valid char.

  import pdi.jwt.{JwtBase64, JwtUtils}

  // Auth0's secret is unpadded base64url; decode it to the raw key bytes.
  val secret = JwtBase64.decode("1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp")
  // bytes -> String -> bytes round trip (ScalaTest matcher syntax); fails with the UTF-8 default, passes with ISO-8859-1.
  JwtUtils.bytify(JwtUtils.stringify(secret)) should be (secret)

And here is longer test:

  import pdi.jwt.{JwtAlgorithm, JwtBase64, JwtUtils}

  // header.payload.signature of the token posted above, kept as separate segments
  val token = Seq(
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9",
    "eyJuYW1lIjoiTWF0dGhldyBTY2hhcmxleSIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vLVhkVUlxZE1rQ1dBL0FBQUFBQUFBQUFJL0FBQUFBQUFBQUFBLzQyNTJyc2NidjVNL3Bob3RvLmpwZyIsImVtYWlsIjoibWF0dGhldy5zY2hhcmxleUBlcXVpZW0uY29tLmF1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImFwcF9tZXRhZGF0YSI6eyJhdXRob3JpemF0aW9uIjp7Imdyb3VwcyI6WyJEYXRhYmFzZSBTZXJ2ZXIgQWNjZXNzIl19LCJwZ3BfcHVibGljX2tleXMiOlsiMjU2MTk3RTU5REVBNTY2RjI0MDAyMkQyRUI2MDM3NTM1NDFGREYzRiIsIkZEQjRGNjJFMjM2NzBEQTEwREU4QjdEQTZFRTQ0OTlFNDM1RkE1MkIiXX0sImlzcyI6Imh0dHBzOi8vZXF1aWVtLmF1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDExNTQ2MzM0MDE5ODc5NzI4MDUzNyIsImF1ZCI6ImFMcEdJUFFvRWdhb1N3QlpFTEhwS3Y4aHZySlFYNFRUIiwiZXhwIjoxNDY0MTgwNDA1LCJpYXQiOjE0NjQxNzY4MDV9",
    "pdnRQDlXsa1c9PQGdQONnLZa8pGEZdZFOj-gjXHxF34"
  )
  // raw key bytes from Auth0's base64url secret
  val secret = JwtBase64.decode("1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp")

  // mockTime and jwtJsonCommon are the test-suite fixtures this snippet relies on (a frozen clock and the
  // JSON binding under test); the clock is pinned to the token's iat so the exp check passes
  val mock = mockTime(1464176805)

  val data = token.take(2).mkString(".")       // signing input: header.payload
  val signature = token.drop(2).mkString(".")  // base64url signature segment

  // the key goes through stringify here, which is exactly where the UTF-8 round trip mangles it
  jwtJsonCommon.validate(token.mkString("."), JwtUtils.stringify(secret), Seq(JwtAlgorithm.HS256))

  //println(JwtUtils.verify(data, JwtBase64.decodeString(signature), JwtUtils.stringify(secret), JwtAlgorithm.HS256))

  mock.tearDown()


etaty commented on June 3, 2024

So I found my way in this F mess ...

Auth0 gives us a base64url

1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp

You can convert it to base64

1kHndxh2zXTK701QKx6B/CkzEu+orMR+TpvJXvlrjXg7maLf/1B7yegplt3EW9Mp

And then decode it as ISO-8859-1 (obviously GitHub's UTF-8 messes with it, but you can use an online decoder)

ÖAçw�vÍtÊïMP+��ü)3�館Ä~N�É^ùk�x;�¢ßÿP{Éè)�ÝÄ[Ó)

And jwt.io can decode the token

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.pdnRQDlXsa1c9PQGdQONnLZa8pGEZdZFOj-gjXHxF34

with both tokens.

PS:

I will try to write the Scala code tomorrow.

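The two points made above, margussipria's that a UTF-8 round trip of the key bytes inserts extra bytes while ISO-8859-1 preserves every byte, and etaty's that the Auth0 secret must be base64url-decoded to raw bytes before it is used as the HMAC key, worked through in Python as an added example (not code from this thread or from jwt-scala). It decodes the secret quoted above, round-trips it through both charsets the way stringify/bytify do, then signs a constructed token with the raw bytes and checks which key variants still verify. Python's `errors="replace"` stands in for the JVM's `String(byte[], Charset)` constructor, which substitutes U+FFFD for malformed input instead of throwing; the `sign`/`verify` helpers and the claims are my own, not the library's API.

```python
import base64
import hashlib
import hmac
import json

# The secret exactly as quoted in the thread: Auth0's unpadded base64url form.
SECRET_B64URL = "1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the alphabet both JWT segments and Auth0 secrets use."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def roundtrip(key: bytes, charset: str) -> bytes:
    """Mimic stringify followed by bytify: bytes -> String -> bytes through one charset.

    errors="replace" stands in for the JVM's String(byte[], Charset) constructor, which
    swaps U+FFFD in for malformed input instead of raising, so the damage is silent.
    """
    return key.decode(charset, errors="replace").encode(charset)


def hs256(signing_input: bytes, key: bytes) -> str:
    """Base64url-encoded HMAC-SHA256 of header.payload, i.e. the HS256 signature segment."""
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def sign(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT from raw key bytes (constructed helper, not jwt-scala's API)."""
    def segment(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    header = segment({"typ": "JWT", "alg": "HS256"})
    signing_input = f"{header}.{segment(claims)}"
    return f"{signing_input}.{hs256(signing_input.encode('ascii'), key)}"


def verify(token: str, key: bytes) -> bool:
    """Verify an HS256 token: alg pinned to HS256, constant-time signature compare."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        return False
    expected = hs256(f"{header}.{payload}".encode("ascii"), key)
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8"))


def compare_key_handling(secret_b64url: str = SECRET_B64URL) -> dict:
    """Report which charset round trips keep the key intact and still verify a token."""
    raw = b64url_decode(secret_b64url)
    latin1 = roundtrip(raw, "iso-8859-1")  # lossless: every byte value is a valid char
    utf8 = roundtrip(raw, "utf-8")         # lossy: the leading 0xD6 0x41 is not valid UTF-8
    token = sign({"user": {"name": "admin"}}, raw)  # constructed claims, signed with the raw bytes
    return {
        "raw_len": len(raw),
        "latin1_lossless": latin1 == raw,
        "utf8_lossless": utf8 == raw,
        "utf8_len": len(utf8),
        "verifies_with_raw": verify(token, raw),
        "verifies_with_latin1": verify(token, latin1),
        "verifies_with_utf8": verify(token, utf8),
    }


if __name__ == "__main__":
    for name, value in compare_key_handling().items():
        print(f"{name}: {value}")
```

Running it shows the 48 raw bytes survive the ISO-8859-1 round trip unchanged and still verify, while the UTF-8 round trip grows the key and the signature check fails; that is the mismatch between jwt-scala and jwt.io reported at the top of the thread, and the reason the fix is to hand the library raw bytes (or a `SecretKeySpec`) rather than a `String`.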

margussipria commented on June 3, 2024

Or you could have changed JwtUtils.ENCODING to "ISO-8859-1"


etaty commented on June 3, 2024

Would be awesome to expose the key as Array[Byte] or a value class


simonezando commented on June 3, 2024

I tried with https://github.com/pauldijou/jwt-scala/tree/master/examples/play-angular-standalone with the secret in application.conf.
JWT token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIbWFjU0hBMjU2In0.eyJleHAiOjE0NjUyMTA3NTAsInVzZXIiOnsibmFtZSI6ImFkbWluIn19.TM6B5XOkj-m5IDdbfxEEHKwjBBve0OiVfZ7hfGQMgMQ

I used version "0.5.1" of jwt-play, the last version that supports Play 2.5.
Do you have time to solve this issue in the next few days (for version 0.5.1 of jwt-play) with the previous hints from @margussipria and @etaty?

Thanks


bir commented on June 3, 2024

For anyone else suffering from a similar issue, you can just pass in a properly encoded Secret to bypass the UTF-8 defaulting in JwtUtils:

  import com.typesafe.config.ConfigFactory
  import javax.crypto.spec.SecretKeySpec
  import pdi.jwt.{JwtAlgorithm, JwtJson4s}

  // the secret is stored base64url-encoded under jwt.secret; decode it yourself so JwtUtils never stringifies it
  val encodedJwtSecret: String = ConfigFactory.load().getString("jwt.secret")
  val jwtSecret = new SecretKeySpec(java.util.Base64.getUrlDecoder().decode(encodedJwtSecret), "HmacSHA256")
  // bearer: the raw token string taken from the Authorization header
  JwtJson4s.decodeJson(bearer, jwtSecret, Seq(JwtAlgorithm.HS256)).toOption


ChetanBhasin commented on June 3, 2024

Is there any update on this issue?


pauldijou commented on June 3, 2024

Any PR is welcome, as always. I gave it a try and couldn't find a solution nice enough. I'm not really doing Scala anymore so, unfortunately, I don't have any plan to try again.


ChetanBhasin commented on June 3, 2024

Ah, okay. I'll see if I can spend some time on this.
