Comments (14)
@margussipria
Yeah, all the problems come from the line
case algo: JwtHmacAlgorithm => sign(data, new SecretKeySpec(bytify(key), algo.fullName), algo)
and the call to bytify (some keys are ISO-8859-1 encoded (jwt.io expects ISO) instead of UTF-8).
from jwt-scala.
I have the inverse problem. I have a valid JWT created by another system that won't verify with this library. I'm using HS256.
I will need more input from both of you.
@simonezando Could you copy/paste the data / keys you are using in both jwt-scala and jwt.io that do not match?
@mscharley Could you copy/paste the token? And any other relevant stuff.
JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.pdnRQDlXsa1c9PQGdQONnLZa8pGEZdZFOj-gjXHxF34
Signing key (base64 encoded):
1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp
And just in case it matters, I was trying to validate it using jwt-json4s-jackson
This bug has to do with stringify and the badly named bytify: they are using UTF-8, and that adds extra chars when converting non-UTF-8 characters. The best choice is to use the ISO-8859-1 charset, as it is an 8-bit charset and every byte is a valid char.
import pdi.jwt.{JwtBase64, JwtUtils}
val secret = JwtBase64.decode("1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp")
// bytes -> String -> bytes must be lossless for the key to be usable
JwtUtils.bytify(JwtUtils.stringify(secret)) should be (secret)
And here is a longer test:
// mockTime and jwtJsonCommon are test helpers from the spec this snippet sits in (not shown here)
val token = Seq(
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9",
"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",
"pdnRQDlXsa1c9PQGdQONnLZa8pGEZdZFOj-gjXHxF34"
)
val secret = JwtBase64.decode("1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp")
val mock = mockTime(1464176805)
val data = token.take(2).mkString(".")
val signature = token.drop(2).mkString(".")
jwtJsonCommon.validate(token.mkString("."), JwtUtils.stringify(secret), Seq(JwtAlgorithm.HS256))
//println(JwtUtils.verify(data, JwtBase64.decodeString(signature), JwtUtils.stringify(secret), JwtAlgorithm.HS256))
mock.tearDown()
So I found my way in this F mess ...
Auth0 gives us a base64URL string
1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp
You can convert it to base64
1kHndxh2zXTK701QKx6B/CkzEu+orMR+TpvJXvlrjXg7maLf/1B7yegplt3EW9Mp
And then decode it as ISO-8859-1 (obviously GitHub's UTF-8 messes with it, but you can use an online decoder)
ÖAçw�vÍtÊïMP+��ü)3�館Ä~N�É^ùk�x;�¢ßÿP{Éè)�ÝÄ[Ó)
And jwt.io can decode the token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiTWF0dGhldyBTY2hhcmxleSIsInBpY3R1cmUiOiJodHRwczovL2xoMy5nb29nbGV1c2VyY29udGVudC5jb20vLVhkVUlxZE1rQ1dBL0FBQUFBQUFBQUFJL0FBQUFBQUFBQUFBLzQyNTJyc2NidjVNL3Bob3RvLmpwZyIsImVtYWlsIjoibWF0dGhldy5zY2hhcmxleUBlcXVpZW0uY29tLmF1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImFwcF9tZXRhZGF0YSI6eyJhdXRob3JpemF0aW9uIjp7Imdyb3VwcyI6WyJEYXRhYmFzZSBTZXJ2ZXIgQWNjZXNzIl19LCJwZ3BfcHVibGljX2tleXMiOlsiMjU2MTk3RTU5REVBNTY2RjI0MDAyMkQyRUI2MDM3NTM1NDFGREYzRiIsIkZEQjRGNjJFMjM2NzBEQTEwREU4QjdEQTZFRTQ0OTlFNDM1RkE1MkIiXX0sImlzcyI6Imh0dHBzOi8vZXF1aWVtLmF1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDExNTQ2MzM0MDE5ODc5NzI4MDUzNyIsImF1ZCI6ImFMcEdJUFFvRWdhb1N3QlpFTEhwS3Y4aHZySlFYNFRUIiwiZXhwIjoxNDY0MTgwNDA1LCJpYXQiOjE0NjQxNzY4MDV9.pdnRQDlXsa1c9PQGdQONnLZa8pGEZdZFOj-gjXHxF34
with both token.
ps :
- Auth0 uses Apache Commons Base64 to encode/decode (in their Java implementation)
- https://www.ietf.org/rfc/rfc4648.txt table 1 vs table 2
I will try to write the scala code tomorrow
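The two comments above (the stringify/bytify explanation and the base64url-to-ISO-8859-1 walkthrough) describe the same defect from two sides. The following Python script is an added example, not code from the jwt-scala project or from any commenter: it decodes the posted base64url secret, models the Java round trip String(bytes, charset).getBytes(charset) with both charsets, and shows that an HMAC-SHA256 token signed with the raw key still verifies after an ISO-8859-1 round trip but not after a UTF-8 one. The claims in the signed token are constructed for the demo; Python's errors="replace" is assumed to model Java's U+FFFD substitution closely enough for this purpose.

```python
import base64
import hashlib
import hmac
import json

# Base64url-encoded HS256 secret exactly as posted in the thread
# (48 random bytes in the RFC 4648 table 2 alphabet, no padding).
SECRET_B64URL = "1kHndxh2zXTK701QKx6B_CkzEu-orMR-TpvJXvlrjXg7maLf_1B7yegplt3EW9Mp"


def b64url_to_b64(s: str) -> str:
    """RFC 4648 table 2 ('-', '_') to table 1 ('+', '/'), restoring '=' padding."""
    s = s.replace("-", "+").replace("_", "/")
    return s + "=" * (-len(s) % 4)


def b64url_decode(s: str) -> bytes:
    return base64.b64decode(b64url_to_b64(s))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def roundtrip(key: bytes, charset: str) -> bytes:
    """Model new String(key, charset).getBytes(charset).

    Java substitutes U+FFFD for malformed input; Python's errors="replace" does
    the same (assumption: the exact replacement count may differ, the loss does not).
    """
    return key.decode(charset, errors="replace").encode(charset)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS with the raw key bytes (what jwt.io does)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time check of the third segment against HMAC-SHA256 over the first two."""
    try:
        header, payload, sig = token.split(".")
        provided = b64url_decode(sig)
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


def demo() -> dict:
    raw = b64url_decode(SECRET_B64URL)
    latin1_key = roundtrip(raw, "iso-8859-1")
    utf8_key = roundtrip(raw, "utf-8")
    # Constructed claims; the token is signed with the raw key, as an external issuer would.
    token = sign_hs256({"sub": "example-user", "iat": 1464176805}, raw)
    return {
        "raw_len": len(raw),
        "latin1_lossless": latin1_key == raw,
        "utf8_lossless": utf8_key == raw,
        "utf8_len": len(utf8_key),
        "verify_raw_key": verify_hs256(token, raw),
        "verify_latin1_key": verify_hs256(token, latin1_key),
        "verify_utf8_key": verify_hs256(token, utf8_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first byte of the decoded secret is 0xD6 followed by 0x41, which is not a valid UTF-8 sequence, so the UTF-8 round trip replaces it and the key grows; ISO-8859-1 maps every byte to exactly one code point and back, which is why the thread recommends it, and why handing the library raw bytes (or a SecretKeySpec built from them) avoids the question entirely.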
Or you could have changed JwtUtils.ENCODING to "ISO-8859-1"
Would be awesome to expose the key as an Array[Byte] or a value class
I tried with https://github.com/pauldijou/jwt-scala/tree/master/examples/play-angular-standalone with the secret in application.conf.
jwt token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIbWFjU0hBMjU2In0.eyJleHAiOjE0NjUyMTA3NTAsInVzZXIiOnsibmFtZSI6ImFkbWluIn19.TM6B5XOkj-m5IDdbfxEEHKwjBBve0OiVfZ7hfGQMgMQ
I used version "0.5.1" of jwt-play, the last version that supports Play 2.5.
Do you have time to solve this issue in the next few days (for version 0.5.1 of jwt-play) with the previous hints from @margussipria and @etaty?
Thanks
For anyone else suffering from a similar issue, you can just pass in a properly encoded secret to bypass the UTF-8 defaulting in JwtUtils:
import javax.crypto.spec.SecretKeySpec
import com.typesafe.config.ConfigFactory
import pdi.jwt.{JwtAlgorithm, JwtJson4s}
// bearer: String is the token taken from the request (not shown here)
val encodedJwtSecret: String = ConfigFactory.load().getString("jwt.secret")
// decode the base64url secret to raw bytes and wrap them directly, so no String conversion happens
val jwtSecret = new SecretKeySpec(java.util.Base64.getUrlDecoder().decode(encodedJwtSecret), "HmacSHA256")
JwtJson4s.decodeJson(bearer, jwtSecret, Seq(JwtAlgorithm.HS256)).toOption
Is there any update on this issue?
Any PR is welcome, as always. I gave it a try and couldn't find a solution nice enough. I'm not really doing Scala anymore so, unfortunately, I don't have any plan to try again.
Ah, okay. I'll see if I can spend some time on this.