From what I can understand, it's a straight forward process to validate a JWT
signature. But when I use some online tools to do this for me, it doesn't match. How can I manually validate a JWT
signature without using a JWT library? I'm needing a quick method (using available online tools) to demo how this is done.
I created my JWT
on https://jwt.io/#debugger-io with the below info:
- Algorithm:
HS256
- Secret:
hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6
- Header:
{ "alg": "HS256", "typ": "JWT" }
- Payload:
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
- Verify Signature (section):
- Secret value changed to above
- "Checked" secret base64 encoded (whether this is checked or not, still get a different value)
JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.wDQ2mU5n89f2HsHm1dluHGNebbXeNr748yJ9kUNDNCA
Manual JWT
signature verification attempt:
Using a base64UrlEncode calculator (http://www.simplycalc.com/base64url-encode.php or https://www.base64encode.org/)
If I: (Not actual value on sites, modified to show what the tools would ultimately build for me)
base64UrlEncode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9") + "." + base64UrlEncode("eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ")
I get:
ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5.ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94TlRFMk1qTTVNREl5ZlE=
NOTE: there's some confusion on my part if I should be encoding the already encoded values, or use the already encoded values as-is.
(i.e. using
base64UrlEncode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9") + "." + base64UrlEncode("eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ")
vs"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
).Regardless on which I should do, the end result still doesn't match the signature. I'm leaning towards that I should NOT re-encode the encoded value, whether that's true or not.
Then using a HMAC Generator calculator (https://codebeautify.org/hmac-generator or https://www.freeformatter.com/hmac-generator.html#ad-output)
(Not actual value on sites, modified to show what the tools would ultimately build for me)
HMACSHA256( "ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5.ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94TlRFMk1qTTVNREl5ZlE=", "hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6" )
Which gets me:
a2de322575675ba19ec272e83634755d4c3c2cd74e9e23c8e4c45e1683536e01
And that doesn't match the signature portion of the JWT
:
wDQ2mU5n89f2HsHm1dluHGNebbXeNr748yJ9kUNDNCAM
!= a2de322575675ba19ec272e83634755d4c3c2cd74e9e23c8e4c45e1683536e01
Purpose:
The reason I'm needing to confirm this is to prove the ability to validate that the JWT
hasn't been tampered with, without decoding the JWT
.
My clients web interface doesn't need to decode the JWT
, so there's no need for them to install a jwt package for doing that. They just need to do a simple validation to confirm the JWT
hasn't been tampered with (however unlikely that may be) before they store the JWT
for future API calls.
base64UrlEncode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9")
. The string "eyJh..." is already the result of encoding{"alg":"HS256","typ":"JWT"}
, so to encode it again makes no sense. – jpsbase64UrlEncode
the value already in the JWT, ultimately encoding it twice... though I'm starting to lean towards not needing to encode it the 2nd time. I'll add this note in the question for clarification, thank you. – skplunkerinbase64UrlEncode(header) + "." + base64UrlEncode(payload)
payload and header refer to the readable JSON. – jps