2
votes

I want to generate a JWT for a given header, payload and a secret key.

My header:

    { "typ": "JWT", "alg": "HS256" }

My payload:

    { "iss": "46181382", "ist": "project", "iat": 1536225835, "exp": 1536226835, "jti": "abcdefghi" }

My secret key: 105446462291847624638651561dfg156148df941819498

Here is my Java code. It already creates a JWT, but I think the secret key is not getting included in it, because once I use that JWT for my header in a TokBox API call I get the following response.

    {
      "code": -1,
      "message": "Invalid signature",
      "description": "Invalid signature"
    }

Here is the code:

    byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("105446462291847624638651561dfg156148df941819498");
    Key signingKey = new SecretKeySpec(apiKeySecretBytes, SignatureAlgorithm.HS256.getJcaName());

    Map<String, Object> map = new HashMap<>();
    map.put("alg","HS256");
    map.put("typ","JWT");

    String jwt = Jwts.builder()
            .setHeader(map)
            .claim("iss", "46181382")
            .claim("ist", "project")
            .claim("iat", currentTimeSeconds())
            .claim("exp", expireTimeSeconds())
            .claim("jti", "abcdefghi")
            .signWith(SignatureAlgorithm.HS256,signingKey)
            .compact();

currentTimeSeconds() and expireTimeSeconds() are methods written by myself. I am sure there is no issue with them. I am not sure about this .signWith() method.

Could anyone please help me?

Thank you.

1
Check if the secret key is valid for your project. - benjamin c

That doesn't look like an OpenTok secret, they usually contain letters. Are you just trying to generate an OpenTok token? There is a Java SDK to help if so: tokbox.com/developer/guides/create-token/java Also, don't post any secret keys on StackOverflow, someone could use them. - maikthomas

It looks like your expire time is 7 minutes after your issue time. Per the OpenTok docs, the expiration time can be no more than 5 minutes after the issue time. That may be your issue. tokbox.com/blog/… - adrice727

@benjaminc Yes, it is a valid secret key. I want to know whether this code is correct. - Dhanushka Sampath

@maikthomas I want to generate the JWT. I have already generated the session ID and token. Also, this is not my real secret key. I just added some numbers. - Dhanushka Sampath

1 Answer

0
votes

I found the answer. In the above code the secret key should be given as a Base64URL-encoded value. That means the first line should change as follows.

    byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("MTA1NDQ2NDYyMjkxODQ3NjI0NjM4NjUxNTYxZGZnMTU2MTQ4ZGY5NDE4MTk0OTg=");
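
The key-bytes mismatch behind the "Invalid signature" response, as an added example that is not part of the original posts and uses only the JDK rather than jjwt. It assumes the verifying side uses the secret's UTF-8 bytes as the HMAC key; `java.util.Base64` stands in for `DatatypeConverter`, and the class and method names are hypothetical.

```java
import static java.nio.charset.StandardCharsets.US_ASCII;
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256KeyBytesDemo {
    // Placeholder secret from the question (the poster says it is not a real key).
    static final String SECRET = "105446462291847624638651561dfg156148df941819498";

    static String b64url(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }

    static byte[] hmac(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(US_ASCII));
    }

    // HS256 (RFC 7515): HMAC-SHA256 over "b64url(header).b64url(payload)".
    static String sign(String header, String payload, byte[] key) throws Exception {
        String input = b64url(header.getBytes(UTF_8)) + "." + b64url(payload.getBytes(UTF_8));
        return input + "." + b64url(hmac(input, key));
    }

    // Verifier side (assumed): recompute the MAC and compare in constant time.
    static boolean verify(String jwt, byte[] key) throws Exception {
        int dot = jwt.lastIndexOf('.');
        byte[] sent = Base64.getUrlDecoder().decode(jwt.substring(dot + 1));
        return MessageDigest.isEqual(sent, hmac(jwt.substring(0, dot), key));
    }

    public static void main(String[] args) throws Exception {
        String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        String payload = "{\"iss\":\"46181382\",\"ist\":\"project\",\"iat\":1536225835,"
                + "\"exp\":1536226835,\"jti\":\"abcdefghi\"}";
        byte[] raw = SECRET.getBytes(UTF_8);                      // key the verifier is assumed to use
        byte[] asBase64 = Base64.getDecoder().decode(SECRET);     // question: secret itself decoded as Base64
        byte[] roundTrip = Base64.getDecoder().decode(
                Base64.getEncoder().encodeToString(raw));         // answer: Base64 of the secret, decoded
        System.out.println("raw key bytes: " + raw.length + ", decoded-as-Base64 bytes: " + asBase64.length);
        System.out.println("question's key verifies: " + verify(sign(header, payload, asBase64), raw));
        System.out.println("answer's key verifies:   " + verify(sign(header, payload, roundTrip), raw));
        System.out.println("raw UTF-8 key verifies:  " + verify(sign(header, payload, raw), raw));
    }
}
```

Passing the secret's UTF-8 bytes directly yields the same key as encoding it to Base64 and decoding it again, so the round trip in the answer is only needed when the API in use insists on a Base64 string.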