FusionAuth

    Can't manually verify RS256 JWT

      yuji.kosugi

      Re: Manually verifying a JWT

      I'm having an issue that is similar to the one in the thread above, except that I have no problem manually verifying a JWT signed with the default signing key (HS256), following the instructions in the thread above.

      But if I switch to using RS256, with the following steps:

      1. Go to Edit Application/JWT, and change Access Token signing key to "Auto generate a new key on save..."
      2. Save, and generate a new JWT token
      3. Generate a new JWT
      4. Get the Base64 encoded public key from Settings/Key Master/View/"Access token signing key generated for application foo"
      5. If I paste 3. and 4. into jwt.io it says the signature is invalid.

      If I do the above steps but skip 1. and use the HS256 default signing key the signature is verified without a hitch so I'm not sure what the problem is. I've also verified that the Kid in my JWT header matches the Kid when I view the RSA key in key master.

      Would appreciate any help with this because I'd really like to independently verify JWT without hitting the FusionAuth server, and I also don't want to use the HMAC secret in my app backend.

      (PS this is on FusionAuth 1.29.3; key was generated with Java client 1.29.1)

        yuji.kosugi

        Hmm, oddly enough I can manually verify the JWT using fusionauth-jwt with e.g. new JWTDecoder().decode(accessToken, RSAVerifier.newVerifier(myPublicKey)).toString() where myPublicKey is the PEM-encoded key.

        Still not working on jwt.io though whether I use the RSA public key or certificate in Base64 or PEM.

          dan

          Heya @yuji-kosugi

          Are you changing the algorithm on jwt.io? When I look at it, above where I can paste the JWT, I see a spot to change the algorithm (from HS256 to RS256) but I didn't see that in your steps.

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io

            yuji.kosugi

            Hi there,

            I was just double-checking this, and the algorithm dropdown doesn't need to be manually set since it automatically changes to the value of the algorithm in the header.

            But while testing this I actually got it to verify; not sure what was different each time since I could have sworn I tried both the public key and the certificate with and without the PEM headers (looks like the PEM headers are definitely necessary), but maybe I was using the wrong key or something.

            Anyway thanks for looking into this!

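The procedure the thread describes (take the RS256 token, take the public key out of Key Master, verify offline without calling FusionAuth) and the two things that tripped it up (the key must carry its PEM headers, and the kid in the header must be the key you hold) can be exercised end to end with a small verifier. The following is an added example, not code from the original post or from FusionAuth; it mints its own RS256 token with a locally generated key as a stand-in for the server, and the function names, the kid value "example-kid" and the claims are assumptions made here for illustration. It also pins the alg to RS256, which the post does not discuss but which matters for exactly the reason the poster gives for not wanting the HMAC secret in the backend: a verifier that trusts the header's alg can be talked into treating the public key as an HMAC secret.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
type jwtHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// wrapPEM adds the BEGIN/END PUBLIC KEY lines around a bare Base64 DER key, the
// form copied out of Key Master in the thread; jwt.io and most libraries need them.
func wrapPEM(bareBase64 string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(bareBase64), ""))
	if err != nil {
		return "", fmt.Errorf("key is not valid Base64: %w", err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// parsePublicKey accepts only a PEM-encoded RSA public key (SubjectPublicKeyInfo).
func parsePublicKey(pemText string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, fmt.Errorf("no PEM block found: a bare Base64 key needs the PEM headers")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("not an RSA public key (parse error: %v)", err)
	}
	return rsaPub, nil
}

// verifyRS256 validates a token offline: alg pinned to RS256 (a header rewritten to HS256 must
// not turn the public key into an HMAC secret), kid matched against the key we hold, then
// RSASSA-PKCS1-v1_5/SHA-256 over "header.payload" before any claim is trusted.
func verifyRS256(token string, pub *rsa.PublicKey, expectedKid string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: expected header.payload.signature")
	}
	rawHeader, errH := b64.DecodeString(parts[0])
	rawPayload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("JWT segments are not valid base64url")
	}
	var hdr jwtHeader
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "RS256" || hdr.Kid != expectedKid {
		return nil, fmt.Errorf("header rejected (alg %q, kid %q): need RS256 under kid %q", hdr.Alg, hdr.Kid, expectedKid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, fmt.Errorf("bad payload JSON: %w", err)
	}
	return claims, nil
}

// issueTestToken stands in for the FusionAuth server so the verifier runs offline: it generates a
// key, signs the claims as RS256 under kid, and returns the token plus the public key as bare Base64 DER.
func issueTestToken(claims map[string]interface{}, kid string) (token, barePublicKey string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	rawHeader, _ := json.Marshal(jwtHeader{Alg: "RS256", Kid: kid})
	rawPayload, _ := json.Marshal(claims) // constructed claims, known to marshal
	signingInput := b64.EncodeToString(rawHeader) + "." + b64.EncodeToString(rawPayload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64.EncodeToString(sig), base64.StdEncoding.EncodeToString(der)
}

func main() {
	token, bare := issueTestToken(map[string]interface{}{"sub": "user-1", "aud": "foo"}, "example-kid")
	_, bareErr := parsePublicKey(bare) // the jwt.io failure described in the thread
	pemText, _ := wrapPEM(bare)
	pub, _ := parsePublicKey(pemText)
	claims, err := verifyRS256(token, pub, "example-kid")
	fmt.Println("bare key:", bareErr, "\nclaims:", claims, "err:", err)
}
```

Against a real FusionAuth token, replace issueTestToken with the access token from the application, paste the Key Master public key into wrapPEM (or use the PEM it already shows), and pass the kid shown in Key Master as expectedKid. A JWT library is the better choice in production, but the checks above are the ones it must make, in that order.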