Solved jwt validate
-
I've been working on jwt validate for some time without success. I tried back in September without luck. I've tried again today, pretty much all day, and without luck.
I generate a JWT in php and validate it on jwt.io but when I try to recreate it in QT, I really don't get the same result. My jwt is as follows:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJtaWtlLmdyZWVuaXNoQGFkZGhhcHRpY3MuY29tIiwiZGF0YSI6eyJjaWQiOiI3MDY4NTQ1NDY1Njc2ODY4NDU2OTY4NjU2NjQ1NTM1MjUyNTM0NTU3NTA0OTY2NDU3MDU3NTY3MDU1NjY3MDU1NTU1MDUzNTAiLCJsaWNfaWQiOiJzOXhhbGIiLCJtb2R1bGVzIjoxfSwiZXhwIjoiMjAxOS0wMi0wOVQxMToxODoyNy0wNTowMCIsImlhdCI6IjIwMTgtMDItMDlUMTE6MTg6MjctMDU6MDAiLCJpc3MiOiJBZGQgSGFwdGljcyJ9.bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA
In QT, I have the following code:
QStringList jwt_elements = jwt.split( "." ); // split by parts QString b64Header = jwt_elements.at(0); // save header QString b64Payload = jwt_elements.at(1); // save payload QString b64Signature = jwt_elements.at(2); // save signature QString b64message = b64Header + "." + b64Payload; // reassemble header & payload for verification QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) ); // generate signature with my secret signature.replace( "=", ""); signature.replace( "+\\", "-_" ); return ! b64Signature.compare( signature );
Unfortunately, the function always returns false. When I debug, the signature I generated looks nothing like the signature that is part of the jwt; it has lots of non-ASCII characters it it.
Is this not the right way to verify a jwt?
-
Is
JWT_SECRET
base64?P.S.
Why do you useQString
s instead ofQByteArray
s? You are just adding useless overhead -
@VRonin JWT_SECRET is not base64; I've simplified everything as much as possible.
I started with QByteArray's then switched from QByteArray to QString in case my error is somehow related to that, but it seems not -
Thanks to an online SH256 encoding & encrypting tool that spits output in various formats, it seems I need to further base64 encode the signature. The code becomes:
QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) ); signature.replace( "=", ""); signature.replace( "+\\", "-_" ); signature = QString( signature.toUtf8().toBase64() ); return ! b64Signature.compare( signature );
The online tool spits out a result the matches the original signature but my code doesn't. It's close, much closer, but not quite there:
"bNWC77+977+9Qhjvv70877+977+9C++/ve+/ve+/vcix77+9LnAj77+9W++/ve+/ve+/vc69IwPvv70w"
instead of the correct
bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA
-
So the final correct solution is
QStringList jwt_elements = jwt.split( "." ); QByteArray b64Signature = jwt_elements.at(2).toUtf8(); QByteArray b64message = jwt_elements.at(0).toUtf8() + "." + jwt_elements.at(1).toUtf8(); QByteArray signature = QMessageAuthenticationCode::hash( b64message, QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ).toBase64(); signature.replace( "=", ""); signature.replace( "+\\", "-_" ); return ! b64Signature.operator ==( signature );
So my basic problem was that I wasn't base64 encoding the result of the hash.