jwt validate

  • I've been working on jwt validate for some time without success. I tried back in September without luck. I've tried again today, pretty much all day, and without luck.

    I generate a JWT in php and validate it on jwt.io but when I try to recreate it in QT, I really don't get the same result. My jwt is as follows:


    In QT, I have the following code:

        QStringList jwt_elements = jwt.split( "." );    // split by parts
        QString b64Header = jwt_elements.at(0);    // save header
        QString b64Payload = jwt_elements.at(1);   // save payload
        QString b64Signature = jwt_elements.at(2);   // save signature
        QString b64message = b64Header + "." + b64Payload;  // reassemble header & payload for verification
        QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) );    // generate signature with my secret
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
        return ! b64Signature.compare( signature );

    Unfortunately, the function always returns false. When I debug, the signature I generated looks nothing like the signature that is part of the jwt; it has lots of non-ASCII characters it it.

    Is this not the right way to verify a jwt?

  • Is JWT_SECRET base64?

    Why do you use QStrings instead of QByteArrays? You are just adding useless overhead

  • @VRonin JWT_SECRET is not base64; I've simplified everything as much as possible.
    I started with QByteArray's then switched from QByteArray to QString in case my error is somehow related to that, but it seems not

  • Thanks to an online SH256 encoding & encrypting tool that spits output in various formats, it seems I need to further base64 encode the signature. The code becomes:

    QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) );
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
        signature = QString( signature.toUtf8().toBase64() );
        return ! b64Signature.compare( signature );

    The online tool spits out a result the matches the original signature but my code doesn't. It's close, much closer, but not quite there:


    instead of the correct


  • So the final correct solution is

        QStringList jwt_elements = jwt.split( "." );
        QByteArray b64Signature = jwt_elements.at(2).toUtf8();
        QByteArray b64message = jwt_elements.at(0).toUtf8() + "." + jwt_elements.at(1).toUtf8();
        QByteArray signature = QMessageAuthenticationCode::hash( b64message, QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ).toBase64();
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
        return ! b64Signature.operator ==( signature );

    So my basic problem was that I wasn't base64 encoding the result of the hash.

Log in to reply

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.