jwt validate



  • I've been working on jwt validate for some time without success. I tried back in September without luck. I've tried again today, pretty much all day, and without luck.

    I generate a JWT in php and validate it on jwt.io but when I try to recreate it in QT, I really don't get the same result. My jwt is as follows:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJtaWtlLmdyZWVuaXNoQGFkZGhhcHRpY3MuY29tIiwiZGF0YSI6eyJjaWQiOiI3MDY4NTQ1NDY1Njc2ODY4NDU2OTY4NjU2NjQ1NTM1MjUyNTM0NTU3NTA0OTY2NDU3MDU3NTY3MDU1NjY3MDU1NTU1MDUzNTAiLCJsaWNfaWQiOiJzOXhhbGIiLCJtb2R1bGVzIjoxfSwiZXhwIjoiMjAxOS0wMi0wOVQxMToxODoyNy0wNTowMCIsImlhdCI6IjIwMTgtMDItMDlUMTE6MTg6MjctMDU6MDAiLCJpc3MiOiJBZGQgSGFwdGljcyJ9.bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA
    

    In QT, I have the following code:

        QStringList jwt_elements = jwt.split( "." );    // split by parts
        QString b64Header = jwt_elements.at(0);    // save header
        QString b64Payload = jwt_elements.at(1);   // save payload
        QString b64Signature = jwt_elements.at(2);   // save signature
    
        QString b64message = b64Header + "." + b64Payload;  // reassemble header & payload for verification
    
        QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) );    // generate signature with my secret
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
    
        return ! b64Signature.compare( signature );
    

    Unfortunately, the function always returns false. When I debug, the signature I generated looks nothing like the signature that is part of the jwt; it has lots of non-ASCII characters it it.

    Is this not the right way to verify a jwt?



  • Is JWT_SECRET base64?

    P.S.
    Why do you use QStrings instead of QByteArrays? You are just adding useless overhead



  • @VRonin JWT_SECRET is not base64; I've simplified everything as much as possible.
    I started with QByteArray's then switched from QByteArray to QString in case my error is somehow related to that, but it seems not



  • Thanks to an online SH256 encoding & encrypting tool that spits output in various formats, it seems I need to further base64 encode the signature. The code becomes:

    QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) );
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
        signature = QString( signature.toUtf8().toBase64() );
    
        return ! b64Signature.compare( signature );
    

    The online tool spits out a result the matches the original signature but my code doesn't. It's close, much closer, but not quite there:

    "bNWC77+977+9Qhjvv70877+977+9C++/ve+/ve+/vcix77+9LnAj77+9W++/ve+/ve+/vc69IwPvv70w"
    

    instead of the correct

    bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA
    


  • So the final correct solution is

        QStringList jwt_elements = jwt.split( "." );
        QByteArray b64Signature = jwt_elements.at(2).toUtf8();
        QByteArray b64message = jwt_elements.at(0).toUtf8() + "." + jwt_elements.at(1).toUtf8();
        QByteArray signature = QMessageAuthenticationCode::hash( b64message, QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ).toBase64();
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
    
        return ! b64Signature.operator ==( signature );
    

    So my basic problem was that I wasn't base64 encoding the result of the hash.


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.