
Signature is invalid

Open DylanWelgemoed opened this issue 7 years ago • 7 comments

Hi,

I am creating a token with a signing method of HS512 and on jwt.io I get the claims, but oddly it shows signature is invalid. Am I doing something wrong?

token := jwt.New(jwt.SigningMethodHS512)
claims := make(jwt.MapClaims)

claims["sub"] = "5"
claims["name"] = "dylan"

token.Claims = claims
signature := []byte("string")
fmt.Println("signature : ", signature)
tokenString, err := token.SignedString(signature)

The signed string it gives back :

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiZHlsYW4iLCJzdWIiOiI1In0.MPZSSMaIp7VT60iwiXmKJ9a8aT7RtvOxmjmYTwFL3zIKu1zEsb0F3oXen27oA1LFz_BaigwmBb2PzBFIUok41g

Any help would be appreciated.

DylanWelgemoed avatar Apr 12 '18 11:04 DylanWelgemoed

This has been asked about since issue #202. The package doesn’t include every optional check that jwt.io is looking for.

If it validates on your end, you aren’t doing anything wrong, though you may still want to check the header to ensure HS512 use is being enforced. That might not be an issue anymore however.

umpc avatar Apr 12 '18 11:04 umpc

Any resolution for this? What gotcha did I miss?

ernsheong avatar Aug 04 '18 02:08 ernsheong

The "VERIFY SIGNATURE" of jwt.io is like "your-256-bit-secret" since your signature is set to "string", so it returns invalid. Change

signature := []byte ("string")

to

signature := []byte ("your-256-bit-secret")

then jwt.io will say it is valid.

charlesduarte019 avatar Oct 17 '18 19:10 charlesduarte019

Is there some other go jwt library that doesn't have this bug?

@charlesduarte019 I'm guessing the []byte ("string") is just an example and not meant to be the actual secret...

karl-gustav avatar Jul 25 '19 08:07 karl-gustav

> Is there some other go jwt library that doesn't have this bug?
>
> @charlesduarte019 I'm guessing the []byte ("string") is just an example and not meant to be the actual secret...

@karl-gustav I don't see this as a bug.

You should set the same key that you use in your code when you validate on the site. They use any key as an example. And your token would be safer if you defined another one.

charlesduarte019 avatar Jul 30 '19 16:07 charlesduarte019
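
The two points made in the replies above (validate with the same key that signed the token, and enforce HS512 from the header), shown as an added example that is not code from this thread or from jwt-go. It uses only the Go standard library; `signHS512`, `verifyHS512` and the sample token are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// signHS512 builds a compact HS512 token over a JSON payload (hypothetical helper).
func signHS512(payload string, key []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS512","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	mac := hmac.New(sha512.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS512 pins the header alg to HS512, then compares the HMAC in constant time.
func verifyHS512(token string, key []byte) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	rawHeader, errH := b64.DecodeString(parts[0])
	got, errS := b64.DecodeString(parts[2])
	var header struct{ Alg string `json:"alg"` }
	if errH != nil || errS != nil || json.Unmarshal(rawHeader, &header) != nil {
		return errors.New("malformed token")
	}
	if header.Alg != "HS512" {
		return errors.New("unexpected signing method: " + header.Alg)
	}
	mac := hmac.New(sha512.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("signature is invalid")
	}
	return nil
}

func main() {
	tok := signHS512(`{"name":"dylan","sub":"5"}`, []byte("string")) // constructed sample
	fmt.Println(verifyHS512(tok, []byte("string")))              // same key as signing
	fmt.Println(verifyHS512(tok, []byte("your-256-bit-secret"))) // a different key
}
```
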

Not sure if this is relevant: the first time I generate, my validator throws this signature invalid error, while on subsequent new tokens generation and validation just work fine. I am running this inside a container, so every time I restart my container I see this issue.

sravyap135 avatar Jun 19 '20 10:06 sravyap135

> Not sure if this is relevant: the first time I generate, my validator throws this signature invalid error, while on subsequent new tokens generation and validation just work fine. I am running this inside a container, so every time I restart my container I see this issue.

Yes! I am seeing this same issue. Did you find a resolution @sravyap135?

bdspen avatar Feb 26 '21 21:02 bdspen