
'Signature verification failed' on JWT::decode using JWKs

Open qlixes opened this issue 2 years ago • 2 comments

Steps to reproduce:

    use Firebase\JWT\CachedKeySet;
    use Firebase\JWT\JWT;
    use GuzzleHttp\Client;
    use GuzzleHttp\Psr7\HttpFactory;
    use Phpfastcache\CacheManager;

    public function decode(string $token)
    {
        // The URI for the JWKS you wish to cache the results from
        $jwksUri = "https://player-auth.services.api.unity.com/.well-known/jwks.json";

        // Create an HTTP client (can be any PSR-7 compatible HTTP client)
        $httpClient = new Client();

        // Create an HTTP request factory (can be any PSR-17 compatible HTTP request factory)
        $httpFactory = new HttpFactory();

        // Create a cache item pool (can be any PSR-6 compatible cache item pool)
        $cacheItemPool = CacheManager::getInstance('files');

        $keySet = new CachedKeySet(
            $jwksUri,
            $httpClient,
            $httpFactory,
            $cacheItemPool,
            null, // $expiresAfter int seconds to set the JWKS to expire
            true  // $rateLimit    true to enable rate limit of 10 RPS on lookup of invalid keys
        );

        // php-jwt 6.x takes the algorithm from each Key in the set (the JWK "alg" field),
        // so decode() no longer accepts the allowed-algorithm list that 5.x used.
        return JWT::decode($token, $keySet);
    }

composer.json:

    "require": {
        "php": "^8.0.2",
        "aws/aws-sdk-php": "^3.234",
        "firebase/php-jwt": "^6.4",
        "guzzlehttp/guzzle": "^7.2",
        "laravel/framework": "^9.19",
        "laravel/sanctum": "^3.0",
        "laravel/tinker": "^2.7",
        "phpfastcache/phpfastcache": "^9.1",
        "predis/predis": "^2.0"
    },

access_token:

eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpBNTYwOTVEQS0xODJDLTQ1MjMtOUQyNS1DNzlEMzNBNEY5OUIiLCJ0eXAiOiJKV1QifQ.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.Pv4wCuykaxtJLCO2UEFVVt-NTWkaaSJxNcjethqcsEvGy3Yc7n_p6ZJ6I72nZNF4jSX-0tJ9AH2A_Tk1w9RbxABMpt3-O48oxyx5lN6RVV6HO2dejMJbAQDKbJ1rq9XEHQiZe-EZ6ZQwf9dGb0NhkAbalYCMJsi1SdXttcWLb1_SRpgY8syvwwpEXRrlaqEip4jrYmJ

When the access_token is decoded on https://jwt.io, it succeeds and shows these headers:

{
  "alg": "RS256",
  "kid": "public:A56095DA-182C-4523-9D25-C79D33A4F99B",
  "typ": "JWT"
}

When I add a Laravel Log call, it shows an empty key, so verify returns "false".

Please let me know if I did something wrong. Thank you a lot.

qlixes avatar Apr 11 '23 11:04 qlixes

Don't do this in production!

Before the line return false; in ./vendor/firebase/php-jwt/src/JWT.php, make these modifications:

                if ($success === 0) {
                    echo('<pre>');  // add this
                    print_r( \openssl_error_string() ); // add this
                    echo('</pre>'); // add this
                    return false;

It returned this:

error:0480006C:PEM routines::no start line

BTW, I'm using https://login.microsoftonline.com/common/discovery/v2.0/keys as $jwksUri.

Kipjr avatar May 05 '23 15:05 Kipjr
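An added example (not code from this issue or from the php-jwt project) that gets the same diagnostic information as the vendor patch above without editing vendor code: it pins RS256, checks the token's kid against the key set, and only then hands keys from JWK::parseKeySet to JWT::decode, so a missing kid is reported by name instead of as "Signature verification failed". It assumes php-jwt 6.x installed through Composer; the RSA key pair, the kid "public:EXAMPLE-KID" and the token are constructed inside the script.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

// Base64url without padding, as JWKs and JWTs require (RFC 7515, section 2).
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Verify a token against a JWKS and report the real cause of a failure
// (unexpected alg, unknown kid, malformed JWK) before openssl_verify is reached.
function verifyAgainstJwks(string $jwt, array $jwks): stdClass
{
    $header = json_decode(JWT::urlsafeB64Decode(explode('.', $jwt, 2)[0]), true) ?: [];
    // Pin the algorithm the verifier accepts; the header only tells us which key to look up.
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new UnexpectedValueException('unexpected alg: ' . ($header['alg'] ?? 'none'));
    }
    $kid = $header['kid'] ?? '';
    $known = array_column($jwks['keys'] ?? [], 'kid');
    if ($kid === '' || !in_array($kid, $known, true)) {
        // The "empty key" situation from the issue: the set holds no key for this kid
        // (key rotation, a stale cache, or a JWKS URI that serves another issuer's keys).
        throw new UnexpectedValueException("kid '$kid' not in JWKS (have: " . implode(', ', $known) . ')');
    }
    // parseKeySet turns each RSA JWK (n, e) into a PEM-backed Key; a malformed JWK throws here.
    $keys = JWK::parseKeySet($jwks);
    // Each Key carries its own alg, so php-jwt 6.x takes no allowed-algorithm list.
    return JWT::decode($jwt, $keys);
}

// Constructed sample: a fresh RSA key pair, the matching JWK, and a token signed with it.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$rsa = openssl_pkey_get_details($pair)['rsa'];
$kid = 'public:EXAMPLE-KID';
$jwks = ['keys' => [['kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => $kid,
                     'n' => b64url($rsa['n']), 'e' => b64url($rsa['e'])]]];
$token = JWT::encode(['sub' => 'player-1', 'exp' => time() + 300], $pair, 'RS256', $kid);

print_r(verifyAgainstJwks($token, $jwks));        // matching kid: the verified claims
$jwks['keys'][0]['kid'] = 'public:ROTATED-KID';   // simulate rotation / a stale cached key set
try {
    verifyAgainstJwks($token, $jwks);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;               // names the kid that is missing from the set
}
```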

@Kipjr thanks for sharing a tip to print the openssl_error_string; I believe it should be empty if openssl_verify succeeds. @qlixes, was the log shared above useful for you? It wasn't clear to me whether you wanted to just show the key in Laravel or were asking about auth.

vishwarajanand avatar Aug 14 '23 09:08 vishwarajanand