Hi all,
I'm trying to verify an ES256 signed JWT with the PEM I created with our Public JWK.
```js
function verifyJWT(req, jwt, err) {
  var token = req.cookies['jsonWebToken'];
  var jwk = { kty: 'EC', crv: 'P-256', x: 'etc...', y: 'etc..' }; // JWK format
  var pem = jwkToPem(jwk);
  // pem format is:
  //-----BEGIN PUBLIC KEY-----
  //KEY
  //-----END PUBLIC KEY-----
  jwt.verify(token, pem, { algorithms: ['ES256'] }, function(err, decodedToken) {
    if (err) {
      console.log('Error:', '\n', err, '\n');
    }
    console.log('Decoded/Verified JSON Token:', '\n', decodedToken); // bar
  });
}
```
I receive the following error:
```
JsonWebTokenError: invalid signature
```
I've done a lot of reading but I can't seem to find any help.
I don't create the JWTs as they are signed by our PingFederate server in another process. I'm just trying to consume the JWT and verify its validity.
So I tweaked my code a bit.
```js
var token = req.cookies['jsonWebToken'];
var jwk = { kty: 'EC', crv: 'P-256', x: 'etc...', y: 'etc..' }; // JWK format
var pem = jwkToPem(jwk);
var certBuf = Buffer.from(cert, 'base64');
jwt.verify(token, certBuf, { algorithms: ['ES256'] }, function(err, decodedToken) {
  if (err) {
    console.log('Error:', '\n', err, '\n');
  }
  console.log('Decoded/Verified JSON Token:', '\n', decodedToken); // bar
});
```
Receiving this error now:
```
Error: PEM_read_bio_PUBKEY failed
    at Error (native)
```
Got it to successfully verify.
JWT must be cast .toString();
Everything else is working fine.
Thanks
Hi there,
I have also stumbled across the same problem. This is basically the code:
```js
// Normalise the header value to the base64url alphabet before verifying
const jwtToken = req.headers['x-jwt-assertion'].replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
const jwtKey = { kty: 'EC', crv: 'P-256', x: 'etc...', y: 'etc..' };
const pem = jwkToPem(jwtKey);
const verifiedToken = jwt.verify(jwtToken, pem);
```
And I get the 'JsonWebTokenError: invalid signature'.
How did you fix this? I tried `jwt.verify(jwtToken.toString(), pem)` but it did not work.
Can you confirm that the code retrieving the JWT gets the whole cookie?
Also, can you confirm that the public key you have labeled as a constant is in fact the valid signing key for the JWT you retrieved?
In my case, my environment has a JWKS endpoint that rotates signing and public keys accordingly. So you may have to grab the latest public key to verify your JWT against.
Also, I recommend using cookie-parser for retrieving the JWT. No need to write all that regex.
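
As an added example (not code from any poster in this thread, and not the code of the libraries they use): the two checks raised above, passing the token as a string and verifying against the JWKS entry whose `kid` matches the token header, shown with Node's built-in `crypto` instead of the `jwt.verify` and `jwkToPem` calls used in the thread. The key pairs, `kid` values and token are constructed in the block, and only the signature is checked, not `exp` or other claims.

```javascript
// Added example: ES256 verification with Node's built-in crypto.
// All keys, kid values and tokens below are constructed sample data.
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Stand-in for the token issuer: returns its public JWK and a sign function.
function makeSigner(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid };
  const sign = (claims) => {
    const input = `${b64u(JSON.stringify({ alg: 'ES256', kid }))}.${b64u(JSON.stringify(claims))}`;
    // JWS ES256 signatures are the raw 64-byte r||s form, not DER.
    const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
    return `${input}.${sig.toString('base64url')}`;
  };
  return { jwk, sign };
}

function verifyEs256(token, jwks) {
  const parts = String(token).split('.'); // a Buffer token is turned into a string first
  if (parts.length !== 3) throw new Error('malformed token');
  const header = fromB64u(parts[0]);
  if (header.alg !== 'ES256') throw new Error('unexpected alg'); // fixed allow-list
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('no key for kid');
  if (jwk.kty !== 'EC' || jwk.crv !== 'P-256') throw new Error('wrong key type');
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('invalid signature');
  return fromB64u(parts[1]);
}

function demo() {
  const previous = makeSigner('key-1');
  const current = makeSigner('key-2');
  const token = current.sign({ sub: 'alice' });
  const attempt = (t, jwks) => { try { return verifyEs256(t, jwks).sub; } catch (e) { return e.message; } };
  return {
    currentKey: attempt(token, { keys: [previous.jwk, current.jwk] }),
    bufferToken: attempt(Buffer.from(token), { keys: [current.jwk] }),
    staleKey: attempt(token, { keys: [{ ...previous.jwk, kid: 'key-2' }] }),
    rotatedOut: attempt(token, { keys: [previous.jwk] }),
  };
}
console.log(demo());
```
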
try this one
```js
module.exports = {
  async isAuthetication(token) {
    console.log('user data value', token)
    return await jwt.verify(token, 'token');
  }
}
```