Node-jsonwebtoken: Invalid Signature when verifying JWT with public key

Created on 24 May 2017 · 5 Comments · Source: auth0/node-jsonwebtoken

Hi all,

I'm trying to verify an ES256 signed JWT with the PEM I created with our Public JWK.

```js
function verifyJWT(req, jwt, err) {
    var token = req.cookies['jsonWebToken'];
    var jwk = { kty: 'EC', crv: 'P-256', x: 'etc...', y: 'etc..' }; // JWK format
    var pem = jwkToPem(jwk);

    // pem format is:
    // -----BEGIN PUBLIC KEY-----
    // KEY
    // -----END PUBLIC KEY-----

    jwt.verify(token, pem, { algorithms: ['ES256'] }, function(err, decodedToken) {
        if (err) {
            console.log('Error:', '\n', err, '\n');
            return; // decodedToken is undefined when verification fails
        }
        console.log('Decoded/Verified JSON Token:', '\n', decodedToken); // bar
    });
}
```

I receive the following error:

JsonWebTokenError: invalid signature

I've done a lot of reading but I can't seem to find any help.

I don't create the JWTs as they are signed by our PingFederate server in another process. I'm just trying to consume the JWT and verify its validity.

All 5 comments

So I tweaked my code a bit.

```js
var token = req.cookies['jsonWebToken'];
var jwk = { kty: 'EC', crv: 'P-256', x: 'etc...', y: 'etc..' }; // JWK format
var pem = jwkToPem(jwk);

var certBuf = Buffer.from(cert, 'base64');

jwt.verify(token, certBuf, { algorithms: ['ES256'] }, function(err, decodedToken) {
    if (err) {
        console.log('Error:', '\n', err, '\n');
    }
    console.log('Decoded/Verified JSON Token:', '\n', decodedToken); // bar
});
```


Receiving this error now:

Error: PEM_read_bio_PUBKEY failed
at Error (native)

Got it to successfully verify.

JWT must be cast .toString();

Everything else is working fine.

Thanks

Hi there,

I have also stumbled across the same problem. This is basically the code:
```js
// Rewrite the standard base64 alphabet to base64url and strip padding
const jwtToken = req.headers['x-jwt-assertion'].replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
const jwtKey = { kty: 'EC', crv: 'P-256', x: 'etc...', y: 'etc..' };
const pem = jwkToPem(jwtKey);

const verifiedToken = jwt.verify(jwtToken, pem);
```

And I get the 'JsonWebTokenError: invalid signature'.

How did you fix this? I tried jwt.verify(jwtToken.toString(), pem) but it did not work.

Can you confirm that the code retrieving the JWT gets the whole cookie?

Also, can you confirm that the public key you have labeled as a constant is in fact the valid signing key for the JWT you retrieved?

In my case, my environment has a JWKS endpoint that rotates signing and public keys accordingly. So you may have to grab the latest public key to verify your JWT against.

Also, I recommend using cookie-parser for retrieving the JWT. No need to write all that regex.
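The checks suggested in the reply above (is this public key really the one that signed the token, and has the JWKS rotated) can be reproduced offline. The following is an added example, not code from the thread or from node-jsonwebtoken: it uses only Node's built-in crypto, and the helper names (`makeKey`, `signES256`, `verifyES256`), the `kid` values and the generated keys are constructed for illustration.

```javascript
// Added example: Node's built-in crypto only (not jsonwebtoken / jwk-to-pem).
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed sample key: a fresh P-256 pair whose public half is published as a JWK.
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { kid, privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid } };
}

// Sign a compact ES256 token. JWS carries the raw r||s signature (ieee-p1363), not DER.
function signES256(payload, key) {
  const header = { alg: 'ES256', typ: 'JWT', kid: key.kid };
  const input = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: key.privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + b64url(sig);
}

// Verify: pin the algorithm, select the key by kid, check the exact bytes received.
function verifyES256(token, jwks) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed header' };
  }
  if (!header || header.alg !== 'ES256') return { ok: false, reason: 'unexpected alg' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) return { ok: false, reason: 'unknown kid' }; // stale JWKS after a rotation
  const { kty, crv, x, y } = jwk;
  const publicKey = crypto.createPublicKey({ key: { kty, crv, x, y }, format: 'jwk' });
  const valid = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'invalid signature' }; // wrong key or altered token
  return { ok: true, payload: JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')) };
}
```

A cached JWKS that predates a rotation reports `unknown kid`, while a key that matches the `kid` but is not the signer's reports `invalid signature`, which separates the two causes raised in the reply.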

try this one

```js
const jwt = require('jsonwebtoken');

module.exports = {
    async isAuthetication(token) {
        console.log('user data value', token);
        return await jwt.verify(token, 'token');
    }
};
```