Hi. I'm new to JWT and have been generating them from the command line after receiving a key pair from a company whose API I need to integrate with. Their requirements for their token signature are specified as:

```
RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(body),
  "<your_public_RSA_key>",
  "<your_private_RSA_key>"
)
```

Their docs say they only want the JWT signed with the private key, as seems typical, so my last command line is:

```bash
SIGNATURE=$(openssl dgst -sha256 -sign <(echo -n "${PrivateKey}") <(echo -n "${HEADER_PAYLOAD}") | openssl base64 -A | tr -d '=' | tr '/+' '_-' | tr -d '\n')
```

(I know `-A` seems redundant with `tr -d '='`, but without the `tr -d '='` it was including forbidden extra padding in the form of `=`.)

So I generate my token, paste it into the debugger to verify it worked, and when I paste in my public key, it says "Signature verified". The token doesn't change. I wouldn't expect it to. Why would it? I go on my merry way, but the API is not happy with this token.

After watching their YouTube for the Nth time, I notice they're pasting the private key into the verifier as well, and then I notice the similarity in requested format on the debugger page, and when I do this, it changes the key. I thought my JWT was what I had originally pasted in, but apparently not, and it's not just changing the signature part. It's changing the whole key, so it seems it's not just "verifying" - it's adding another level of building to add the public and private key, base64 encoded - header, body, and signature separately, and then re-encrypting, and thus re-signing the whole thing with RSASHA256 - is that what's happening? That new value is the value they want. It seems like a token within a token, and the "verifier" is not just verifying, it's creating an outer shell and actually building onto the existing token. Can anyone validate this?

If that's what's happening, I find the label "verify signature" in this context misleading, especially since it can be "verified" with just the public key - without the private key - without changing the original token.

Please note that this is not a JWT generated for Okta authentication. I appreciate Okta for hosting this forum. Thanks in advance for any clarification that can be provided.
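The following is an added example, not code from the post above or from the API provider. It builds an RS256 JWT with openssl the same way the poster does, then verifies it using only the public key, so you can see that verification never touches the token and that the private key is needed on the signing side alone. The key pair is generated on the fly for the demo (in practice you would point `make_jwt` at the private key the provider issued), and the payload `{"sub":"demo","iat":1700000000}` is a constructed sample; the function names `b64url`, `make_keys`, `make_jwt` and `verify_jwt` are my own.

```shell
#!/usr/bin/env bash
# Added example: sign a JWT with RS256 via openssl and verify it with the public key only.
set -euo pipefail

# base64url: single-line base64, '/' -> '_', '+' -> '-', padding '=' removed.
b64url() {
  openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# Throwaway 2048-bit RSA pair for the demo (assumption: replace with your issued pair).
make_keys() {
  local dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/private.pem" 2>/dev/null
  openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null
}

# Emit base64url(header).base64url(payload).base64url(RSASHA256(signing input)).
# Only this step uses the private key.
make_jwt() {
  local privkey="$1" payload="$2"
  local header='{"alg":"RS256","typ":"JWT"}'
  local signing_input sig
  signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  # openssl dgst -sign with an RSA key uses PKCS#1 v1.5 padding, which is deterministic.
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$privkey" | b64url)
  printf '%s.%s' "$signing_input" "$sig"
}

# Verify with the public key. Prints "ok" or "bad" and leaves the token unchanged.
verify_jwt() {
  local pubkey="$1" jwt="$2"
  local signing_input="${jwt%.*}"   # header.payload, exactly as signed
  local sig_b64url="${jwt##*.}"
  local padded="$sig_b64url" sigfile
  sigfile=$(mktemp)
  # Undo base64url: restore padding to a multiple of 4, then '_-' -> '/+', then decode.
  while [ $(( ${#padded} % 4 )) -ne 0 ]; do padded="${padded}="; done
  printf '%s' "$padded" | tr '_-' '/+' | openssl base64 -d -A > "$sigfile"
  if printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile" >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
  rm -f "$sigfile"
}

# Stand-alone demo.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  workdir=$(mktemp -d)
  make_keys "$workdir"
  token=$(make_jwt "$workdir/private.pem" '{"sub":"demo","iat":1700000000}')
  echo "token:  $token"
  echo "verify: $(verify_jwt "$workdir/public.pem" "$token")"
  rm -rf "$workdir"
fi
```

Two things follow from this. Verification is a read-only operation on `header.payload` plus the signature and needs nothing but the public key, so any tool that asks for the private key and then hands back a different token is re-signing, not verifying. And because RS256 signing of byte-identical `header.payload` input is deterministic, a changed token from such a tool means it re-serialized the header or payload (whitespace, claim ordering, an added claim) before signing; comparing the decoded header and payload of the two tokens shows exactly what it altered, and that is what the API is actually checking against.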