Verify JWT token with Certificate

Question

Verify JWT token with Certificate

XM37 opened this issue 5 years ago · comments

Hello,

is it possible to verify the JWT token with a certificate? I tried it with following code line:

auto dec_obj = jwt::decode(token, jwt::params::algorithms({"rs256"}), jwt::params::aud(audience), jwt::params::secret(key), jwt::params::verify(true));

but i get the following exception:
verification failed

What is wrong? How can i verify the signature with using a certificate

Arun Muralidharan · Answer 1 · Sun Apr 07 2019 19:04:59 GMT+0800 (China Standard Time)

Hello,
Can you post a complete example reproducing the issue ?

Thanks

XM37 · Answer 2 · Mon Apr 08 2019 17:31:19 GMT+0800 (China Standard Time)

yes of course:

auto key = read_from_file("/home/dev.cer");
auto audience = "https://dev-py4fdrqn.eu.auth0.com/api/v2/";

auto dec_obj = jwt::decode(token, jwt::params::algorithms({"rs256"}), jwt::params::aud(audience), jwt::params::secret(key), jwt::params::verify(true));

This is the JWT Token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlFVSXhNMFV3UVVZek5EVTROVFZHTkRneFJEUTVNVEZEUlVORk9EWTJRVEkzT1RBeE1rVXhNQSJ9.eyJpc3MiOiJodHRwczovL2Rldi1weTRmZHJxbi5ldS5hdXRoMC5jb20vIiwic3ViIjoiaHkwR0N2b3lCMGlTZXpQemc4UFQ2ZUNFeEs2TmVPRldAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vZGV2LXB5NGZkcnFuLmV1LmF1dGgwLmNvbS9hcGkvdjIvIiwiaWF0IjoxNTU0NzE1NzM1LCJleHAiOjE1NTQ3OTYxMzUsImF6cCI6Imh5MEdDdm95QjBpU2V6UHpnOFBUNmVDRXhLNk5lT0ZXIiwic2NvcGUiOiJyZWFkOmNsaWVudF9ncmFudHMgY3JlYXRlOmNsaWVudF9ncmFudHMgZGVsZXRlOmNsaWVudF9ncmFudHMgdXBkYXRlOmNsaWVudF9ncmFudHMgcmVhZDp1c2VycyB1cGRhdGU6dXNlcnMgZGVsZXRlOnVzZXJzIGNyZWF0ZTp1c2VycyByZWFkOnVzZXJzX2FwcF9tZXRhZGF0YSB1cGRhdGU6dXNlcnNfYXBwX21ldGFkYXRhIGRlbGV0ZTp1c2Vyc19hcHBfbWV0YWRhdGEgY3JlYXRlOnVzZXJzX2FwcF9tZXRhZGF0YSBjcmVhdGU6dXNlcl90aWNrZXRzIHJlYWQ6Y2xpZW50cyB1cGRhdGU6Y2xpZW50cyBkZWxldGU6Y2xpZW50cyBjcmVhdGU6Y2xpZW50cyByZWFkOmNsaWVudF9rZXlzIHVwZGF0ZTpjbGllbnRfa2V5cyBkZWxldGU6Y2xpZW50X2tleXMgY3JlYXRlOmNsaWVudF9rZXlzIHJlYWQ6Y29ubmVjdGlvbnMgdXBkYXRlOmNvbm5lY3Rpb25zIGRlbGV0ZTpjb25uZWN0aW9ucyBjcmVhdGU6Y29ubmVjdGlvbnMgcmVhZDpyZXNvdXJjZV9zZXJ2ZXJzIHVwZGF0ZTpyZXNvdXJjZV9zZXJ2ZXJzIGRlbGV0ZTpyZXNvdXJjZV9zZXJ2ZXJzIGNyZWF0ZTpyZXNvdXJjZV9zZXJ2ZXJzIHJlYWQ6ZGV2aWNlX2NyZWRlbnRpYWxzIHVwZGF0ZTpkZXZpY2VfY3JlZGVudGlhbHMgZGVsZXRlOmRldmljZV9jcmVkZW50aWFscyBjcmVhdGU6ZGV2aWNlX2NyZWRlbnRpYWxzIHJlYWQ6cnVsZXMgdXBkYXRlOnJ1bGVzIGRlbGV0ZTpydWxlcyBjcmVhdGU6cnVsZXMgcmVhZDpydWxlc19jb25maWdzIHVwZGF0ZTpydWxlc19jb25maWdzIGRlbGV0ZTpydWxlc19jb25maWdzIHJlYWQ6ZW1haWxfcHJvdmlkZXIgdXBkYXRlOmVtYWlsX3Byb3ZpZGVyIGRlbGV0ZTplbWFpbF9wcm92aWRlciBjcmVhdGU6ZW1haWxfcHJvdmlkZXIgYmxhY2tsaXN0OnRva2VucyByZWFkOnN0YXRzIHJlYWQ6dGVuYW50X3NldHRpbmdzIHVwZGF0ZTp0ZW5hbnRfc2V0dGluZ3MgcmVhZDpsb2dzIHJlYWQ6c2hpZWxkcyBjcmVhdGU6c2hpZWxkcyBkZWxldGU6c2hpZWxkcyByZWFkOmFub21hbHlfYmxvY2tzIGRlbGV0ZTphbm9tYWx5X2Jsb2NrcyB1cGRhdGU6dHJpZ2dlcnMgcmVhZDp0cmlnZ2VycyByZWFkOmdyYW50cyBkZWxldGU6Z3JhbnRzIHJlYWQ6Z3VhcmRpYW5fZmFjdG9ycyB1cGRhdGU6Z3VhcmRpYW5fZmFjdG9ycyByZWFkOmd1YXJkaWFuX2Vucm9sbG1lbnRzIGRlbGV0ZTpndWFyZGlhbl9lbnJvbGxtZW50cyBjcmVhdGU6Z3VhcmRpYW5fZW5yb2xsbWVudF90aWNrZXRzIHJlYWQ6dXNlcl9pZHBfdG9rZW5zIGNyZWF0ZTpwYXNzd29yZHNfY2hlY2tpbmdfam9iIGRlbGV0ZTpwYXNzd29yZHNfY2hlY2tpbmdfam9iIHJlYWQ6Y3VzdG9tX2RvbWFpbnMgZGVsZXRlOmN1c3RvbV9kb21haW5zIGNyZWF0ZTpjdXN0b21fZG9tYWlucyByZWFkOmVtYWlsX3RlbXBsYXRlcyBjcmVhdGU6ZW1haWxfdGVtcGxhdGVzIHVwZGF0ZTplbWFpbF90ZW1wbGF0ZXMgcmVhZDptZmFfcG9saWNpZXMgdXBkYXRlOm1mYV9wb2xpY2llcyByZWFkOnJvbGVzIGNyZWF0ZTpyb2xlcyBkZWxldGU6cm9sZXMgdXBkYXRlOnJvbGVzIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.pGfCyHRJbIvwm8orEwl4LPXdti_12IXycUK9u6AQX_8Lgf4CeawkwHB_HfqWlOKPBXmiLr3j0bPOnzMJlaKyw2e7L3-t3jerxRBlV0Cyv4iSwITJFefrlWRwuXJEcOQ3zoRk1Ump7muIli6hk8eGcUvQUFY0UGEhDzokPoZ2Y6BWgWhO6ucKjfVaBqhaN2lGgJ17pkHKNB5tklpid3Il1EIG3d1i0Q5B890PCyhzxx2jcmZOBNJ4rLZEv-hIQQ_cXfP3neMRYiDapTvNwCAs26h7s5TupFL6zi6q6U3ljZtWf9qCsE4j0awRF5xpIx1Jhtj4UzpXLdcaoKz_-b_xLw

And this is the certificate:

-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIJfY/8dwGq2Hy4MA0GCSqGSIb3DQEBCwUAMCQxIjAgBgNV
BAMTGWRldi1weTRmZHJxbi5ldS5hdXRoMC5jb20wHhcNMTkwMzI5MTQxNTI3WhcN
MzIxMjA1MTQxNTI3WjAkMSIwIAYDVQQDExlkZXYtcHk0ZmRycW4uZXUuYXV0aDAu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuguQJElINdbXA8Dn
S2w03cQN9xWMsUehZndAM5g53bTChQPaGf851dHZ4+F8ljXdu4kuiRUO69w8Oe3O
cEsCd5HVEsDtTVD5YZoJpys2GuJy6euFUYLxHvdbHJgidc5JmdRP8QTxwgec+kBt
4e8lIm1RcFe5iCLxTRhZC416xDFfNTJkMW8VmSCk0MxhJmxl0Ow6NAvPeSLgIWQS
7aU6Y5fSdUpMjyD+EPfN6OOgYMGo7AgPsJ4yMDRTQAuMOyGzbsip6QJvRzvewMV8
aDWKqbJbQoyyNdkuhm5BZm/Bj/hArldWBU6VS4ZgtsIshFiuv+65ohirMstV1hXU
7zAisQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTg4bpRRiF7
eOw/svOGRtnTW5flhzAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcNAQELBQADggEB
AB98aje6ryqjP+AJZ4IvHTNRUgo8t+kgNa/RbEUFnlQLYvUV+gMerBMF7iJzUBdo
s0VVc5OITD57/uyiNlmI47YRy6kljzFZC/Dlx1r9iTi9ES5vtsp+o+/Y8nr+0XLL
vlTTPqJfFo0JMw2OIudNS28Qiz9uPf7RLM80tsMkYBTfCuoukefktSkAYpOuvmUP
C92eV4C/I49gA9dZglYV0Xj6T5wigACzgfEArsja4OSDnmkOECEE3WM5RfGmRL+/
GDm79VPB7a3wqMhozC3qLuOHOmVl6tV/nG+o28u3rvcUydVx0y+4OHDJQvtBgkKX
WhIugkp3a81Oy0xHM1aa4zo=
-----END CERTIFICATE-----

Arun Muralidharan · Answer 3 · Tue Apr 09 2019 16:07:18 GMT+0800 (China Standard Time)

Thanks.
I am getting below failure reason:
C++ exception with description "token expired" thrown in the test body.

There are the header and payload with verification turned off:

{"alg":"RS256","kid":"QUIxM0UwQUYzNDU4NTVGNDgxRDQ5MTFDRUNFODY2QTI3OTAxMkUxMA","typ":"JWT"}
{"aud":"https://dev-py4fdrqn.eu.auth0.com/api/v2/","azp":"hy0GCvoyB0iSezPzg8PT6eCExK6NeOFW","exp":1554796135,"gty":"client-credentials","iat":1554715735,"iss":"https://dev-py4fdrqn.eu.auth0.com/","scope":"read:client_grants create:client_grants delete:client_grants update:client_grants read:users update:users delete:users create:users read:users_app_metadata update:users_app_metadata delete:users_app_metadata create:users_app_metadata create:user_tickets read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys read:connections update:connections delete:connections create:connections read:resource_servers update:resource_servers delete:resource_servers create:resource_servers read:device_credentials update:device_credentials delete:device_credentials create:device_credentials read:rules update:rules delete:rules create:rules read:rules_configs update:rules_configs delete:rules_configs read:email_provider update:email_provider delete:email_provider create:email_provider blacklist:tokens read:stats read:tenant_settings update:tenant_settings read:logs read:shields create:shields delete:shields read:anomaly_blocks delete:anomaly_blocks update:triggers read:triggers read:grants delete:grants read:guardian_factors update:guardian_factors read:guardian_enrollments delete:guardian_enrollments create:guardian_enrollment_tickets read:user_idp_tokens create:passwords_checking_job delete:passwords_checking_job read:custom_domains delete:custom_domains create:custom_domains read:email_templates create:email_templates update:email_templates read:mfa_policies update:mfa_policies read:roles create:roles delete:roles update:roles","sub":"hy0GCvoyB0iSezPzg8PT6eCExK6NeOFW@clients"}

Arun Muralidharan · Answer 4 · Tue Apr 09 2019 16:07:37 GMT+0800 (China Standard Time)

Would it be possible to share the private key as well ?

XM37 · Answer 5 · Thu Apr 11 2019 16:00:56 GMT+0800 (China Standard Time)

I don't have any private key. Its a third-party app.
So I found a solution: I must extract the public key from the certificate and than it works!