Invalid JWT signature

A Former User

Hi folks,

We use the endpoint /oauth2/token and we receive the tokens. We copy paste the tokens in jwt.io to check signature validity (we also copy paste the secret). Strangely enough

• access_token seems to have an invalid signature
• id_token seems to have a valid signature

Is this normal ? We would like to use the access_token because it contains user roles. The automatic JWT token validation built in Asp.net Core rejects it.

Kind regards

joshua

@lionel-selosse

Thanks for the question!

If you are accessing our token endpoint and asking for a token, and have an invalid signature - there could be a few causes. It may be related to how you are checking the signature. There are a few ways to do this if using a third-party library to validate a signature and there is room for error -- as I have experienced myself

I was able to take the client secret (from the OAuth configuration screen Applications > Your App > OAuth tab) and validate a recently generated access token using the following curl command

curl --request POST \
  --url https://local.fusionauth.io/oauth2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data client_id=<your_client_id> \
  --data client_secret=<your_secret> \
  --data code=<your_auth_code> \
  --data redirect_uri=http://www.google.com

JWT.io verified the signature as valid:

One thing to confirm is if you are on the latest version of FusionAuth.

Aside from that, please feel free to log an issue below with the details of your bug.

https://github.com/FusionAuth/fusionauth-issues/issues/new/choose

Thanks,
Josh

A Former User

Hi @joshua thanks for the feedback.

Regarding the client secret, the one I use starts with Q9 and ends with dA . It's the one for delta-dev application. Are we using the same ?

I don't understand your remark regarding latest version of FusionAuth. This service is on the cloud right ? You are updating it, no ? It's not on premises AFAIK ? I see in the menu "FusionAuth version 1.28.1" . Is this the latest version ? If not, how should we upgrade ?

If you prefer to create an issue instead of talking on this forum, l can create a ticket.

Thanks

A Former User

Forget my answer above. I just realize we use FusionAuth on premises and not on the cloud. We will see how we can upgrade our old version.

joshua

@lionel-selosse

I don't understand your remark regarding latest version of FusionAuth

This was only to indicate that if you are on an older version of FusionAuth, then the fix might be to upgrade to a newer version, especially if the release notes indicate that a fix may have been implemented.

Thanks,
Josh

joshua

@lionel-selosse

We have a section in our documentation that covers upgrading which you may find helpful as well.

• https://fusionauth.io/docs/v1/tech/admin-guide/upgrade

Thanks,
Josh

A Former User

Thanks @joshua I'll transmit the link to our infra team. Hopefully upgrade will happen soon. Currently we use version 1.28.1, from one year ago. Do you think upgrade could affect JWT signatures ?

neuerloyed

This post is deleted!

larsenlola06

This post is deleted!