FusionAuth

    Posts made by yuji.kosugi

    • RE: Can't manually verify RS256 JWT

      Hi there,

      I was just double-checking this, and the algorithm dropdown doesn't need to be manually set since it automatically changes to the value of the algorithm in the header.

      But while testing this I actually got it to verify; not sure what was different each time since I could have sworn I tried both the public key and the certificate with and without the PEM headers (looks like the PEM headers are definitely necessary), but maybe I was using the wrong key or something.

      Anyway thanks for looking into this!

      posted in Q&A
      yuji.kosugi
    • RE: Can't manually verify RS256 JWT

      Hmm, oddly enough I can manually verify the JWT using fusionauth-jwt with e.g. new JWTDecoder().decode(accessToken, RSAVerifier.newVerifier(myPublicKey)).toString(), where myPublicKey is the PEM-encoded key.

      Still not working on jwt.io, though, whether I use the RSA public key or certificate in Base64 or PEM.

      posted in Q&A
      yuji.kosugi
    • Can't manually verify RS256 JWT

      Re: Manually verifying a JWT

      I'm having an issue similar to the one in the thread above, except that I have no problem manually verifying a JWT signed with the default signing key (HS256), following the instructions in the thread above.

      But if I switch to using RS256, with the following steps:

      1. Go to Edit Application/JWT, and change Access Token signing key to "Auto generate a new key on save..."
      2. Save, and generate a new JWT token
      3. Generate a new JWT
      4. Get the Base64 encoded public key from Settings/Key Master/View/"Access token signing key generated for application foo"
      5. If I paste 3. and 4. into jwt.io it says the signature is invalid.

      If I do the above steps but skip 1. and use the HS256 default signing key the signature is verified without a hitch so I'm not sure what the problem is. I've also verified that the Kid in my JWT header matches the Kid when I view the RSA key in key master.

      Would appreciate any help with this because I'd really like to independently verify JWT without hitting the FusionAuth server, and I also don't want to use the HMAC secret in my app backend.

      (PS this is on FusionAuth 1.29.3; key was generated with Java client 1.29.1)

      posted in Q&A
      yuji.kosugi
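
Added example, not part of the posts above and not FusionAuth code: an offline RS256 check in Node.js that pins the algorithm and accepts the public key only as PEM text with its BEGIN/END lines, which is the detail the thread turned on. The key pair, token, `kid` value and function names are constructed here for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (text) => Buffer.from(text, "base64url");

// Constructed sample: a throwaway RSA key pair standing in for the
// application's generated RS256 signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
});
const publicPem = publicKey.export({ type: "spki", format: "pem" });

// Hypothetical helper: sign constructed claims the way an RS256 issuer would.
function signSample(claims, alg = "RS256") {
  const head = b64url(JSON.stringify({ alg, typ: "JWT", kid: "sample-kid" }));
  const body = b64url(JSON.stringify(claims));
  const sig = nodeCrypto.sign("RSA-SHA256", Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify an RS256 JWT offline; returns the claims or throws.
function verifyRs256(token, pem, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(fromB64url(head).toString("utf8"));
  // Pin the algorithm; the token header must not be able to select HS256 or "none".
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  // Require PEM text with its BEGIN/END lines, not a bare Base64 string.
  const pemHeader = /^-----BEGIN ((RSA )?PUBLIC KEY|CERTIFICATE)-----/;
  if (!pemHeader.test(String(pem).trim())) throw new Error("key is not PEM");
  const key = nodeCrypto.createPublicKey(pem);
  if (key.asymmetricKeyType !== "rsa") throw new Error("not an RSA key");
  const signed = Buffer.from(`${head}.${body}`);
  if (!nodeCrypto.verify("RSA-SHA256", signed, key, fromB64url(sig))) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(fromB64url(body).toString("utf8"));
  if (typeof claims.exp === "number" && claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

const token = signSample({ sub: "constructed-user", exp: 2000000000 });
console.log(verifyRs256(token, publicPem, 1700000000));
```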