cdbattags / lua-resty-jwt

JWT For The Great Openresty
Apache License 2.0

Unable to load JWT: invalid jwt string #35

Closed thomasleplus closed 3 years ago

thomasleplus commented 4 years ago

Hello,

Sorry I am a complete beginner at Lua so I am probably missing something obvious but I am trying to decode a JWT like this:

-- the token to decode (signature part shown; middle segment elided on the page)
local jwt_string = 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJESXl1cmFIN3VUYVpXQ1I4SWRfWHdwd2FaZmFod2I5TDRaRkg1U3VlYmw0In0.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.N9FkS6AuzxJKoQcE1pk2hwEGZ0IEItQMHviHz0tjdtvcKQuKKtVi8t7RX8asQbKV2byt-D0DmfEHdnlig40HfCmOmZDJa6U1eGHwXmxC-U_AS_5Y5uJu33SPF8mv_PMVqSPvJp_YE8WJeiUgMiPdt5iyE_MYdmDdcvW27hPB93CymwQppLaJERzw4q4lZum0c6aJpwFM42Gkx5e5ZVTO3Du7F0-fbL9yHm_pBB_CZDXztrVfB2kcE517T6ytIN1_PEv8LOXZcjlSKqXiOUSOGmmtGmR5BV8GZO0MGhJIu5gA8-NcI-egWHJB6ZDAuqrJZ5j70mRda8e89tJAi1XBYw'

-- parse the token with lua-resty-jwt
local jwt_object = require('resty.jwt').load_jwt(jwt_string)

-- serialize the returned object and write it to the error log at debug level
local json = require('cjson').encode(jwt_object)
ngx.log(ngx.DEBUG, json)

But what I am getting is:

{"valid":false,"reason":"invalid jwt string","verified":false}

When I test the same JWT on https://jwt.io/#debugger-io?token=... it decodes successfully (but they could be using a more lenient parser) and the signature seems valid.

Any idea what the problem could be? I am using v0.2.2 in case it matters.

Cheers,

Tom

cdbattags commented 4 years ago

Hi @thomasleplus, you can't just load without setting the algorithm. Can you potentially edit your post to have multiple lines to be sure I'm reading the code correctly?

cdbattags commented 4 years ago

This package supports many different signatures out of the box like HMAC and different versions of RSA so you have to set them before you can load and verify.

thomasleplus commented 3 years ago

Hi @cdbattags,

First of all thanks for trying to help me. I have reformatted my code example for better readability.

I am not sure I understand your point about setting the algorithm. I thought that the JWT header was declaring the algorithm being used. In my example, if I decode the JWT, the header says that the signature algorithm used is RS256 (RSA + SHA-256):

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "DIyuraH7uTaZWCR8Id_XwpwaZfahwb9L4ZFH5Suebl4"
}

Either way, I am not trying to validate the token's crypto here. I just want to base64 decode / pretty print the token (for debug log purposes). So maybe I am using the wrong method here, i.e. load_jwt()?

Regards,

Tom
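For reference, here is an added example (editor's code, not from this thread or the lua-resty-jwt project) of decoding a token for debug logging and then verifying it with lua-resty-jwt. The library's functions take the module table as their first parameter, so the README calls them with a colon (`jwt:load_jwt(str)`); with a dot call, as in the snippet above, the token string is bound to that first parameter and the token parameter is nil, which `load_jwt` reports as "invalid jwt string". The example assumes it runs in an OpenResty access phase with lua-resty-jwt installed; the Authorization header as token source, the `resty.jwt-validators` claim check, and the PEM public key are assumptions or placeholders.

```lua
-- Added example, not part of the issue thread or the lua-resty-jwt project.
-- Assumes OpenResty + lua-resty-jwt; key material and token source are placeholders.
local jwt        = require "resty.jwt"
local validators = require "resty.jwt-validators"
local cjson      = require "cjson"

-- Assumed token source: a "Bearer <token>" Authorization header.
local auth = ngx.var.http_authorization or ""
local jwt_string = auth:match("^Bearer%s+(.+)$")

-- Colon call: the module is passed as 'self', the token as the second argument.
local jwt_obj = jwt:load_jwt(jwt_string)
if not jwt_obj.valid then
    ngx.log(ngx.WARN, "could not parse token: ", jwt_obj.reason)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- load_jwt only splits and base64url-decodes the three segments. At this point
-- jwt_obj.verified is false and nothing in header or payload has been checked,
-- so these values are logged for debugging only, never acted on.
ngx.log(ngx.DEBUG, "jwt header:  ", cjson.encode(jwt_obj.header))
ngx.log(ngx.DEBUG, "jwt payload: ", cjson.encode(jwt_obj.payload))

-- Pin the accepted algorithm so the token's own "alg" header cannot pick a
-- weaker one than the deployment expects.
jwt:set_alg_whitelist({ RS256 = 1 })

-- For RS256 the "secret" is the issuer's PEM-encoded public key (placeholder).
local public_key_pem = [[-----BEGIN PUBLIC KEY-----
PLACEHOLDER_PUBLIC_KEY
-----END PUBLIC KEY-----]]

-- Verify the signature and the exp claim against the already-parsed object.
local verified = jwt:verify_jwt_obj(public_key_pem, jwt_obj, {
    exp = validators.is_not_expired(),
})
if not verified.verified then
    ngx.log(ngx.WARN, "token rejected: ", verified.reason)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

ngx.log(ngx.INFO, "token verified for sub=", tostring(verified.payload.sub))
```

The decoded header and payload are available as `jwt_obj.header` and `jwt_obj.payload` (tables) before verification, which covers the "pretty print for debug logs" case; `verified.verified` only becomes true after `verify_jwt_obj` succeeds with the pinned algorithm and the public key.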

marrobi commented 3 years ago

@thomasleplus did you get a solution to this? I hit the same challenge today.

thomasleplus commented 3 years ago

Hi @marrobi, no I have not resolved my issue yet.

marrobi commented 3 years ago

For now I am using resty.openidc and jwt_verify. This seems to wrap load_jwt, and returns the json object I wanted.

thomasleplus commented 3 years ago

Thanks @marrobi, it worked. jwt_verify only gives me the decoded JWT payload, not the header, but I can live with that.