Signature verification failed' on JWT::decode using JWKs

[qlixes]

step reproduce :

    public function decode(string $token)
    {
        // The URI for the JWKS you wish to cache the results from
        $jwksUri = "https://player-auth.services.api.unity.com/.well-known/jwks.json";

        // Create an HTTP client (can be any PSR-7 compatible HTTP client)
        $httpClient = new Client();

        // Create an HTTP request factory (can be any PSR-17 compatible HTTP request factory)
        $httpFactory = new HttpFactory();

        // Create a cache item pool (can be any PSR-6 compatible cache item pool)
        $cacheItemPool = CacheManager::getInstance('files');

        $keySet = new CachedKeySet(
            $jwksUri,
            $httpClient,
            $httpFactory,
            $cacheItemPool,
            null, // $expiresAfter int seconds to set the JWKS to expire
            true  // $rateLimit    true to enable rate limit of 10 RPS on lookup of invalid keys
        );

        return JWT::decode($token, $keySet, ['RS256']);
    }

composer.json :

    "require": {
        "php": "^8.0.2",
        "aws/aws-sdk-php": "^3.234",
        "firebase/php-jwt": "^6.4",
        "guzzlehttp/guzzle": "^7.2",
        "laravel/framework": "^9.19",
        "laravel/sanctum": "^3.0",
        "laravel/tinker": "^2.7",
        "phpfastcache/phpfastcache": "^9.1",
        "predis/predis": "^2.0"
    },

access_token :

eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpBNTYwOTVEQS0xODJDLTQ1MjMtOUQyNS1DNzlEMzNBNEY5OUIiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiaWRkOmI5ZThkNWRjLWVmNTMtNGU2ZS04YmU2LWEwNDllMjRlNGU5OSIsImVudk5hbWU6cHJvZHVjdGlvbiIsImVudklkOmMxZWYzZmM2LTdhMjktNDUzMy1hNTVjLTI5ZTliOTY0MDA0NCIsInVwaWQ6NTAxZTgyZGYtMDMzNS00YTIzLWI5NzktNGE3NWIyMTJjOTE2Il0sImV4cCI6MTY4MTIwNzI2NywiaWF0IjoxNjgxMjAzNjY3LCJpZGQiOiJiOWU4ZDVkYy1lZjUzLTRlNmUtOGJlNi1hMDQ5ZTI0ZTRlOTkiLCJpc3MiOiJodHRwczovL3BsYXllci1hdXRoLnNlcnZpY2VzLmFwaS51bml0eS5jb20iLCJqdGkiOiJlYTViNDM1OC1mOGM5LTQ3MzMtODYyNi0zYTkzNzBiZGU5ZDgiLCJuYmYiOjE2ODEyMDM2NjcsInByb2plY3RfaWQiOiI1MDFlODJkZi0wMzM1LTRhMjMtYjk3OS00YTc1YjIxMmM5MTYiLCJzaWduX2luX3Byb3ZpZGVyIjoiZ29vZ2xlLXBsYXktZ2FtZXMiLCJzdWIiOiI3bzdqczBzQ0Q3TU9lOG05bGVuOXJ6Q0hLZEY4IiwidG9rZW5fdHlwZSI6ImF1dGhlbnRpY2F0aW9uIiwidmVyc2lvbiI6IjEifQ.Pv4wCuykaxtJLCO2UEFVVt-NTWkaaSJxNcjethqcsEvGy3Yc7n_p6ZJ6I72nZNF4jSX-0tJ9AH2A_Tk1w9RbxABMpt3-O48oxyx5lN6RVV6HO2dejMJbAQDKbJ1rq9XEHQiZe-EZ6ZQwf9dGb0NhkAbalYCMJsi1SdXttcWLb1_SRpgY8syvwwpEXRrlaqEip4jrYmJ

while decoded access_token on https://jwt.io, success showed headers :

{
  "alg": "RS256",
  "kid": "public:A56095DA-182C-4523-9D25-C79D33A4F99B",
  "typ": "JWT"
}

while add laravel Log, it shown empty key, so verify will "false".

Please let me know if I did something wrong. Thank you a lot

[Kipjr]

Don't do this in production!

Before the line return false; of ./vendor/firebase/php-jwt/src/JWT.php make these modifications:

                if ($success === 0) {
                    return false;
                    echo('<pre>');  // add this
                    print_r( \openssl_error_string() ); // add this
                    echo('</pre>'); // add this

It returned this:

error:0480006C:PEM routines::no start line

btw I'm using https://login.microsoftonline.com/common/discovery/v2.0/keys as $jwksUri

[vishwarajanand]

@Kipjr thanks for sharing a tip to print the openssl_error_string, I believe it should be empty if openssl_verify succeeds. @qlixes was the above log shared by useful for you? It wasn't clear to me whether you wanted to just show the key in laravel or asking about auth?