lcobucci / jwt

A simple library to work with JSON Web Token and JSON Web Signature
https://lcobucci-jwt.readthedocs.io/en/stable/
BSD 3-Clause "New" or "Revised" License

RS256 appears to give too long tokens #1066

Closed scubasoft closed 5 months ago

scubasoft commented 5 months ago

I have to create a JWT for DocuSign authentication, per the example in Step 2, here: https://developers.docusign.com/platform/auth/jwt/jwt-get-token/

I have adapted the example from https://lcobucci-jwt.readthedocs.io/en/stable/issuing-tokens/ . Since I have to use RS256, I am using use Lcobucci\JWT\Signer\Rsa\Sha256; and $algorithm = new Sha256();

The "header" token from the DocuSign Step 2 instructions is created by the following:

$token = $tokenBuilder
    ->withHeader('alg', 'RS256')
    ->withHeader('typ', 'JWT')
    ->getToken($algorithm, $signingKey);

Now, in the DocuSign instructions, the resulting header token is 35 characters, but my code above produces a token that is 383 characters long. I would very much appreciate some guidance here.

Many thanks.

Ocramius commented 5 months ago

I would unlikely ever expect a JWT token to be that short: the signature alone is going to be longer than 35 chars.

scubasoft commented 5 months ago

Thanks for the quick reply.

The same short header token can be seen at https://jwt.io/, where the red text is the encoded header. 36 characters for RS256.

SvenRtbg commented 5 months ago

There is a misunderstanding in your reading of the docs.

There is no such thing as a header token. A JWT consists of header, body and signature, concatenated with dots. If you create a token with only the "alg" info in the header, this part will be short, as it is only converted to JSON, then base64 encoded.

Don't split a JWT into pieces and try to recreate them individually. That's not how this works.

lcobucci commented 5 months ago

If you paste your generated token into jwt.io, you will see the contents used there and the length of each section (as @SvenRtbg explained).

scubasoft commented 5 months ago

Thank you.

I haven’t found any documentation for how to set the signature with this library. Is there any such help anywhere, or do I just have to go through the whole library code and figure things out that way?


Ocramius commented 5 months ago

I haven’t found any documentation for how to set the signature with this library.

That's done by the library when signing your token.

https://github.com/lcobucci/jwt/blob/871f751483551452fa4caaa14b01b15702d8752a/docs/quick-start.md#issuing-tokens

The produced token is already signed.

scubasoft commented 5 months ago

Many thanks.

That example produces a different token compared to the TokenBuilder example, and looks more correct. I will continue with this.


scubasoft commented 5 months ago

Sorry to keep going on this, but when I paste the resulting JWT into http://jwt.io, I get “Invalid Signature”.

I don’t know anywhere else to get help with this.

Thanks again.


lcobucci commented 5 months ago

It will give you that because it doesn't know your validation key (public key).

If you want to validate the signature there, you need to select the right algorithm, paste the public key, and then paste the generated token.

scubasoft commented 5 months ago

OK, thank you. I just tried that tool (jwt.io, http://jwt.io) because the Docusign service claimed that my JWT (or parts of it) is invalid.

Do you see anything obviously wrong with the following code?

<?php

use DateTimeImmutable;
use Lcobucci\JWT\Token\Builder;
use Lcobucci\JWT\JwtFacade;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;

$privateKey = file_get_contents("/path/to/my/docusign/private.key");
$signingKey = InMemory::plainText($privateKey);

$token = (new JwtFacade())->issue(
    new Sha256(),
    $signingKey,
    static fn (
        Builder $builder,
        DateTimeImmutable $issuedAt
    ): Builder => $builder
        ->issuedBy('96bea52d-xxxx-xxxx-xxxx-xxxxb64846f0')
        ->permittedFor('account.docusign.com')
        ->issuedAt($issuedAt)
        ->expiresAt($issuedAt->modify('+65 minute'))
        ->withClaim('scope', "signature impersonation")
);

Thanks again,

Andreas


lcobucci commented 5 months ago

Based on their documentation you are missing the subject claim (user id).

I'd advise you to reach out to them, to verify if there is something else missing.

scubasoft commented 5 months ago

Oh, that's embarrassing. Many thanks for taking the time! Greatly appreciated.


scubasoft commented 4 months ago

So, I added:

->withClaim('sub', "[theUserID]")

Right after ->withClaim('scope', "signature impersonation"), but I’m getting the error:

Lcobucci\JWT\Token\RegisteredClaimGiven: Builder#withClaim() is meant to be used for non-registered claims, check the documentation on how to set claim "sub" in Lcobucci\JWT\Token\RegisteredClaimGiven::forClaim()

Which unfortunately doesn’t tell me anything.

I think this is why I failed to add the user ID at first, because I didn’t find any documentation on how to do it. How would I add this “sub” claim successfully?

Thank you.


SvenRtbg commented 4 months ago

Which documentation were you reading? Can you give a link?

scubasoft commented 4 months ago

This: https://github.com/lcobucci/jwt/blob/871f751483551452fa4caaa14b01b15702d8752a/docs/quick-start.md#issuing-tokens

Before that I was following https://lcobucci-jwt.readthedocs.io/en/stable/issuing-tokens/ , without any luck.


scubasoft commented 4 months ago

OK, I tried the part from the first example again, with “relatedTo” for the sub-claim, which at least doesn’t throw the same error now.

I will get in touch with the DocuSign support for the remaining errors, which are hopefully related to their service.

Thanks again for your help.

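Pulling the thread's three points together in one added end-to-end example (my code, not from the issue or from the library's own docs; it assumes lcobucci/jwt 5.x with lcobucci/clock installed via Composer, a 2048-bit RSA key pair at placeholder paths, and placeholder DocuSign identifiers): the registered "sub" claim is set with relatedTo() rather than withClaim(), the issued token is split into its three dot-separated sections to show where the length comes from, and the signature is verified locally with the public key, which is the check jwt.io can only perform once that key is pasted in.

```php
<?php
// Added example (not from the thread or the library docs). Assumes lcobucci/jwt 5.x
// and lcobucci/clock via Composer, a 2048-bit RSA key pair at the placeholder paths,
// and placeholder DocuSign identifiers (integration key as iss, user id as sub).
require __DIR__ . '/vendor/autoload.php';

use DateTimeImmutable;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\JwtFacade;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Token\Builder;
use Lcobucci\JWT\Validation\Constraint\RelatedTo;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;

$userId     = '11111111-1111-1111-1111-111111111111';      // placeholder DocuSign user id
$signer     = new Sha256();
$privateKey = InMemory::file('/path/to/private.key');      // placeholder path
$publicKey  = InMemory::file('/path/to/public.key');       // placeholder path

$token = (new JwtFacade())->issue(
    $signer,
    $privateKey,
    static fn (Builder $builder, DateTimeImmutable $issuedAt): Builder => $builder
        ->issuedBy('00000000-0000-0000-0000-000000000000')  // placeholder integration key
        // "sub" is a registered claim: relatedTo() sets it; withClaim('sub', ...) throws RegisteredClaimGiven
        ->relatedTo($userId)
        ->permittedFor('account.docusign.com')
        ->issuedAt($issuedAt)
        ->expiresAt($issuedAt->modify('+65 minutes'))
        ->withClaim('scope', 'signature impersonation'),
);

// A compact JWS is header.payload.signature, each base64url-encoded. With a 2048-bit
// key the RS256 signature alone is 342 characters, so a token of a few hundred
// characters is the expected shape, not a sign that something went wrong.
[$header, $payload, $signature] = explode('.', $token->toString());
printf("header=%d payload=%d signature=%d\n", strlen($header), strlen($payload), strlen($signature));

// Verify locally with the *public* key before sending the token anywhere; jwt.io
// reports "Invalid Signature" until it is given this same public key.
$verified = (new JwtFacade())->parse(
    $token->toString(),
    new SignedWith($signer, $publicKey),
    new StrictValidAt(SystemClock::fromUTC()),
    new RelatedTo($userId),
);
echo 'sub=', $verified->claims()->get('sub'), PHP_EOL;
```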