Token validation with https://jwt.io/#debugger

ms1 · May 17, 2017, 11:22pm

Hello, I have a question.
We have developped for our application our own JWT token creator + parser in Java. We used no lib, but just used the Java SDK and followed the relevant RFC spec or other descriptions found elsewhere.
During development we used the JSON Web Tokens - jwt.io to create tokens and to verify our own generated tokens. All works fine.

Purpose is to validate tokens generated by another party. Now we did first integration tests but found that the other party generates tokens, which our validator regards as invalid. On the other hand JSON Web Tokens - jwt.io accepts these tokens. To us these tokens definitely look like base64 rather than base64URL encoded which in our opinion is not spec conform.
JSON Web Tokens - jwt.io works in two direction. So if afterwards we use the tool to generate the token, it generates a different token, our validator accepts.

Can you tell us a reason why the other party token can be successfully validated with the tool?

ms1 · May 18, 2017, 3:18pm

We analyzed the third party token and the jwt.io validator behaviour:
As assumed the other party uses Base64 rather than Base64URL encoding.
The jwt.io validator obviously uses the received encoded header/payload string to generate the signature to compare with the received signature. According to RFC 7515: JSON Web Signature (JWS), chap. 5.2.8 this is wrong, because the comparison signature must be generated from a new generated header/payload string. If you do this, the Base64URL encoding problem would become obvious, and thus the token validation would fail.