Can't validate JWT token

We used this link to configure our WebApi to validate our tokens: Auth0 ASP.NET Web API (OWIN) SDK Quickstarts: Authorization

But we noticed something: if we remove part of the signature in the JWT token, the token is not rejected.

Hi @AnthonyDaSilva,

I recommend checking out our Validate Access Tokens documentation on how to validate a JWT Token.

I will mention that if you remove part of the signature in the JWT Token, you should expect an Invalid Signature error.

You can verify this by decoding it on jwt.io.

If you found this post helpful or interesting, please give it a like :+1: . Your interaction makes a difference. Have a wonderful day! :sun_with_face:

Thanks,
Rueben

I’ll look into it thanks.

Shouldn’t the middleware configuration prevent the call from going through if the token has been modified?

Hi @AnthonyDaSilva,

Thanks for the reply.

The token is allowed to be modified, like adding custom claims. Could you please clarify if the token you decoded is a JWT and has the correct payload?

Thanks,
Rueben

Hi,

Sorry for the confusion. By "modified" I meant someone with ill intent trying to forge a token or something like that.
I removed part of the signature of the token and it worked the same as the full token.

Thanks

Hi @AnthonyDaSilva,

Thanks for following up.

What part of the signature did you remove?

Can you please share the token you generated compared to the modified token? And the exact steps and code you used to perform these steps?

Thanks,
Rueben

Hi,

For example this one:

Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InlsUWJxZ2d4b0pCeTNHTkFqdVNPYiJ9.eyJodHRwczovL2V4YW1wbGUuY29tL2VtYWlsIjoiamFpcm8uc290b0BxdWFsaXRzZXJ2aWNlcy50ZWNoIiwiaXNzIjoiaHR0cHM6Ly9maW5hbWljLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MzExYzQxZjBmMTc2ZDExMTYwOGM5MDMiLCJhdWQiOlsiaHR0cHM6Ly9wcmVwcm9kLmFyYmlvbmFwcC5jb20vV2ViQXRyaXVtLyIsImh0dHBzOi8vZmluYW1pYy5ldS5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjkyODM2OTgzLCJleHAiOjE2OTI5MjMzODMsImF6cCI6Im5vNnZGNTlaUk5hcGpFUjI0WnVDb2gwNXBhWEM1M0tHIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.kAtw2CHXSK0P-kNxyEDz_3xFxuEOAvevFjbUYSSQmAPfhn0e16JyCztTFboK-iGigwKKQ6jbpTDPQpb9iv0OlsK1X80ReDAybyfus0q0HQhzc-muU_k_W7mDX_0aFO4_E3LEiIgMxLMmMw7G4xRtq2SDjNF6a52ZKFPcKioYk8CHWumGz_ZR1YhTGLW85nRG_rEjiAlFXS-1s6kCGDo9vdZ1Pb-AQ1S22FDEpbiPc5ZLRz2KYTJmsd_ERYadHV0IvRxdvZEwSSwyNcu-mt9XIICC1Fjv9PfElnvT7yWdmiodrI55TBO-c5zwqZqjY1tqKtp8G-jA1z5qu8tYzU165

I removed an arbitrary part by hand before using Postman to make a call to my APIs, and it went through.

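Decoding the first segment of the token posted above gives the JOSE header `{"alg":"RS256","typ":"JWT","kid":"ylQbqggxoJBy3GNAjuSOb"}`. Verifying an RS256 signature requires the issuer's public key from its JWKS endpoint, which a self-contained example cannot fetch, so the experiment from the thread (drop part of the signature, drop all of it, keep the signature but change the claims, switch the algorithm to `none`) is reproduced below against an HMAC-signed HS256 token built locally. This is an added example and not code from the thread, from the Auth0 quickstart or from the OWIN middleware; the secret, claims and audience URL are constructed for the demo, and only the header segment is taken from the page.

```python
import base64
import hashlib
import hmac
import json

# Header segment of the token posted in the thread above, copied from the page.
POSTED_HEADER = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InlsUWJxZ2d4b0pCeTNHTkFqdVNPYiJ9"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs strip the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_header(token: str) -> dict:
    """Read the JOSE header. This is what jwt.io displays; it proves nothing about authenticity."""
    return json.loads(b64url_decode(token.split(".")[0]))


def hs256_sign(payload: dict, key: bytes) -> str:
    """Build an HMAC-SHA256 signed JWT (constructed locally for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """Return True only if the signature covers header.payload exactly as presented."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # malformed base64 (binascii.Error) and malformed JSON both derive from ValueError
        return False
    # Pin the algorithm server-side: the token must never get to choose it ("none", or key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison; a truncated signature has the wrong length and fails here.
    return hmac.compare_digest(presented, expected)


def demo() -> dict:
    """Reproduce the experiment from the thread against a local HS256 token."""
    key = b"constructed-demo-secret"  # constructed for this example, not a real key
    payload = {"sub": "auth0|user", "aud": "https://api.example.test/", "scope": "openid"}
    token = hs256_sign(payload, key)
    header_b64, payload_b64, sig_b64 = token.split(".")

    truncated = token[:-10]                          # tail of the signature removed by hand
    no_signature = f"{header_b64}.{payload_b64}."    # signature removed entirely
    forged_payload = b64url_encode(b'{"sub":"auth0|admin","aud":"https://api.example.test/"}')
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"  # claims changed, original signature kept
    none_header = b64url_encode(b'{"alg":"none"}')
    alg_none = f"{none_header}.{payload_b64}."       # unsigned token claiming alg=none
    return {
        "intact": verify_hs256(token, key),
        "truncated": verify_hs256(truncated, key),
        "no_signature": verify_hs256(no_signature, key),
        "forged": verify_hs256(forged, key),
        "alg_none": verify_hs256(alg_none, key),
    }


if __name__ == "__main__":
    print(decode_header(POSTED_HEADER + ".."))
    for case, accepted in demo().items():
        print(f"{case:13s} -> {'accepted' if accepted else 'rejected'}")
```

Only the intact token is accepted; every altered variant is rejected, which is the behaviour a correctly configured bearer middleware must show for an RS256 token as well (there the comparison is an RSA signature check against the key selected by `kid` from the issuer's JWKS). When a tampered token still appears to "go through" in Postman, confirm first that the request actually reaches an action that requires authentication rather than an anonymous one, and that the validation middleware is registered before the controller pipeline; a successful response from an unprotected endpoint says nothing about whether the signature was checked.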

Hi @AnthonyDaSilva,

Thanks for providing me with an update!

I have just tried decoding your token on jwt.io and found that you have used HS256 instead of RS256 as your signing algorithm.

In this situation, this is a totally valid token and can be decoded and used as usual.

Thanks,
Rueben

Hi,

Yes, you can decode it but if you look at the bottom left part, you should have a message ‘Invalid signature’.
Shouldn’t the token be rejected if part of the signature (or any part of the token) is missing or has been altered?

Hi @AnthonyDaSilva,

Thanks for the reply.

As far as I can tell, the token you shared is legitimate even after you have altered the signature. I cannot tell what you have removed/changed in the signature, but when I decode it, it has a valid signature. I have sent you a screenshot of the decoded token in direct messages for your reference.

In this case, can you clarify exactly what steps you took to modify the signature of the token?

Thanks,
Rueben
