Invalid Token in JWT.io

I am using Auth0 with Flutter. I just downloaded the sample and changed the schema to demo,
so the callback URL is
demo://ekitabu.eu.auth0.com/android/com.auth0.sample/callback

I am using an audience from an API that I created in the App that uses the RS256 encryption algorithm.

I was able to log in and log out using the sample App,
but if I take the token to the JWT.io site, it always gives me an invalid signature.

The problem is that this App will communicate with another web app, so when I send the token to it, it says that the token has an invalid signature. And if I take the token from the website header to JWT.io, it can validate the signature there. So there is something wrong with the Flutter sample that generates an invalid signature.

Can anyone point me to where to look, and tell me if I need to provide more information for some help?

Thanks

Hey there @muhannadnaser !

That’s good to know!

It sounds like you might be missing an audience. You can add it like so:

final credentials = await auth0
    .webAuthentication()
    .login(audience: 'YOUR_AUTH0_API_IDENTIFIER');

The following FAQ may be helpful as well:

Keep us posted!


Thanks for the reply. I already have an audience in the system, and I am getting the correct token. When I try to validate the token on jwt.io, the site lists the correct data and values, but still the site says that the token has an invalid signature. I made sure that the algorithm being used is RS256 in both the API (used as the audience) and the project that I got the client ID from.

The weird thing is that we used the App and API to configure a Kotlin project and we got a valid token.

Hey @muhannadnaser no worries, happy to help!

Thanks for confirming!

That is very weird - I just tested using the Flutter sample and am getting a token back with a valid signature. This is all I am doing:

Future<void> login() async {
  try {
    if (kIsWeb) {
      return auth0Web.loginWithRedirect(redirectUrl: 'http://localhost:3000');
    }

    var credentials = await auth0
        .webAuthentication(scheme: dotenv.env['AUTH0_CUSTOM_SCHEME'])
        .login(audience: dotenv.env['AUTH0_AUDIENCE']);

    setState(() {
      _user = credentials.user;
      print(credentials.accessToken);
    });
  } catch (e) {
    print(e);
  }
}

Sounds silly, but it might be worth just deleting/re-downloading the sample and starting from scratch. Unfortunately it seems like there could be a misconfiguration somewhere in the sample app specifically, given the client id and API identifier are working elsewhere.

Keep us posted!

Thanks for the reply. I have confirmed something: when I use the default audience, I get a valid token with minimum info in the audience, but when I try using any of my APIs' identifiers as the audience to get a more meaningful JWT token, the token becomes invalid.

Is there any relation between the App and the audience? What I understand is that if multiple apps want to use the same token, like a mobile and a web app connected to the same backend, then I will have two Apps (native and web) but they are connected to the same API (audience), and this is what I am trying to achieve.

Thanks for the help

Thanks for the help. It really was a silly problem, but it took me more than 3 days and the support from Auth0 to figure it out.
It is a limitation of Flutter: the print function only prints up to 1024 characters, so when I use a simple audience and the token is small, it will be valid because the print function will print the full token. But when I use a more complicated audience to include more data, the token becomes longer than 1024 characters and the print function will truncate it without saying anything, so the token becomes invalid.

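A structural check that separates a truncated copy of a token from a real signing problem, as an added example that is not part of the original thread or of the Auth0 sample: it needs no key, and the function names, the accepted RSA key sizes and the sample token are assumptions constructed for illustration.

```python
import base64
import json

RSA_SIG_BYTES = {256, 384, 512}  # 2048/3072/4096-bit RSA keys (assumed key sizes)
PRINT_LIMIT = 1024               # truncation length reported in this thread

def b64url_decode(seg: str) -> bytes:
    if len(seg) % 4 == 1:  # no byte string encodes to this many characters
        raise ValueError("impossible base64url length")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def diagnose_jwt(token: str) -> list:
    """Return structural problems that are visible before any key is involved."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return [f"expected 3 segments, found {len(parts)}"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        return [f"header/payload not decodable: {exc}"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    problems = []
    try:
        sig = b64url_decode(parts[2])
        if header.get("alg") == "RS256" and len(sig) not in RSA_SIG_BYTES:
            problems.append(f"RS256 signature is {len(sig)} bytes, not an RSA modulus size")
    except ValueError as exc:
        problems.append(f"signature not decodable: {exc}")
    if len(token) == PRINT_LIMIT:
        problems.append(f"token is exactly {PRINT_LIMIT} characters long")
    return problems

def sample_token() -> str:
    """Constructed token: RS256 header, large payload, 256 filler bytes as signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"aud": "https://api.example.test",
               "permissions": [f"read:resource{i}" for i in range(25)]}
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    return ".".join([enc(header), enc(payload), b64url_encode(bytes(256))])

if __name__ == "__main__":
    full = sample_token()
    for label, tok in (("full", full), ("cut at 1024", full[:PRINT_LIMIT])):
        print(label, len(tok), diagnose_jwt(tok))
```

The truncated copy still has a decodable header and payload, which matches the symptom in the thread: the claims display correctly while the signature check fails.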

Ahhh @muhannadnaser wow, good to know! That’s a tricky one. Hopefully this helps others using Flutter in the future though!