Struggling to make a valid modification to JWT "exp" value

mixelpix · November 14, 2021, 2:08pm

I’m testing things out using cURL with the Zoom API.

When I use JWTs generated on the Zoom App Credentials page, the cURL commands work just fine, e.g. a cURL PATCH command for updating the alternative hosts for a meeting:

curl --request PATCH \
  --url 'https://api.zoom.us/v2/meetings/1234567890' \
  --header 'authorization: Bearer { auth_token } \
  --header 'content-type: application/json' \
  --data-raw '{
    "settings": {
      "alternative_hosts": "name@fake.email;name2@fake.email;name3@fake.email"
    }
  }'

When I paste the JWT token created in the Zoom App Credentials page into JWT.io’s “Encoded” window, then modify the payload by updating the “exp” value in the “Decoded” window, I get the following error using the updated JWT token string:

{"code":124,"message":"The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256"}

This is the case whether or not I select the “secret base64 encoded” option.

This is also the case whether or not I include "typ": "JWT" in the header object (per the Zoom specs here).

What am I doing wrong and how do I generate a valid JWT with the “exp” value updated through the JWT.io gui?

Apologies for the newB smell. Thanks for your time and consideration!

dan.woda · November 15, 2021, 10:45pm

Hi @mixelpix

Welcome to the Auth0 Community!

You cannot modify an existing token without invalidating the signature. This is the security mechanism that makes JWTs secure.

When the token expires you will typically have to request a new one.

mixelpix · November 16, 2021, 5:41pm

Hi @dan.woda ,
Thanks for the reply… so am I understanding you correctly that if I first create a token which lasts for a week and then create a token which lasts for a day, the first one is invalidated? This seems contradictory to my experience.
What I am trying to do on the JWT.io page is use the gui to generate a new token with a modifiied “exp” value, not manually modify the encoded JWT.
Best

dan.woda · November 16, 2021, 9:49pm

Thanks for the added context, I think I understand what you are trying to do.

No, not quite. Either token should be valid, as long as it is signed with the secret provided by zoom and is still within the exp timeframe.

Are you putting your secret in the input field?

mixelpix · November 17, 2021, 12:19am

@dan.woda oooooooOOOOOOoooooooo!

That would probably help and is a much more secure gui that way

I’m gonna go cURL up in a ball in the corner for awhile until I am less embarrassed to be seen on teh internets.

thanks!!

dan.woda · November 17, 2021, 1:03am

Don’t stress! We all have those days

Topic		Replies	Views
Can't validate JWT token JWT.io jwt , auth0	10	4116	September 14, 2023
Altered JWT Still Validates Get Help jwt	4	3952	March 26, 2019
Access token is not valid within 30 minutes Get Help bug , token-validation	3	5099	February 10, 2020
Invalid Signature JWT.io jwt , invalid-signature	10	2953	June 9, 2023
Jwt.sign within rule generates invalid token frequently Get Help token , jwt	5	6505	March 2, 2018

Struggling to make a valid modification to JWT "exp" value

Related topics