I’m using jwt.io to verify a token generated with the com.auth0:java-jwt:3.13.0 library.
I use this simple example.
One without base64 encoded secret:
And here’s one with base64 secret encoded:
Here are two simple test cases to check whether the library creates the same tokens:

    @Test
    public void thisTestIsGreen() {
        //given
        final var secret = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        final var algorithm = Algorithm.HMAC256(secret);
        //when
        final var actual = JWT.create()
                .withHeader(Map.of("typ", "JWT"))
                .withSubject("test")
                .sign(algorithm);
        //then
        Assertions.assertThat(actual).isEqualTo("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0._jqBKSO6Kdps70QxljiaNtoYnwvsjVEZirwfagLRKCI");
    }

    @Test
    public void thisTestIsRed() {
        //given
        final var secret = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        final var base64EncodedSecret = java.util.Base64.getUrlEncoder().encodeToString(secret.getBytes(StandardCharsets.UTF_8));
        final var algorithm = Algorithm.HMAC256(base64EncodedSecret);
        //when
        final var actual = JWT.create()
                .withHeader(Map.of("typ", "JWT"))
                .withSubject("test")
                .sign(algorithm);
        //then
        Assertions.assertThat(actual).isEqualTo("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.ky8r4Cv8VfKUYatR_DUkCNQ50P6oQvpKXRQGuFPWDWA");
    }

The first test works, so the problem is obviously in the base64-encoded secret.
Any hints on how the ‘secret base64 encoded’ checkbox is implemented? (I would like to understand the difference between the encoded secret in Java and the one from jwt.io.)
I’ve seen several topics with a similar issue, but none actually answers my question.
Also, I’ve tried different JWT Java libraries (nimbusds-jose-jwt, io.jsonwebtoken) and different implementations of the base64 encoder, all with the same result.
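
An added example, not part of the original post and not jwt.io's or java-jwt's own code: it recomputes the HS256 signature over the header and payload from the two tests with the JDK's HMAC, under three readings of the same secret text, and reports which of the two signatures from the tests each reading reproduces. It assumes that a "secret base64 encoded" option means the field is base64-decoded into the key bytes; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; uses only JDK classes.
public class Hs256KeyBytes {
    // header.payload, copied from the tokens in the two tests above.
    static final String SIGNING_INPUT =
            "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0";
    // Signature parts of the tokens expected by the green and the red test.
    static final String GREEN_SIG = "_jqBKSO6Kdps70QxljiaNtoYnwvsjVEZirwfagLRKCI";
    static final String RED_SIG = "ky8r4Cv8VfKUYatR_DUkCNQ50P6oQvpKXRQGuFPWDWA";

    // HS256: unpadded base64url of HMAC-SHA256(key, ASCII(header.payload)).
    static String sign(byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(SIGNING_INPUT.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    static void report(String reading, byte[] key) throws Exception {
        String sig = sign(key);
        String match = sig.equals(GREEN_SIG) ? "green test"
                : sig.equals(RED_SIG) ? "red test" : "neither";
        System.out.printf("%-30s %2d key bytes  %s  matches: %s%n",
                reading, key.length, sig, match);
    }

    public static void main(String[] args) throws Exception {
        String secret = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        byte[] utf8 = secret.getBytes(StandardCharsets.UTF_8);

        // 1. The text itself is the key (what the green test signs with).
        report("text as UTF-8", utf8);

        // 2. The text is encoded first and the encoded string becomes the key
        //    (what the red test signs with): a different, longer key.
        String encoded = Base64.getUrlEncoder().encodeToString(utf8);
        report("base64url-ENCODED text", encoded.getBytes(StandardCharsets.UTF_8));

        // 3. Assumption: the text is already base64 and is DECODED into raw
        //    key bytes. 32 base64 characters decode to only 24 bytes.
        report("base64-DECODED text", Base64.getDecoder().decode(secret));
    }
}
```

With java-jwt, key bytes obtained this way can be passed to the `Algorithm.HMAC256(byte[])` overload instead of the `String` one.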