I am trying to manually generate a JWT in Java without using libraries, but the JWT that comes back is not validated by the web application https://jwt.io/.
```java
import java.util.Base64;
import java.util.HashMap;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.digest.HmacUtils;
import org.json.JSONObject;

public String authenticateUser(String body) {
    try {
        String key = "teste-de-chave-hahaha";
        String header;
        String payload;
        String signature;
        //################################# header
        HashMap<String, String> hashHeader = new HashMap<String, String>();
        hashHeader.put("typ", "JWT");
        hashHeader.put("alg", "HS256");
        System.out.println("hashHeader = " + hashHeader);
        JSONObject json = new JSONObject(hashHeader);
        System.out.println("hashHeader json = " + json);
        header = this.getBase64Parsed(json.toString());
        System.out.println("hashHeader json Base64 = " + header);
        //################################# payload
        HashMap<String, String> hashPayload = new HashMap<String, String>();
        hashPayload.put("iss", "sct.infogruposi.com");
        hashPayload.put("username", "brunokchimbo");
        hashPayload.put("email", "brunokchimbo@hotmail.com");
        hashPayload.put("acl", "Administrador");
        System.out.println("hashPayload = " + hashPayload);
        json = new JSONObject(hashPayload);
        System.out.println("hashPayload json = " + json);
        payload = this.getBase64Parsed(json.toString());
        System.out.println("hashPayload json Base64 = " + payload);
        //################################# signature: HMAC over "header.payload", then Base64 of the hex text
        String token = header + "." + payload;
        String chave = this.getHmacSHA256Encrypted(token, key);
        System.out.println("signature hashHmacSHA256 = " + chave);
        signature = this.getBase64Parsed(chave);
        System.out.println("signature hashHmacSHA256 Base64 = " + signature);
        //#################################
        token = token + "." + signature;
        System.out.println("token completo = " + token);
        return token;
    } catch (Exception ex) {
        ex.printStackTrace();
    } finally {
        // finally always runs, so this return replaces the token returned above
        return Response.status(Response.Status.FORBIDDEN).build().toString();
    }
}

// commons-codec HMAC-SHA1, returned as a hex string
public String getHmacSHA256Encrypted(String value, String key) {
    return HmacUtils.hmacSha1Hex(key, value);
}

// standard (non-URL) Base64 alphabet, no padding
public String getBase64Parsed(String msg) {
    return Base64.getEncoder().withoutPadding().encodeToString(msg.getBytes());
}
```
This code generates the following JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzY3QuaW5mb2dydXBvc2kuY29tIiwiYWNsIjoiQWRtaW5pc3RyYWRvciIsImVtYWlsIjoiYnJ1bm9rY2hpbWJvQGhvdG1haWwuY29tIiwidXNlcm5hbWUiOiJicnVub2tjaGltYm8ifQ.MmIwOGIxYTliM2Q4NjZhYjc1YmY1N2M4NjJmNTM0YmUzOWQ5NDJkYw
The procedure I’m doing is:
- Access the site https://jwt.io/.
- Fill in the "Verify Signature" field with the key "teste-de-chave-hahaha".
- Paste the JWT into "Encoded".
When I follow this procedure with the information pre-loaded on the site by default, a message appears below stating that the key is valid, but when I follow it with the information generated by my Java code, the signature is invalid.
What is the correct way to generate a JWT?
I followed the steps of Vedovelli's video lesson on YouTube (https://www.youtube.com/watch?v=k3KfK0ZS_FY) and it also did not validate. I rewrote all the PHP code he produced and the token is the same. I copied and pasted it into jwt.io, entered the key, everything as it should be, and nothing. I'm finding that the application does not serve as a basis for validation tests.
– Billly Jow
After some tests, if I change the password to 'my-password' (I saw it at https://imasters.com.br/back-end/understanding-o-jwt), the validation works.
– Billly Jow
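For comparison, here is an added example (my code, not the asker's and not taken from jwt.io or any library) that builds and checks an HS256 token with only the JDK: HMAC-SHA256 over the signing input, the raw MAC bytes encoded as base64url without padding, and a constant-time comparison on the verifying side. The claims are copied from the question; the class and method names are assumptions of mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the asker's code: an HS256 JWT built the way RFC 7519 / jwt.io expect it.
public class JwtHs256Example {
    // JWT segments are base64url (RFC 4648 s.5) WITHOUT padding; Base64.getEncoder() is the wrong alphabet.
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    // HMAC-SHA256 over "header.payload"; the raw 32 MAC bytes are what gets base64url-encoded,
    // not a hex string of them (and not HMAC-SHA1, which is what hmacSha1Hex computes).
    static byte[] hmacSha256(String secret, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    }

    static String sign(String headerJson, String payloadJson, String secret) throws Exception {
        String signingInput = B64URL.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + B64URL.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64URL.encodeToString(hmacSha256(secret, signingInput));
    }

    // Verifier side: recompute the MAC and compare in constant time. This helper assumes the
    // caller has already checked that the header's "alg" is HS256 before trusting the signature.
    static boolean verify(String token, String secret) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false; // not base64url: reject rather than throw
        }
        byte[] expected = hmacSha256(secret, parts[0] + "." + parts[1]);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Same claims as in the question; JSON written by hand so the example needs no org.json.
        String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        String payload = "{\"iss\":\"sct.infogruposi.com\",\"username\":\"brunokchimbo\",\"acl\":\"Administrador\"}";
        String token = sign(header, payload, "teste-de-chave-hahaha");
        System.out.println(token);
        System.out.println("right key verifies: " + verify(token, "teste-de-chave-hahaha"));
        System.out.println("wrong key verifies: " + verify(token, "outra-chave"));
    }
}
```

Pasting the printed token and the secret "teste-de-chave-hahaha" into jwt.io should now report the signature as verified; decoding the third segment of the token from the question instead yields 40 hex characters, which is the hex text of a SHA-1-sized MAC rather than 32 raw bytes.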