
io.jsonwebtoken.security.weakkeyexception: The verification key's size is 48 bits which is not secure enough for the HS256 algorithm


I'm attempting to take a token from my web application's API and parse out the user id from it in Android Studio. I'm using jjwt to decode the token, but am running into this issue. I was reading online and the solutions said to make sure my 'secret-key' was in base64, but it's still causing issues.

I tried using the encoder, an online encoder, and hardcoding the base-64 string of my 'secret', but it still returns the same issue. A link to people having similar issues is found here: github.com/auth0/node-jsonwebtoken/issues/208

    import android.util.Base64;
    import android.widget.TextView;

    import io.jsonwebtoken.Claims;
    import io.jsonwebtoken.Jws;
    import io.jsonwebtoken.JwtException;
    import io.jsonwebtoken.Jwts;

    // ... inside the Activity's onCreate():
    final TextView tv = (TextView) findViewById(R.id.tvText);

    // Token issued by the web API (HS256; the payload carries the user "id" claim)
    final String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVjOWYzYWI2NzY2Mjg2NDYyNDY0YTczNCIsIm5hbWUiOiJSYW5keSIsImF2YXRhciI6Ii8vd3d3LmdyYXZhdGFyLmNvbS9hdmF0YXIvMTNhN2MyYzdkOGVkNTNkMDc2MzRkOGNlZWVkZjM0NTFfcz0yMDAmcj1wZyZkPW1tIiwiaWF0IjoxNTU0NTIxNjk1LCJleHAiOjE1NTQ1MjUyOTV9._SxRurShXS-SI3SE11z6nme9EoaD29T_DBFr8Qwngkg";
    // The shared secret the API signs with, and its Base64 form ("secret" -> "c2VjcmV0")
    final String secret = "secret";
    String secret64 = "c2VjcmV0";

    // Same value computed at runtime (use Base64.NO_WRAP to avoid the trailing newline DEFAULT adds)
    String encoded = Base64.encodeToString(secret.getBytes(), Base64.DEFAULT);

    Jws<Claims> jws;
    try {
        jws = Jwts.parser()                  // (1)
                .setSigningKey(secret64)     // (2) jjwt treats a String key as Base64 and decodes it
                .parseClaimsJws(token);      // (3) verifies the signature and the exp claim

        // we can safely trust the JWT

    }
    catch (JwtException ex) {                // (4) WeakKeyException is a JwtException, so it lands here
        // we *cannot* use the JWT as intended by its creator
        tv.setText(ex.toString());
    }

Solution

  • The verification key's size is 48 bits

    This statement tells the whole story. The secret key you've used is too short. If you are using HS256, which is HMAC with SHA-256, a key of at least 256 bits MUST be used with the HS256 algorithm.

    As mentioned in JSON Web Algorithms

    the JSON Web Algorithms RFC 7518 states that a key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with the HS256 algorithm.

    So change your key size and you are good to go.
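The number in the error message is explained by how jjwt reads the key: `setSigningKey(String)` Base64-decodes the string, so "c2VjcmV0" turns back into the six bytes of "secret", which is 48 bits, and jjwt refuses anything under 256 bits for HS256. The example below is added here and is not the asker's or the answerer's code; it assumes jjwt 0.10 or later (jjwt-api, jjwt-impl and jjwt-jackson on the classpath), and the class name, method names and the user id are mine. It shows the 48-bit key being rejected by `Keys.hmacShaKeyFor`, then generates a 256-bit key, issues a token with the same claim layout as the one in the question, and verifies it, including the two failure cases a verifier must not let through (wrong key, expired token).

```java
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.SecretKey;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.WeakKeyException;

// Added example, not code from the question or the answer. Assumes jjwt 0.10+.
// Every key and token below is constructed at runtime; nothing is hardcoded.
public class Hs256KeySize {

    // Mirrors the question: "secret" is 6 bytes = 48 bits, far below the
    // 256 bits RFC 7518 requires for HS256, so jjwt rejects it up front.
    static void showWeakKeyRejected() {
        byte[] sixBytes = "secret".getBytes(StandardCharsets.UTF_8);
        System.out.println("key bits: " + sixBytes.length * 8);
        try {
            Keys.hmacShaKeyFor(sixBytes);
            System.out.println("unexpected: weak key accepted");
        } catch (WeakKeyException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }

    // A secret of adequate size: 32 random bytes (256 bits) for HS256.
    // In a real deployment it belongs to the server's secret store.
    static SecretKey newHs256Key() {
        return Keys.secretKeyFor(SignatureAlgorithm.HS256);
    }

    // The same key as the Base64 string that setSigningKey(String) expects.
    static String toBase64(SecretKey key) {
        return Encoders.BASE64.encode(key.getEncoded());
    }

    // Issue a token the way the web API would: an "id" claim plus iat/exp.
    static String issue(SecretKey key, String userId, long ttlSeconds) {
        Date now = new Date();
        return Jwts.builder()
                .claim("id", userId)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlSeconds * 1000))
                .signWith(key)              // algorithm is derived from the key size
                .compact();
    }

    // Verify first, read second: any tampering, wrong key or expiry surfaces
    // as a JwtException before a single claim is returned.
    static String verifiedUserId(String base64Key, String token) {
        SecretKey key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(base64Key));
        Jws<Claims> jws = Jwts.parser()
                .setSigningKey(key)
                .parseClaimsJws(token);
        return jws.getBody().get("id", String.class);
    }

    public static void main(String[] args) {
        showWeakKeyRejected();

        SecretKey key = newHs256Key();
        String base64Key = toBase64(key);
        String token = issue(key, "user-0001", 3600);   // made-up user id
        System.out.println("user id: " + verifiedUserId(base64Key, token));

        // Same key size, different secret: signature check must fail.
        try {
            verifiedUserId(toBase64(newHs256Key()), token);
        } catch (JwtException e) {
            System.out.println("wrong key: " + e.getClass().getSimpleName());
        }

        // A token whose exp is already in the past must fail too.
        try {
            verifiedUserId(base64Key, issue(key, "user-0001", -60));
        } catch (ExpiredJwtException e) {
            System.out.println("expired: " + e.getMessage());
        }
    }
}
```

Two caveats for the setup in the question. The key cannot be lengthened on the Android side alone: HS256 is a shared-secret scheme, so the web API that mints the tokens has to sign with the same 256-bit (or longer) secret, otherwise every signature check fails. And a shared HMAC secret compiled into an APK can be pulled out of the APK, at which point anyone can mint tokens the API accepts; if the app only needs to display the user id, it can decode the payload without verifying and leave trust decisions to the server, or the server can sign with an asymmetric algorithm (RS256/ES256) so the app ships nothing but a public key.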