
JWT Invalid Signature in C# Code and JWT.io Website Verify Signature with these Steps


We encountered this in our dev team. Using C# logic, we can generate the token correctly, but it returns "Invalid Signature". Also, when we try to validate it in JWT.io with the "secret base64 encoded" checkbox ticked, it is "Invalid Signature". But weirdly, when we untick the checkbox, it is "Signature verified". I think the normal check in JWT.io is with "secret base64 encoded" unchecked. We need help if anyone has any thoughts. Thanks a lot.

JWT token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJhZG1pbklkIiwic3ViIjoidGVzdFVzZXIiLCJhdXRoX3RpbWUiOiIxNzI2NTY5OTQyODA2IiwidHlwIjoidGVzdElkIiwiaWF0IjoiMTcyNjU2OTk0MjgwOSIsImV4cCI6MTcyNjU3MDI0MiwiaXNzIjoidGVzdFVzZXIiLCJhdWQiOiJ0ZXN0VXNlciJ9.p1sSnzw75hBZwsF55zPhI4wbwnHhEFsPYQHhXX1Gqyo

Secret: ZFJD/pAFJbWU/mUhlXpD3A4IqkJ/VahWpRCwNs7Q19s=



Solution

  • The JWT was signed with the secret ZFJD/pAFJbWU/mUhlXpD3A4IqkJ/VahWpRCwNs7Q19s= that is not Base64 encoded.

    To be honest, this looks like a mistake when signing it, as this string looks like it is already Base64 encoded. If, however, this is not a mistake, you can encode the secret again to Base64 and get WkZKRC9wQUZKYldVL21VaGxYcEQzQTRJcWtKL1ZhaFdwUkN3TnM3UTE5cz0=.

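The two key interpretations from the question and answer above, checked side by side in C#. This is an added example, not code from the original post: the names `JwtKeyCheck`, `VerifyHs256` and `FromBase64Url` are hypothetical, it assumes .NET Core 2.1 or later (for `CryptographicOperations`), and it checks only the HS256 signature, not `exp` or any other claim.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class JwtKeyCheck
{
    // JWT segments are base64url: '-' and '_' instead of '+' and '/', padding stripped.
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    // Recompute HMAC-SHA256 over "header.payload" and compare it with the
    // token's third segment in constant time.
    static bool VerifyHs256(string jwt, byte[] key)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;

        byte[] actual;
        try { actual = FromBase64Url(parts[2]); }
        catch (FormatException) { return false; }

        byte[] signedData = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
        using (var hmac = new HMACSHA256(key))
        {
            byte[] expected = hmac.ComputeHash(signedData);
            return CryptographicOperations.FixedTimeEquals(expected, actual);
        }
    }

    static void Main()
    {
        // Token and secret string copied from the question above.
        string jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiJhZG1pbklkIiwic3ViIjoidGVzdFVzZXIiLCJhdXRoX3RpbWUiOiIxNzI2NTY5OTQyODA2IiwidHlwIjoidGVzdElkIiwiaWF0IjoiMTcyNjU2OTk0MjgwOSIsImV4cCI6MTcyNjU3MDI0MiwiaXNzIjoidGVzdFVzZXIiLCJhdWQiOiJ0ZXN0VXNlciJ9.p1sSnzw75hBZwsF55zPhI4wbwnHhEFsPYQHhXX1Gqyo";
        string secret = "ZFJD/pAFJbWU/mUhlXpD3A4IqkJ/VahWpRCwNs7Q19s=";

        // Key = the characters of the string (JWT.io with the checkbox unticked).
        byte[] keyAsText = Encoding.UTF8.GetBytes(secret);
        // Key = the bytes the string decodes to (JWT.io with the checkbox ticked).
        byte[] keyDecoded = Convert.FromBase64String(secret);

        Console.WriteLine($"UTF-8 bytes of the string ({keyAsText.Length} bytes): {VerifyHs256(jwt, keyAsText)}");
        Console.WriteLine($"Base64-decoded bytes ({keyDecoded.Length} bytes): {VerifyHs256(jwt, keyDecoded)}");
    }
}
```

The interpretation that prints `True` is the one the signing code used; the validating side has to build its key bytes the same way (`Encoding.UTF8.GetBytes` versus `Convert.FromBase64String`), otherwise every token fails with an invalid signature.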