Verification works on jwt.io but not with jose #554
I'm very sorry for the stupid question. I'm sure I'm making a silly mistake, but I can't figure out what it is. I have this token:

```js
import * as jose from "jose";

const session =
  "eyJhbGciOiJSUzI1NiIsImtpZCI6Imluc18yTWpabTA2c3VtOWdteEx4djZCT2xPS1NpWDIiLCJ0eXAiOiJKV1QifQ.eyJhenAiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAiLCJleHAiOjE2ODk4ODA0NzcsImlhdCI6MTY4OTg4MDQxNywiaXNzIjoiaHR0cHM6Ly9hbWF6aW5nLWJlYXItNTkuY2xlcmsuYWNjb3VudHMuZGV2IiwibmJmIjoxNjg5ODgwNDA3LCJzaWQiOiJzZXNzXzJTcVlkdzJtUjJKejU0WW5ORUlGZWNsRkIxbSIsInN1YiI6InVzZXJfMk1rTll4NW5EVGlHam8xMmxZem94cVdpRWRHIn0.p4woAHki6spg5bJPN088E6_x2vF2CvwmcDJMNQ4ShFcSo2OALHzeOyuPBPG2Zq-sFTBApwzdyTVa8O3lVgtYiNmDzVDtTFgzAraNiie5YTJYtE5amssq5dCQqukvsqIOdwUc23DLJD6jI4o-ALTEdXvQ4y5Fk5yaIFbmuQMsSWU_8cO2NG8v7rlEje5dBRC-W5oFVbG8x546o-2B8nel2D9Rjju_OOeQhyBllctQT4Vgu3lhGtUektv0eXg86MPw6GJYCa03ThWwEh0KaIGOK87beovJaRoKDDx4QENXUEfIFLXa_RE4MTwNKq_kN0NyLbk9NXjOLO9eAwoc_cJxpQ";
try {
  const alg = "RS256";
  const spki = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuq/1r55NjIF4GOiIiTb1
7qhiTBG4k3vXAqUkqHJyofVcLtGf5UkvOTMGuPN0FCj9x93e+m3SEi7B6ryULZuf
Yhej4bV0XsfoqNbmNZx7FnvNvazkwd9dGlE+4PnBnFPrQ9slIVuEc+I39NAVnmBK
5mluW55ZQwlB7b25TBEv6XsKt0EUSJNcfvqnXhLc5gQ17vzPM31jkP/lh6wh7PfF
vXTH+P8nG+KEKRnhQVz1RhMc6SLJ40rkOttaFDY5M0hUCy9TTkIzEuufaaI8wTSz
gRogm8tyNQ90dA0bF+fpY35ZVQhycp0wgf8Rj1WosTEORlDta8Jwbn4qQ8f/uVnG
AQIDAQAB
-----END PUBLIC KEY-----`;
  // Import the PEM-encoded SPKI public key for use with RS256
  const publicKey = await jose.importSPKI(spki, alg);
  // Verify the token against that key
  const { payload, protectedHeader } = await jose.jwtVerify(
    session,
    publicKey,
  );
  console.log(payload);
} catch (err) {
  console.log(err);
}
```

I have this code I'm trying to use to validate a token. When I copy and paste those values into jwt.io it works fine and is validated. When I run it in my program, I get a Any ideas what I'm doing wrong?
Replies: 1 comment 2 replies
jwt.io downloads the public key based on discovered issuer keys.

The public key does not correspond to the private key used for signing the token.

When you paste the token and then the public key in PEM format you posted above, in that order, jwt.io will not be able to validate the token either.

The corresponding public key is
in PEM, or
as JWK.
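The mismatch described in the reply, reproduced as an added example (not code from the original posts or from jose): a token signed with one RSA key fails against a different pinned public key, yet verifies when the key is taken from the issuer's key set. It uses only Node's built-in crypto; the keys, the `kid` value `key-2`, the claims, and key selection by `kid` are assumptions made for illustration.

```javascript
// Added example: Node.js built-ins only. Keys, kid values and claims are constructed.
const nodeCrypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");
const parse = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Build an RS256 JWS by hand so the example needs no third-party package.
function signRs256(claims, kid, privateKey) {
  const header = { alg: "RS256", kid, typ: "JWT" };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Signature check against one fixed public key (the pasted-PEM case).
function verifyWithKey(token, publicKey) {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return false;
  if (parse(h).alg !== "RS256") return false; // pin the algorithm
  const sig = Buffer.from(s, "base64url");
  return nodeCrypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, sig);
}

// Pick the key by the header's kid from a JWKS (assumed discovery behaviour).
function verifyWithJwks(token, jwks) {
  const { kid } = parse(token.split(".")[0]);
  const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === kid);
  if (!jwk) return { ok: false, reason: `no key with kid ${kid}` };
  const key = nodeCrypto.createPublicKey({ key: jwk, format: "jwk" });
  const ok = verifyWithKey(token, key);
  return ok ? { ok, kid } : { ok, reason: "signature mismatch" };
}

// Constructed scenario: the issuer signs with one key, the verifier pinned another.
const issuer = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const stale = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const jwks = { keys: [{ ...issuer.publicKey.export({ format: "jwk" }), kid: "key-2" }] };
const token = signRs256({ sub: "user_example" }, "key-2", issuer.privateKey);

function demo() {
  return {
    pinnedStaleKey: verifyWithKey(token, stale.publicKey),
    pinnedIssuerKey: verifyWithKey(token, issuer.publicKey),
    viaJwks: verifyWithJwks(token, jwks),
  };
}
console.log(demo());
```

A token that fails against a pinned PEM but validates where keys are discovered from the issuer points at the pinned key, not at the verification code.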