JWT verification

Hello,
I am trying to verify the JWT from Okta using the Okta public key, and I get errors:

  • I request a JWT from https://dev-613083.okta.com/oauth2/default/v1/token (dev-613083 is my Okta ID) with the correct headers/credentials

  • I receive my JWT:
    "access_token": "eyJraWQiOiIzb0RnbUhFbXNTbEhvS3FkbjFaUnNsR0ZBYmZyWjgzcjZPOHFXbWFWMEpnIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnAyc2RRdDdFTzl6WjVqUHNOdXp1OExSZEQ5TFotTlNuajdfM0xiejhYamciLCJpc3MiOiJodHRwczovL2Rldi02MTMwODMub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTc3Nzk2MDg0LCJleHAiOjE1Nzc3OTY2ODQsImNpZCI6IjBvYTI5emU1dXRTWlN1RDNUMzU3Iiwic2NwIjpbInlodGVzdCJdLCJzdWIiOiIwb2EyOXplNXV0U1pTdUQzVDM1NyJ9.K3rn0IEY0KFXplbOL_zO227QNx63IWWA67wWT5bxOhHE1Jq3_iGPKifw1kneFPCb5ZlZB7SfR5p7-aTAxi6NyjMjPu203swU3PG1kvfUZxwxn3TJG5J6XumlEaEVnT9DrHwowHGr34pJhktntJSQnt9H-ZWe3MnjQix41_sDVwVWYSANLYzCrkLN4czW6N7RcQZNt1IyDGZK1NAUhaS7u9S4FPhS5x4fXg9r86DznySKTjEHuqQlJll5XufgsdWUCK4cYKGuYnePwEbFC38yVZH9iWrTrGqWKbj6PEI0iYE9SxkwERC726Rfbk9_7xfx-AFMa09PYtY1mvyItYasPQ"

  • I retrieve the public key from https://dev-613083.okta.com/oauth2/default/v1/keys

  • I receive the Okta public key:
    {
      "kty": "RSA",
      "alg": "RS256",
      "kid": "3oDgmHEmsSlHoKqdn1ZRslGFAbfrZ83r6O8qWmaV0Jg",
      "use": "sig",
      "e": "AQAB",
      "n": "ldbRkBzVMiUbWEHYNpnHEuR0xx6mU_UDWcAcaqkN-69eJRXF_kojJhZgaj6XW_VdbX4P9adahohRF1N6VfqTgEjiUMacNAcKbaC4UNswUvezyH-L1AWSw2qijU0_MAOVbpKym3c0Phur7v26Jjo-nOmh6U19bFImaoEkK2KTy4sG4jDHlH0DGPTBGd_DIZL6edwu_P1D0NhRZpCvHppKIEhJayUPvkz2yZcVPaNwewzXgw91jCe9G95AiTkFivqx1XPfSU1szsXZ4ZILgqcb_Yjv6r16Bmu6_sktXxAvuQQgATJ5TOVLTcsl6pWGC01hZ5jPr8BAnj-3U6yaJpnQoQ"
    }

I suppose "n" must be the public key.

The "kid" of the public key corresponds to the "kid" in the JWT.

When I try to verify the JWT using the public key on services like https://jwt.io/, I get an "Invalid Signature" error.

When I use https://dev-613083.okta.com/oauth2/default/v1/introspect to verify the JWT, the response is OK ("active": true).

When I try to verify the JWT using the openssl_verify() function of PHP, I get a "supplied key param cannot be coerced into a public key" error, and I have tried all combinations of the key string passed to the function (adding -----BEGIN PUBLIC KEY-----, base64 encode/decode, etc.).

I will try the same later in Java, but I am perplexed…

What am I doing wrong?

I found that "e" and "n" are the exponent and modulus, not the key.

Hi there,

If you are coding in Java, it might be easier to use the GitHub example maintained by the excellent developer @bdemers.

Otherwise, I believe this blog post may help for checking them in PHP:

Hi @yves

The public key that needs to be used for JWT verification is:

-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQCV1tGQHNUyJRtYQdg2mccS
5HTHHqZT9QNZwBxqqQ37r14lFcX+SiMmFmBqPpdb9V1tfg/1p1qGiFEXU3pV+pOA
SOJQxpw0BwptoLhQ2zBS97PIf4vUBZLDaqKNTT8wA5VukrKbdzQ+G6vu/bomOj6c
6aHpTX1sUiZqgSQrYpPLiwbiMMeUfQMY9MEZ38Mhkvp53C78/UPQ2FFmkK8emkog
SElrJQ++TPbJlxU9o3B7DNeDD3WMJ70b3kCJOQWK+rHVc99JTWzOxdnhkguCpxv9
iO/qvXoGa7r+yS1fEC+5BCABMnlM5UtNyyXqlYYLTWFnmM+vwECeP7dTrJommdCh
AgMBAAE=
-----END PUBLIC KEY-----

If you are looking for a solution in PHP to generate the public key based on modulus and exponent, please check this package.

Thanks for all the responses. It seems to be some problem with the PHP version we use (maybe the OpenSSL implementation; the public key which works on jwt.io does not work in my code). In Java it works for me without problem. Now I have moved to node.js, and after 10 minutes of searching and 2 lines of code it works, so I will change the flow of the app a little and use node.js. One more time, thanks to all.

Please, can you tell me how you know that from this
{
  "kty": "RSA",
  "alg": "RS256",
  "kid": "3oDgmHEmsSlHoKqdn1ZRslGFAbfrZ83r6O8qWmaV0Jg",
  "use": "sig",
  "e": "AQAB",
  "n": "ldbRkBzVMiUbWEHYNpnHEuR0xx6mU_UDWcAcaqkN-69eJRXF_kojJhZgaj6XW_VdbX4P9adahohRF1N6VfqTgEjiUMacNAcKbaC4UNswUvezyH-L1AWSw2qijU0_MAOVbpKym3c0Phur7v26Jjo-nOmh6U19bFImaoEkK2KTy4sG4jDHlH0DGPTBGd_DIZL6edwu_P1D0NhRZpCvHppKIEhJayUPvkz2yZcVPaNwewzXgw91jCe9G95AiTkFivqx1XPfSU1szsXZ4ZILgqcb_Yjv6r16Bmu6_sktXxAvuQQgATJ5TOVLTcsl6pWGC01hZ5jPr8BAnj-3U6yaJpnQoQ"
}

the key is what you wrote? I'm trying to recalculate the key without success :frowning:

Hi @thefedex87

I am using a simple script available here which calculates the public key from the modulus and exponent.

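The script that @yves and @thefedex87 were looking for, written out here as an added example (it is not the script linked above, the PHP package, or any Okta code, and it uses only the Python standard library). It builds the SubjectPublicKeyInfo PEM from the JWK's n and e with the DER encoding done by hand, then checks the token's RS256 signature (RSASSA-PKCS1-v1_5 with SHA-256) against the same n and e. The JWK and the access token are copied from the posts above; the function and constant names are this example's own. One detail matters when recalculating the key by hand: DER requires a 0x00 pad byte in front of a positive INTEGER whose first byte has its high bit set, and this modulus starts with 0x95, so a correctly encoded 2048-bit key has a PEM body beginning MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA. The PEM posted earlier in the thread begins MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQCV, which is the same key written without that pad byte (its modulus INTEGER is 256 bytes long and starts with 0x95); a lenient parser reads both as the same key, a strict DER parser reads the unpadded form as a negative integer.

```python
"""Added example: RSA public key PEM from an Okta JWK (n, e), and RS256 JWT verification.
Standard library only. The JWK and token below are copied from the thread."""
import base64
import hashlib
import hmac
import json

# JWK from /oauth2/default/v1/keys, as posted in the thread (kid matches the token header).
OKTA_JWK = {
    "kty": "RSA",
    "alg": "RS256",
    "kid": "3oDgmHEmsSlHoKqdn1ZRslGFAbfrZ83r6O8qWmaV0Jg",
    "use": "sig",
    "e": "AQAB",
    "n": "ldbRkBzVMiUbWEHYNpnHEuR0xx6mU_UDWcAcaqkN-69eJRXF_kojJhZgaj6XW_VdbX4P9adahohRF1N6VfqTgEjiUMacNAcKbaC4UNswUvezyH-L1AWSw2qijU0_MAOVbpKym3c0Phur7v26Jjo-nOmh6U19bFImaoEkK2KTy4sG4jDHlH0DGPTBGd_DIZL6edwu_P1D0NhRZpCvHppKIEhJayUPvkz2yZcVPaNwewzXgw91jCe9G95AiTkFivqx1XPfSU1szsXZ4ZILgqcb_Yjv6r16Bmu6_sktXxAvuQQgATJ5TOVLTcsl6pWGC01hZ5jPr8BAnj-3U6yaJpnQoQ",
}
# The access token from the first post (header.payload.signature, base64url).
TOKEN = "eyJraWQiOiIzb0RnbUhFbXNTbEhvS3FkbjFaUnNsR0ZBYmZyWjgzcjZPOHFXbWFWMEpnIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnAyc2RRdDdFTzl6WjVqUHNOdXp1OExSZEQ5TFotTlNuajdfM0xiejhYamciLCJpc3MiOiJodHRwczovL2Rldi02MTMwODMub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTc3Nzk2MDg0LCJleHAiOjE1Nzc3OTY2ODQsImNpZCI6IjBvYTI5emU1dXRTWlN1RDNUMzU3Iiwic2NwIjpbInlodGVzdCJdLCJzdWIiOiIwb2EyOXplNXV0U1pTdUQzVDM1NyJ9.K3rn0IEY0KFXplbOL_zO227QNx63IWWA67wWT5bxOhHE1Jq3_iGPKifw1kneFPCb5ZlZB7SfR5p7-aTAxi6NyjMjPu203swU3PG1kvfUZxwxn3TJG5J6XumlEaEVnT9DrHwowHGr34pJhktntJSQnt9H-ZWe3MnjQix41_sDVwVWYSANLYzCrkLN4czW6N7RcQZNt1IyDGZK1NAUhaS7u9S4FPhS5x4fXg9r86DznySKTjEHuqQlJll5XufgsdWUCK4cYKGuYnePwEbFC38yVZH9iWrTrGqWKbj6PEI0iYE9SxkwERC726Rfbk9_7xfx-AFMa09PYtY1mvyItYasPQ"


def b64url_decode(s: str) -> bytes:
    """JOSE base64url: '-'/'_' alphabet with padding stripped; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER. A positive value whose top bit is set needs a 0x00 pad byte,
    otherwise a strict parser reads it as negative (the PEM in the thread omits it)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_length(len(body)) + body


def jwk_rsa_numbers(jwk: dict) -> tuple:
    """(n, e) as integers: the JWK fields are big-endian unsigned, base64url encoded."""
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))


def jwk_to_pem(jwk: dict) -> str:
    """SubjectPublicKeyInfo (RFC 5280) wrapping an RSAPublicKey (RFC 8017), PEM-armoured."""
    n, e = jwk_rsa_numbers(jwk)
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1
    algorithm = der_sequence(rsa_encryption_oid, b"\x05\x00")       # parameters: NULL
    rsa_key = der_sequence(der_integer(n), der_integer(e))
    bit_string = b"\x03" + der_length(len(rsa_key) + 1) + b"\x00" + rsa_key  # 0 unused bits
    b64 = base64.b64encode(der_sequence(algorithm, bit_string)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def verify_rs256(token: str, jwk: dict) -> bool:
    """RSASSA-PKCS1-v1_5 / SHA-256 check of header.payload against the JWK's (n, e).
    The algorithm is fixed by the key we hold; the header's alg only has to agree with it."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    signing_input = f"{parts[0]}.{parts[1]}"
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:                       # bad base64 or bad JSON
        return False
    if header.get("alg") != "RS256" or header.get("kid") != jwk.get("kid"):
        return False
    n, e = jwk_rsa_numbers(jwk)
    k = (n.bit_length() + 7) // 8            # modulus length in bytes
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")     # RSAVP1 followed by I2OSP
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input.encode("ascii")).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t   # EMSA-PKCS1-v1_5
    return hmac.compare_digest(em, expected)


def decode_claims(token: str) -> dict:
    """Payload claims. No signature check here: call verify_rs256 first, then check exp/iss/aud."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    print(jwk_to_pem(OKTA_JWK))
    print("signature valid:", verify_rs256(TOKEN, OKTA_JWK))
    print("claims:", decode_claims(TOKEN))
```

Running the block prints the DER-correct PEM for the key above and reports whether the thread's token verifies against it. The verifier pins the algorithm to what the held key supports instead of trusting the header's alg, rejects a kid mismatch, and compares the padded message in constant time; exp, iss and aud are still separate checks on the claims that decode_claims returns, and they belong after the signature check, never in place of it.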

Thank you. I forgot to write that finally I found a Python script which calculates the key :slight_smile: Thank you.