io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.

[KhanamDEV]

Hello friends,
I hope you can help me

This is my code:

package com.tkg.MasterSystem.services.impl;

import com.tkg.MasterSystem.payload.requests.authentication.SendSignInCodeRequest;
import com.tkg.MasterSystem.repositories.UserRepositoryInterface;
import com.tkg.MasterSystem.services.AuthenticationServiceInterface;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

import javax.crypto.SecretKey;
import java.security.Key;
import java.util.Date;
import java.util.Objects;


@Service
public class AuthenticationService implements AuthenticationServiceInterface {

    @Autowired
    Environment environment;

    private final UserRepositoryInterface userRepository;

    public Key getSecretKey(){
        byte[] keyBytes = Decoders.BASE64.decode(environment.getProperty("JWT_SECRET_KET"));
        return Keys.hmacShaKeyFor(keyBytes);
    }

    @Autowired
    public AuthenticationService(UserRepositoryInterface userRepositoryInterface) {
        this.userRepository = userRepositoryInterface;
    }

    @Override
    public boolean sendSignUpCode(SendSignInCodeRequest sendSignInCodeRequest) {
        return userRepository.existsByEmail(sendSignInCodeRequest.getEmail());
    }

    @Override
    public Claims extractAllClaims(String token) {
        return Jwts
                .parserBuilder()
                .setSigningKey(getSecretKey())
                .build()
                .parseClaimsJws(token)
                .getBody();
    }

    @Override
    public String generateToken( UserDetails userDetails) {
        return Jwts
                .builder()
                .setSubject(userDetails.getUsername())
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 24 * 90))
                .signWith(getSecretKey(),SignatureAlgorithm.HS256)
                .compact();
    }

    @Override
    public boolean isTokenValid(String token, UserDetails userDetails) {
        Claims claims = extractAllClaims(token);
        final String username = claims.getSubject();
        Date tokenExpiration = claims.getExpiration();
        return username.equals(userDetails.getUsername()) && tokenExpiration.before(new Date());
    }
}

When I running my application and send any request, i get an error io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted. with detail error in function extractAllClaims when i parseClaimsJws.
I'm not sure where I went wrong, can someone explain it to me, thanks

[lhazlewood]

Are you using the latest stable release using 0.11.5?

[KhanamDEV]

@lhazlewood yes, i using version 0.11.5
This is my dependency <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt-api</artifactId> <version>0.11.5</version> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt-impl</artifactId> <version>0.11.5</version> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt-jackson</artifactId> <version>0.11.5</version> </dependency>

[lhazlewood]

Do you have a simple public static void main test class that reproduces this behavior? I don't have the time to start up a Spring application just to test this.

FWIW, in your isTokenValid method implementation, this is not necessary:

Date tokenExpiration = claims.getExpiration();
return username.equals(userDetails.getUsername()) && tokenExpiration.before(new Date());

If the token is expired, an ExpiredJwtException will be thrown in the extractAllClaims method, so the claims.getExpiration().before(newDate()) is superfluous.

[KhanamDEV]

@lhazlewood thank you for contribution

[lhazlewood]

Without a public static void main test class that I can run, and at first glance, this kind of exception would be thrown if your getSecretKey() value does not match the same key that was used to sign the token.

[KhanamDEV]

@lhazlewood this is my JWT_SECRET_KEY : 671491AE98362741F722202EED3288E8FF2508B35315ADBF75EEB3195A926B40
I use the getSecretKey() method at generateToken and extractAllClaims , why can they be not match?

[KhanamDEV]

@lhazlewood https://github.com/KhanamDEV/base-spring-boot this is my project.
I spent all day finding the cause of this error. You can take a look at it. Help me please ☹️

[lhazlewood]

The following test class works without any problems, errors or exceptions no matter how many times I run it, using your JWT_SECRET_KEY value you pasted above (which is now publicly exposed to the world, I hope that was just a test key! 😅 ).

Because of this, I suspect your problem is related to your application or environment, mostly likely that the JWT_SECRET_KEY has been changed. In other words (for example):

1. Your application (version A) generates a token using JWT_SECRET_KEY and sends it to a client (e.g. web browser).
2. You redeploy your application (now version B), and it is started up with a different JWT_SECET_KEY environment value different from the first one.
3. If the browser sends the application-A token to application-B, the key that generated the token (application-A) will be different than the key used to verify the token (application-B), and signature verification will fail.

This is just a guess, because I'm unable to reproduce any errors. See below:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;

import java.security.Key;
import java.util.Date;

public class JjwtDiscussion821 {

    private static final String SECRET_KEY_BASE64 = "671491AE98362741F722202EED3288E8FF2508B35315ADBF75EEB3195A926B40";

    public Key getSecretKey() {
        byte[] keyBytes = Decoders.BASE64.decode(SECRET_KEY_BASE64);
        return Keys.hmacShaKeyFor(keyBytes);
    }

    public Claims extractAllClaims(String token) {
        return Jwts
                .parserBuilder()
                .setSigningKey(getSecretKey())
                .build()
                .parseClaimsJws(token)
                .getBody();
    }

    public String generateToken(String username) {
        return Jwts
                .builder()
                .setSubject(username)
                .setIssuedAt(new Date(System.currentTimeMillis()))
                .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 24 * 90))
                .signWith(getSecretKey(), SignatureAlgorithm.HS256)
                .compact();
    }

    public boolean isTokenValid(String token, String username) {
        Claims claims = extractAllClaims(token);
        final String subject = claims.getSubject();
        return username.equals(subject);
    }

    public static void main(String[] args) {
        JjwtDiscussion821 test = new JjwtDiscussion821();
        String username = "testUser";
        for(int i = 0; i < 500; i++) {
            String jws = test.generateToken(username);
            assert test.isTokenValid(jws, username);
        }
    }
}

[KhanamDEV]

@lhazlewood Thank you for your time, I have just started creating the project and have not used or deployed it yet.
Like the repository I sent you in the above thread, I'm really tired of this problem today. I simply run it at localhost

[KhanamDEV]

@lhazlewood I haven't even created a route related to JWT yet. Simply start the program and access a demo route,

[KhanamDEV]

@lhazlewood sorry, I found the reason, because my postman already had an authorization token. Thank you for your time lol.