JWT Web Signature Invalid

Issue #100 invalid
Vaishnavi Manjunath created an issue

Hi, I am generating JWT token when user logs in and adding email and password as claims :

             rsaJsonWebKey =  RsaJwkGenerator.generateJwk(2048);
             rsaJsonWebKey.setKeyId(userId);
            JwtClaims claims = new JwtClaims();
    claims.setExpirationTimeMinutesInTheFuture(1440); 
    claims.setGeneratedJwtId(); 
    claims.setIssuedAtToNow(); 
    claims.setClaim("email",email); 
    claims.setClaim("password", password);      
            claims.setSubject("user");


    JsonWebSignature jws = new JsonWebSignature();
    jws.setPayload(claims.toJson());
    jws.setKey(rsaJsonWebKey.getPrivateKey());
    jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
    jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
    jwt = jws.getCompactSerialization();

On generation of this token I store rsaJsonWebKey in JSON format in db against unique identifier for user. This token is sent back to the user which is sent along every request that comes in from user.

On every request, I query for all db records with this user unique ID like :

          for(JWTConfig publicKey : config)  //for each record for user
        {
        PublicJsonWebKey jsonWebKey = PublicJsonWebKey.Factory.newPublicJwk(publicKey.getWebkey());
             RsaJsonWebKey rsaJsonWebKey = new RsaJsonWebKey((RSAPublicKey) jsonWebKey.getPublicKey());
             rsaJsonWebKey.setKeyId(userId);   //ths is unique user Id 
             jsonWebKeys.add(rsaJsonWebKey);
        }



        JwksVerificationKeyResolver jwksVerificationKeyResolver = new JwksVerificationKeyResolver(jsonWebKeys);



            JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setRequireSubject()
                .setVerificationKeyResolver(jwksVerificationKeyResolver)
                .build();

            jwtClaims = jwtConsumer.processToClaims(token);

This works for now. As you can login from multiple devices , I have many records in db for same user. Now if user changes password and logs in, token claims would have new password, But when I try to resolve , I get Invalid JWT Exception, which says that web signature is invalid and lets say there were 2 db records with old password and 1 with new one , new one that got created at login isn't getting validated.

I really need to fix this issue asap.

Note : I tried to delete tokens with old pwd from db, and then tried to validate it worked. I don't know if its issue with key resolver. Please do the needful.

Thanks.

Comments (11)

  1. Brian Campbell repo owner

    The JwksVerificationKeyResolver uses the key ID ("kid") as one of the main criteria when trying to select the appropriate key. So when you use the userId as the kid like that, it'll find more than one key that it could use and just go with the first. Which is why you're getting an invalid signature. So changing the kid handling should address this issue.

    Generally speaking, however, you shouldn't need a different key per user. And password should probably never be a claim in the token (an RSA signed JWT is not encrypted).

  2. Vaishnavi Manjunath reporter

    Hi Brain, Thanks for your response. In my case password is encrypted, so that should do right?

  3. Vaishnavi Manjunath reporter

    I don't think its issue with key resolver finding the first entry with mentioned key. Because all this while I had a case where a single user logged in from multiple devices, and each time I had DB entry with same userId as key and associated json webkey. I faced no issue of invalid signature.

    So best way is to have key unique even among same User right? to achieve the scenario where he is logged in from multiple devices.

  4. Brian Campbell repo owner

    It looks like you had more than one key for the same user (after a password change) and set the same key id for each of them.

  5. Brian Campbell repo owner

    But if you have different keys that could be used in some context and need to chose between them, the key id needs to be unique in that set of keys.

  6. Vaishnavi Manjunath reporter

    I had another query. So can you explain what exactly does key resolver do? Will it not just match keyId with jsonwebkey to see that token isn't tampered. What is it to do with claims at all? I just need clarification because I am not sure.

  7. Brian Campbell repo owner
  8. Log in to comment