[VerifyJWT] Invalid JWS header: Invalid JSON: Unexpected token..

Hi guys,

I have an issue as I wrote in the title regarding the VerifyJWT policy.

I'm trying to validate the external JWT provided by Keycloak but I'm receiving this error message:

Invalid JWS header: Invalid JSON: Unexpected token �z��&�r#�%%3#Sb"�'G�"�$�uB"�&��B"�%�C�wu7����ƦDD$��5CEw��tW��Ĥ�FuV6EFr' at position 84.


I'm using the following policy (extracted):

<DisplayName>Keycloak-Verify-JWT</DisplayName>
<Algorithm>RS256</Algorithm>
<Source>request.header.authorization</Source>
<PublicKey>
  <Value ref="public.jwt"/>
</PublicKey>
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>


public.jwt = public key provided by keycloak v10.0.0

I also tried the validation step in jwt.io and it's ok.

EDIT1: The DecodeJWT policy also fails for the same reason. I've checked the token format and it seems correct:

header.payload.signature

ACCEPTED SOLUTION

Hey, I found the solution and I want to share it here in case someone has the same problem.

The issue I experienced was triggered by the presence of the word "Bearer" inside the Authorization header.

I added an ExtractVariables policy with this piece of code:

<ExtractVariables name="Extract-Variables-1"> 
  <DisplayName>Extract Variables-1</DisplayName> 
  <Properties/> 
  <Header name="Authorization"> 
    <Pattern ignoreCase="false">Bearer {private.jwt}</Pattern> 
  </Header> 
  <Source clearPayload="false">request</Source> 
</ExtractVariables>

With that policy you can extract the JWT from the header and pass it on to the next step (validation or decode).
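To see why the raw header value breaks the policy, here is an added Python example; it is not code from the original post or from Apigee. It builds a constructed sample token, shows that a compact-JWS parser cannot read the protected header while the "Bearer " scheme is still attached to the first segment, and implements the same prefix-stripping extraction that the Pattern above performs (case-sensitive, matching ignoreCase="false"). The function names, the sample key id and the placeholder signature segment are my own assumptions.

```python
import base64
import json
import re

# Constructed sample token: header and payload are real base64url JSON,
# the third segment is a placeholder, not a valid RS256 signature.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key-id"}
SAMPLE_PAYLOAD = {"sub": "alice", "iss": "https://keycloak.example/realms/demo"}


def _b64url_encode(obj: dict) -> str:
    """Compact JSON, base64url without padding, as JWS requires."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_JWT = ".".join(
    [_b64url_encode(SAMPLE_HEADER), _b64url_encode(SAMPLE_PAYLOAD), "c2lnbmF0dXJl"]
)


def decode_segment(segment: str) -> bytes:
    """Base64url-decode one compact-serialization segment, restoring padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def parse_jws_header(compact: str) -> dict:
    """Parse the protected header of a compact JWS (header.payload.signature).

    This is the first thing a VerifyJWT/DecodeJWT step has to do. If the
    first segment still carries the 'Bearer ' scheme, the base64url decode is
    misaligned: Python's decoder rejects the input outright, and a decoder
    that tolerates it hands json.loads a byte salad, which is the
    'Invalid JSON: Unexpected token ...' error quoted in the question.
    """
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(decode_segment(parts[0]))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError(f"Invalid JWS header: {exc}") from exc
    if not isinstance(header, dict):
        raise ValueError("Invalid JWS header: not a JSON object")
    return header


def header_parses(compact: str) -> bool:
    """True if the protected header can be read, False otherwise."""
    try:
        parse_jws_header(compact)
        return True
    except ValueError:
        return False


# Equivalent of <Pattern ignoreCase="false">Bearer {private.jwt}</Pattern>:
# scheme must be exactly 'Bearer', token must be three base64url segments.
BEARER_RE = re.compile(
    r"^\s*Bearer\s+(?P<token>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\s*$"
)


def extract_bearer_jwt(authorization: str) -> str:
    """Return only the compact JWS from an Authorization header value."""
    match = BEARER_RE.match(authorization)
    if not match:
        raise ValueError("Authorization header is not a Bearer token")
    return match.group("token")


if __name__ == "__main__":
    raw_header = "Bearer " + SAMPLE_JWT
    print("header parses with scheme attached:", header_parses(raw_header))
    token = extract_bearer_jwt(raw_header)
    print("header after extraction:", parse_jws_header(token))
```

Running the block prints `False` for the untouched header value and the decoded `{"alg": "RS256", ...}` header once the scheme has been stripped, which is exactly the difference between feeding `request.header.authorization` and `private.jwt` to the policy.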



Thanks for the answer.

Another way to avoid the problem is to eliminate the Source element completely.

If there is no Source element, then the VerifyJWT policy extracts the JWT from the Authorization header (stripping the Bearer prefix) for you.

I'm sorry if this was not clear from the documentation.

Thanks for the explanation, now it's clear.