Is the JWT signature properly encoded?

I have been using JWTs for a while now and have always had this nagging doubt that a JWT generated from Apigee does not have its signature base64-encoded.

As per the IETF standards, the pseudocode for generating a JWT is:

      BASE64URL(UTF8(JWS Protected Header)) || '.' ||
      BASE64URL(JWS Payload) || '.' ||
      BASE64URL(JWS Signature)

Basically, all three parts of the JWT have to be concatenated after they are individually base64-encoded.

However, when I generate a JWT within Apigee and then use an online editor to examine it (say jwt.io), I notice that the signature is not encoded. Why is this? Is there some option within the policy that can generate a JWT with a signed signature? If there is, shouldn't this be the case by default?

What do you mean by “notice that the signature is not encoded”? Give specifics please?

I just created a JWT from Apigee:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwiaWF0IjoxNTM2NzYyMjQyLCJqdGkiOiJ0ZXN0In0.LXG9Cp_lg6dE14rGq8Ny1mF4XuaRjBi0Ahky7CBKR8A

This is a JWT signed using HS256 with the secret 'test'.

If you paste each part of the JWT in a base64 decoder (say at base64decode.org), here is what happens:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 - {"typ":"JWT","alg":"HS256"}
eyJzdWIiOiJ0ZXN0IiwiaWF0IjoxNTM2NzYyMjQyLCJqdGkiOiJ0ZXN0In0 - {"sub":"test","iat":1536762242,"jti":"test"}
LXG9Cp_lg6dE14rGq8Ny1mF4XuaRjBi0Ahky7CBKR8A - No printable characters found, try another source charset, or upload your data as a file for binary decoding.

The signature of the JWT generated from Apigee is not base64 encoded.

That is expected behavior. (See my complete answer below)

I understand the observations you are making. Here's my perspective.

The message that says "No printable characters found," is expected.

The signature is an array of bytes. Encoding it as base64 allows it to be printable. Decoding it results in... the original byte array. That byte array is not printable; it does not represent ASCII or UTF-8, etc. It's just a byte array. And for that reason, the message you see is expected.

Regarding your conclusion "the signature is not base64 encoded"; that is not valid. When you base64-decode the signature value, you actually got a decoded value! It wasn't printable. But that doesn't mean the original wasn't encoded. If, when you try to decode the original signature string, you get a message saying "that's not a base64-encoded string", THEN you could conclude that the signature is not base64-encoded.

In summary:

  • What you are observing is all expected.
  • Base64-decoding the signature will never result in a printable string.
  • The signed JWTs generated by Apigee Edge are valid and correct.
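
The following is an added example (not code from the thread or from Apigee) that walks through exactly what the answer above describes, using only the Python standard library. It takes the token quoted earlier in the thread, splits it into the three compact-serialization segments from the OP's pseudocode, base64url-decodes each one, and shows that the header and payload come back as the JSON the decoder displayed while the signature comes back as 32 raw HMAC-SHA256 bytes that contain non-printable values. It also contains a minimal HS256 signer/verifier so the round trip can be checked; the claim that the secret was 'test' is the poster's, and the block only reports whether that secret reproduces the signature.

```python
import base64
import hashlib
import hmac
import json
import string

# Token quoted earlier in this thread (stated to be HS256 with secret 'test').
APIGEE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJ0ZXN0IiwiaWF0IjoxNTM2NzYyMjQyLCJqdGkiOiJ0ZXN0In0."
    "LXG9Cp_lg6dE14rGq8Ny1mF4XuaRjBi0Ahky7CBKR8A"
)


def b64url_encode(raw: bytes) -> str:
    """RFC 7515 BASE64URL: URL-safe alphabet ('-' and '_'), '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding JWS strips so the
    standard decoder accepts it (a plain base64 tool would choke on '_')."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def split_jws(token: str):
    """Split compact serialization into (header, payload, signature) segments."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return parts[0], parts[1], parts[2]


def decode_segments(token: str) -> dict:
    """Decode all three segments. Header and payload are JSON text; the
    signature is an opaque byte array and is deliberately left as bytes."""
    h, p, s = split_jws(token)
    sig = b64url_decode(s)
    return {
        "header": json.loads(b64url_decode(h)),
        "payload": json.loads(b64url_decode(p)),
        "signature": sig,
        "signature_len": len(sig),  # 32 for HS256: one SHA-256 MAC
        "signature_is_printable": all(chr(b) in string.printable for b in sig),
    }


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build BASE64URL(header) || '.' || BASE64URL(payload) || '.' || BASE64URL(sig)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode("ascii")
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the MAC over the first two segments as they appear on the
    wire and compare it, in constant time, with the decoded third segment."""
    try:
        h, p, s = split_jws(token)
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(s))
    except ValueError:  # malformed token or bad base64url
        return False


if __name__ == "__main__":
    parts = decode_segments(APIGEE_TOKEN)
    print("header :", parts["header"])
    print("payload:", parts["payload"])
    print("signature bytes:", parts["signature"].hex(), f"({parts['signature_len']} bytes)")
    print("signature printable as text?", parts["signature_is_printable"])
    print("secret 'test' reproduces the signature?", verify_hs256(APIGEE_TOKEN, b"test"))
```

The decoded signature is what a standard base64 decoder shows as "no printable characters": it is the MAC itself, not text, so the right check is whether the segment decodes at all and whether the recomputed MAC matches it, never whether the decoded bytes look like a string.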

Thanks for the clarification, Dino!

Sure thing, I'm glad it helped!

I am trying to pass a JWT generated in Apigee to the actual API and authenticate the API call. But I too have a similar issue: I see the JWT generated by Apigee is shown as "invalid signature" in jwt.io, and passing the token to my API developed in ASP.NET Core 2.2 with JWT authorisation gives the same invalid signature error.

Ask a new question, please. (Don't append new questions in comments to 6-month-old questions.)