Cannot decode JWT token: Signature verification failed #8039
Replies: 6 comments
-
I have added an API key for testing, everything works with an API key.
-
@ChristianF88 Is the value for the api_token in the production.ini file the same for both encode and decode secret when you create and test the api token?
-
The strings for encoding and decoding are different:

```
CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:712408sdghdavjcro3zg43o543
CKAN___API_TOKEN__JWT__DECODE__SECRET=string:ynccxbasdgeiuwqz538426432safh
```

They're defined via ckanext-envs.
-
@ChristianF88 then I think that is the issue. The value for the encode secret when the token was created should be the same as the one used when you decode (and use) that token.
-
@blagojabozinovski thanks for responding so quickly. I will test this later and share my findings here. However, if both secrets should be the same, why do two strings have to be defined? I have not looked into the JWT algorithm but that seems a bit weird to me.
-
I tested with encode and decode strings being the same and it does work perfectly, thanks @blagojabozinovski. I assume there are two fields available because of the other cryptographic algorithms available for token handling. In my opinion it would be helpful to improve the error message, or even run some kind of validation, if the settings make sense for the selected cryptographic algorithm.
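The mismatch resolved in this thread, as an added example that is not part of the original discussion and not CKAN's own code: with an HMAC algorithm such as HS256 the same secret both signs and verifies, so a token signed with one value and checked with another is rejected, and a startup check of the kind suggested above catches the misconfiguration early. It assumes HS256 is the algorithm in use and relies only on the Python standard library; the function names, secrets and payload are constructed for illustration.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _secret(value: str) -> bytes:
    # Settings in the thread carry a "string:" prefix; the key is what follows it.
    return (value[7:] if value.startswith("string:") else value).encode()

def _sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(_secret(secret), signing_input.encode(), hashlib.sha256).digest()

def encode_hs256(payload: dict, encode_secret: str) -> str:
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in parts)
    return signing_input + "." + _b64url(_sign(encode_secret, signing_input))

def decode_hs256(token: str, decode_secret: str) -> dict:
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("Malformed token") from exc
    # Pin the expected algorithm instead of trusting whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("Unexpected algorithm")
    expected = _sign(decode_secret, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("Signature verification failed")
    return json.loads(_unb64url(payload_b64))

def check_jwt_settings(algorithm: str, encode_secret: str, decode_secret: str) -> list:
    """Startup check: HMAC algorithms need identical encode and decode secrets."""
    if algorithm.upper().startswith("HS") and encode_secret != decode_secret:
        return [algorithm + " is symmetric: encode and decode secrets must match"]
    return []

if __name__ == "__main__":
    enc, dec = "string:constructed-secret-A", "string:constructed-secret-B"
    token = encode_hs256({"jti": "constructed-token-id"}, enc)
    print(check_jwt_settings("HS256", enc, dec))
    print(decode_hs256(token, enc))   # same secret: payload is returned
    try:
        decode_hs256(token, dec)      # different secret, as in the thread
    except ValueError as err:
        print("rejected:", err)
```

The check deliberately leaves asymmetric algorithms alone, since those sign with a private key and verify with a different public key.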
-
Hi,

I am using a dockerized version of `ckan 2.9.9` with `ckanext-envvars`.

When posting to the API, with a freshly generated token for a `sysadmin` user I get this error:

I have tried posting via `curl`, but also tried `ckanapi` - same issue. I also tried different ways of generating the token (via website, via cli), it did not make a difference.

The JWT encode and decode secrets are set via `string:`.

I can run `package_search` but for example `package_show` fails and other things like `package_create` fail too.

Any suggestions?