Cannot decode JWT token: Signature verification failed

[ChristianF88]

Hi,

I am using a dockerized version of ckan 2.9.9 with ckanext-envvars.

When posting to the API, with a freshly generated token for a sysadmin user I get this error:

2024-01-25 13:08:14,776 ERROR [ckan.lib.api_token] Cannot decode JWT token: Signature verification failed

I have tried posting via curl, but also tried ckanapi - same issue. I also tried different ways of generating the token (via website, via cli), it did not make a difference.

The JWT encode and decode secrets are set via string:.

I can run package_search but for example package_show fails and other things like package_create fails too.

Any suggestions?

[ChristianF88]

I have added an API key for testing, everything works with an API key.

[blagojabozinovski]

@ChristianF88 Is the value for the api_token in the production.ini file the same for both encode and decode secret when You create and test the api token?
For example
api_token.jwt.encode.secret = string:ABC123456543
api_token.jwt.decode.secret = string:ABC123456543

[ChristianF88]

Hi @blagojabozinovski,

The strings for encoding and decoding are different:

CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:712408sdghdavjcro3zg43o543
CKAN___API_TOKEN__JWT__DECODE__SECRET=string:ynccxbasdgeiuwqz538426432safh

They're defined via ckanext-envs.

[blagojabozinovski]

@ChristianF88 then I think that is the issue. The value for encode secret when the token was created should be the same used when You decode (and use) that token.

[ChristianF88]

@blagojabozinovski thanks for responding so quickly. I will test this later and share my findings here. However if both secrets should be the same, why do two strings have to be defined? I have not looked into the JWT algortihm but that seems a bit weird to me.

[ChristianF88]

I tested with encode and decode strings being the same and it does work perfectly, thanks @blagojabozinovski. I assume there are two fields available because of the other cryptographic algorithms available for token handling. In my opinion it would be helpful to improve the error message, or even run some kind of validation, if the settings make sense for the selected cryptographic algorithm.