I think you are seeing the discrepancy due to base64 vs. base64url decoding. I think the jwt spec. wants base64 url vs. plain base64.
https://en.wikipedia.org/wiki/Base64#URL_applications On Friday, December 14, 2018 at 9:37:45 AM UTC-6, Devendra Sisodia wrote: > > While decoding JWT there is error "Bad Base64 input character decimal 37 > in array position 806" Which means 37(%) is not allowed in encoded base 64 > string in JWT. > > My JWT looks like below and yellow highlighted is the 806th element that > cannot be base 64 decode. > > eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpdmVyYXNlI<string>NTg3In0%3D. > UmNz8ikEOFYqPgHRmZb1SK6A1pRFu48fSfYTasMGYHKtg7V8JepAfwunXwFeHsx5JTi4yKBug1Tq9PqfdY93lA > > On Fri, Dec 14, 2018 at 2:11 PM Giuseppe Infurna <giusepp...@gmail.com > <javascript:>> wrote: > >> >> i'm using io.jsonwebtoken.jjwt library >> >> Jwts.parser().setSigningKey(<yourSecretKey>).parseClaimsJws(<yourJwt>); >> >> >> >> Il giorno venerdì 14 dicembre 2018 14:02:14 UTC+1, Devendra Sisodia ha >> scritto: >>> >>> Hello, >>> >>> Big Thanks for sharing configuration and as a result JWT is not >>> encrypted and only signed. >>> >>> But now I face strange issue. when I try to verify signature it fails. I >>> am using AES and single key to sign and JWT is generated. But the generate >>> JWT fails signature verification. >>> >>> JWT generated as below: >>> 2018-12-14 12:33:00,684 DEBUG >>> [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service [ >>> http://localhost:8888/api] in service registry> >>> 2018-12-14 12:33:00,685 DEBUG >>> [org.apereo.cas.token.JWTTokenTicketBuilder] - <Locating service specific >>> signing and encryption keys for [http://localhost:8888/api] in service >>> registry> >>> 2018-12-14 12:33:00,690 WARN >>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not >>> enabled for [Token/JWT Tickets]. The cipher >>> [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce >>> signed objects> >>> 2018-12-14 12:33:00,690 WARN >>> [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not >>> enabled for [Token/JWT Tickets]. The cipher >>> [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain >>> objects> >>> 2018-12-14 12:33:00,690 DEBUG >>> [org.apereo.cas.token.JWTTokenTicketBuilder] - <Encoding JWT based on >>> default global keys for [http://localhost:8888/api]> >>> 2018-12-14 12:33:00,734 DEBUG >>> [org.apereo.cas.authentication.principal.DefaultResponse] - <Sanitized URL >>> for redirect response is [http://localhost:8888/api]> >>> 2018-12-14 12:33:00,736 DEBUG >>> [org.apereo.cas.authentication.principal.DefaultResponse] - <Final redirect >>> response is [ >>> http://localhost:8888/api?redirect=true&ticket=eyJhbGciOiJSUzUxMiJ9 >>> >>> Verfication code used is: >>> final Key key = new AesKey(jwtSigning.getBytes(StandardCharsets.UTF_8)); >>> >>> final JsonWebSignature jws = new JsonWebSignature(); >>> jws.setCompactSerialization(secureJwt); >>> jws.setKey(key); >>> if (!jws.verifySignature()) { >>> throw new Exception("JWT verification failed"); >>> } >>> >>> On Thu, Dec 13, 2018 at 3:40 PM Giuseppe Infurna <giusepp...@gmail.com> >>> wrote: >>> >>>> >>>> yes >>>> >>>> >>>> ###Token/JWT Tickets ENCRIPTION >>>> cas.authn.token.crypto.enabled=true >>>> >>>> cas.authn.token.crypto.signing-enabled=true >>>> cas.authn.token.crypto.signing.key= >>>> Dkkpi7iUKqidOXXmeAbr4RyHirYmgQgqqUrIo6q_JPNks2iqX2l95jVVoZQDWLNiFnhQF43agCtdMxRnIXOO9g >>>> >>>> cas.authn.token.crypto.encryption-enabled=false >>>> cas.authn.token.crypto.encryption.key= >>>> >>>> and >>>> >>>> { >>>> "@class" : "org.apereo.cas.services.RegexRegisteredService", >>>> "serviceId" : "^(http|https)://?localhost(:8081|:9060|:9000)?/.*", >>>> "name" : "myApplication", >>>> "theme" : "myApplication", >>>> "id" : 10000003, >>>> "description" : "My Application", >>>> "evaluationOrder" : 1, >>>> "usernameAttributeProvider" : { >>>> "@class" : >>>> "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider" >>>> }, >>>> "attributeReleasePolicy" : { >>>> "@class" : >>>> "org.apereo.cas.services.ReturnAllAttributeReleasePolicy" >>>> }, >>>> "accessStrategy" : { >>>> "@class" : >>>> "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy", >>>> "enabled" : true, >>>> "ssoEnabled" : true >>>> }, >>>> "proxyPolicy" : { >>>> "@class" : >>>> "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy", >>>> "pattern" : "^(http|https)?://.*" >>>> }, >>>> "properties" : { >>>> "@class" : "java.util.HashMap", >>>> "jwtAsServiceTicket" : { >>>> "@class" : >>>> "org.apereo.cas.services.DefaultRegisteredServiceProperty", >>>> "values" : [ "java.util.HashSet", [ "true" ] ] >>>> } >>>> } >>>> } >>>> >>>> >>>> >>>> Il giorno giovedì 13 dicembre 2018 14:55:49 UTC+1, Devendra Sisodia ha >>>> scritto: >>>>> >>>>> Sorry, but this does not work. >>>>> How's your service(one with definition of 'jwtAsServiceTicket', etc) >>>>> looks like ? >>>>> >>>>> >>>>> On Thu, Dec 13, 2018 at 2:09 PM Giuseppe Infurna <giusepp...@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi all, >>>>>> I'm work fine with >>>>>> >>>>>> cas.authn.token.crypto.encryption-enabled=false >>>>>> cas.authn.token.crypto.encryption.key= >>>>>> >>>>>> >>>>>> Il giorno lunedì 12 novembre 2018 16:44:10 UTC+1, Xavier Rodríguez ha >>>>>> scritto: >>>>>>> >>>>>>> I'm configuring Cas Server 5.3.3. In one service I need to response >>>>>>> a JWT without encryption. Is it possible? >>>>>>> >>>>>>> I have changed in cas.properties: >>>>>>> >>>>>>> cas.authn.token.crypto.encryptionEnabled=false >>>>>>> >>>>>>> But it not has effect. In my service I don't configure the property >>>>>>> too: >>>>>>> >>>>>>> "jwtAsServiceTicketEncryptionKey" >>>>>>> >>>>>>> How can I disable this property? >>>>>>> >>>>>>> Regards! >>>>>>> >>>>>>> - Xavier - >>>>>>> >>>>>> -- >>>>>> - Website: https://apereo.github.io/cas >>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>>>> - List Guidelines: https://goo.gl/1VRrw7 >>>>>> - Contributions: https://goo.gl/mh7qDG >>>>>> --- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "CAS Community" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to cas-user+u...@apereo.org. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0cdbba7e-75b3-4a5f-9e4b-c68b9e8a233a%40apereo.org >>>>>> >>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/0cdbba7e-75b3-4a5f-9e4b-c68b9e8a233a%40apereo.org?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> >>>>> >>>>> -- >>>>> -- >>>>> >>>> - Website: https://apereo.github.io/cas >>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to cas-user+u...@apereo.org. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc5f9360-536c-4c27-89bd-d6b69c99089f%40apereo.org >>>> >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/dc5f9360-536c-4c27-89bd-d6b69c99089f%40apereo.org?utm_medium=email&utm_source=footer> >>>> . >>>> >>> >>> >>> >>> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to cas-user+u...@apereo.org <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/202650b5-d998-4539-af60-50218543325f%40apereo.org >> >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/202650b5-d998-4539-af60-50218543325f%40apereo.org?utm_medium=email&utm_source=footer> >> . >> > > > -- > Thanks & regards, > Devendra > Mobile: +49 1748437888 > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c28790e-89e4-41c5-ba72-3f06ef76a3b1%40apereo.org.
