creating JWT with header, payload and signature in java

Question

i want to generate a jwt for a given header, payload and a secret key.

my header;

{ "typ": "JWT", "alg": "HS256" }

my payload;

{ "iss": "46181382", "ist": "project", "iat": 1536225835, "exp": 1536226835, "jti": "abcdefghi" }

my secret key; 105446462291847624638651561dfg156148df941819498

here is my java code, it already create an jwt. but i think the secret key is not get included to it. because once i use that jwt for my header in tokbox api call i get the following response.

 {
"code": -1,
"message": "Invalid signature",
"description": "Invalid signature"
}

here is the code;

    byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("105446462291847624638651561dfg156148df941819498");
    Key signingKey = new SecretKeySpec(apiKeySecretBytes, SignatureAlgorithm.HS256.getJcaName());

    Map map = new HashMap<String,Object>();
    map.put("alg","HS256");
    map.put("typ","JWT");

    String jwt = Jwts.builder()
            .setHeader(map)
            .claim("iss", "46181382")
            .claim("ist", "project")
            .claim("iat", currentTimeSeconds())
            .claim("exp", expireTimeSeconds())
            .claim("jti", "abcdefghi")
            .signWith(SignatureAlgorithm.HS256,signingKey)
            .compact();

currentTimeSeconds() and expireTimeSeconds() are methods written by myself. i am sure there is no issue with them. I am not sure with this .signWith() method.

Could any one please help me.

Thank you.

That doesn't look like a opentok secret, they usually contain letters. Are you just trying to generate an opentok token? There's is a Java SDK to help if so https://tokbox.com/developer/guides/create-token/java/ Also don't post any secret keys on StackOverflow, someone could use them. — maikthomas, Sep 06 '18 at 11:54
It looks like your expire time is 7 minutes after your issue time. Per the OpenTok docs, the expiration time can be no more than 5 minutes after the issue time. That may be your issue. https://tokbox.com/blog/jwt-the-new-authentication-scheme-for-opentok-rest-endpoints/ — adrice727, Sep 06 '18 at 23:34
@benjaminc yes it is a valid secret key. I want to know whether is this code correct? — Dhanushka Sampath, Sep 07 '18 at 03:55
@maikthomas I want to generate the jwt. I have already generated the session id and token. also this is not my real secret key. i just added some numbers. — Dhanushka Sampath, Sep 07 '18 at 03:57
@adrice727 my expiration time is less than 5 minutes. I think there is no issue with time. I have the dough with signwith () part. — Dhanushka Sampath, Sep 07 '18 at 04:06
I did some more change to my code as above. but it also didn't work. it means the required JWT not generated — Dhanushka Sampath, Sep 07 '18 at 06:00
Hi all..I found the answer. thank you so much for your interest on my question. — Dhanushka Sampath, Sep 07 '18 at 06:20

score 0 · Answer 1 · answered Sep 07 '18 at 06:19

I found the answer. In the above code the secret key should be given as Base64URL encoded value. it means the first line should change as follows.

byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary("MTA1NDQ2NDYyMjkxODQ3NjI0NjM4NjUxNTYxZGZnMTU2MTQ4ZGY5NDE4MTk0OTg=");

creating JWT with header, payload and signature in java

1 Answers1