OpenIG 4.0:JWT signature does not match locally computed signature

This topic contains 2 replies, has 2 voices, and was last updated by  srinath.m 1 year, 1 month ago.

  • Author
  • #22422

    Hi All,

    Iam getting below exception in OpenIG custom java filter code.
    I have set the sharedSecret in properties file which is loading dynamically.
    encodedJwt = This is getting from OpenAM after login as a user.
    encodingFormat = UTF-8

    encodedJwtArray = statelessSessionToken.split(Pattern.quote(MineConstants.ASTERISK));
    encodedJwt = encodedJwtArray[2];
    Claims claims = Jwts.parser().setSigningKey(sharedSecret.getBytes(encodingFormat)).parseClaimsJws(encodedJwt);

    Error :
    io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(
    at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(
    at OpenIGFiltersMine.customOpenIGFiltersMine.MineUtils.verifyJWTSignatureAndGetJSONString(
    at OpenIGFiltersMine.customOpenIGFiltersMine.SampleFilter.processSSOToken(
    at OpenIGFiltersMine.customOpenIGFiltersMine.SampleFilter.filter(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.openig.filter.Chain.handle(
    at org.forgerock.openig.handler.DispatchHandler.handle(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.openig.handler.router.NullResponseFilter.filter(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.openig.filter.RuntimeExceptionFilter.filter(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.openig.handler.router.Route.handle(
    at org.forgerock.openig.handler.router.RouterHandler.handle(
    at org.forgerock.openig.audit.decoration.AuditHandler.handle(
    at org.forgerock.openig.decoration.capture.CaptureHandler.handle(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.http.routing.Router.handle(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(
    at org.forgerock.http.handler.Chain.handle(
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(
    at javax.servlet.http.HttpServlet.service(
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(
    at org.apache.catalina.core.StandardWrapperValve.invoke(
    at org.apache.catalina.core.StandardContextValve.invoke(
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
    at org.apache.catalina.core.StandardHostValve.invoke(
    at org.apache.catalina.valves.ErrorReportValve.invoke(
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(
    at org.apache.catalina.core.StandardEngineValve.invoke(
    at org.apache.catalina.connector.CoyoteAdapter.service(
    at org.apache.coyote.http11.AbstractHttp11Processor.process(
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$ Source)
    at org.apache.tomcat.util.threads.TaskThread$
    at Source)

    OpenIG version = 4.0

    Any help on this would be appreciated.

    • This topic was modified 1 year, 1 month ago by  srinath.m.

    Hi srinath.m,

    I understand that you get the signed-JWT from AM (stateless) but without knowing your AM configuration and without seeing the JWT it is not easy to help you.
    What I could suggest is to verify your AM configuration (which version?) and double checked that you have provided the same key when you had configured your stateless sessions as the one you are using for verifying the signature.

    About the JWT, they are usually separated by dot (.) and not asterisks (*) and their format is just (for a JWS). For extracting the data from the JWT, you could do a simple .split("\\."); then signature is the last part of the JWT.


    Thanks @violette for pointing me in the right direction. Iam using OpenAM 13 version. I have given wrong JWT sharedSecret in the properties file. After correcting this it works fine. Thanks again.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?