
JWT Validation fails - trailing slash on api key of issuer prevents validation

kneuhaus
Explorer

Hi,

We are currently using CDC login (pge) for authentication / login of users (OAuth2). We also implemented a server-side communication (with apiKey + secret and so on) using the given Java SDK Core for CDC.

Works fine, we retrieve accountInfo, etc.

As we want to validate the JWT given from FrontendApplication to our Backend, we ran into an issue in Gigya/CDC Java Authentication SDK in class GsAuthRequestUtils.
In "verifyJWT" the issuer from the JWT-Body is compared to a "valid" issuer (defined URL + ApiKey):

// #1 - Parse the JWT and verify its signature against the known key.
final Jws<Claims> claimsJws = Jwts.parser().setSigningKey(key).parseClaimsJws(jwt);

// #2 - Verify JWT provided api key with input api key.
final String issuer = claimsJws.getBody().getIssuer();
final String validIssuer = "https://fidm.gigya.com/jwt/" + apiKey; // built without a trailing slash

But the issuer ends with a "/" (trailing slash) and the "validIssuer" does not; these two are compared and the comparison always fails, exiting the verification. When removing the trailing slash, all is fine and the JWT gets validated successfully.

// Exact string comparison: ".../jwt/<apiKey>/" never equals ".../jwt/<apiKey>".
if (issuer != null && !issuer.equals(validIssuer)) {
    logger.write("JWT verification failed - apiKey does not match");
    return null;
}

Can anybody "help" to remove this bug?
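The following is an added example, not code from the post or from the CDC/Gigya SDK. It reproduces the mismatch described above with a self-contained HS256 JWT (hand-rolled with `hmac`/`json`, no external library) and shows an issuer check that tolerates exactly one trailing slash while still requiring an exact match of scheme, host, path and apiKey. The apiKey and secret are constructed placeholders; the issuer base URL is the one quoted in the post.

```python
import base64
import hashlib
import hmac
import json

ISSUER_BASE = "https://fidm.gigya.com/jwt/"   # as quoted from the SDK source in the post

# Constructed demo values (not real credentials).
API_KEY = "3_exampleApiKeyPlaceholder"
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a minimal HS256 JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """Verify the signature first; claims are only trusted after this succeeds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":                      # pin the algorithm, never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def expected_issuer(api_key: str) -> str:
    return ISSUER_BASE + api_key


def issuer_matches_strict(issuer, api_key: str) -> bool:
    """The comparison as quoted from the SDK: plain string equality, no normalisation."""
    return issuer is not None and issuer == expected_issuer(api_key)


def normalize_issuer(issuer: str) -> str:
    """Strip at most one trailing slash; every other character stays significant."""
    return issuer[:-1] if issuer.endswith("/") else issuer


def issuer_matches(issuer, api_key: str) -> bool:
    """Exact match after normalising a single trailing slash on both sides.

    Deliberately not a prefix/startswith check: '.../jwt/<apiKey>x' must fail.
    A missing 'iss' claim is treated as a failure rather than skipped.
    """
    if issuer is None:
        return False
    return normalize_issuer(issuer) == normalize_issuer(expected_issuer(api_key))


def validate_token(token: str, secret: bytes, api_key: str) -> dict:
    """Signature check, then issuer check; returns the claims or raises ValueError."""
    claims = verify_hs256_jwt(token, secret)
    if not issuer_matches(claims.get("iss"), api_key):
        raise ValueError("JWT verification failed - apiKey does not match")
    return claims


if __name__ == "__main__":
    # Issuer as observed in the post: trailing slash present.
    token = make_hs256_jwt({"iss": expected_issuer(API_KEY) + "/", "sub": "user-1"}, SECRET)
    iss = verify_hs256_jwt(token, SECRET)["iss"]
    print("strict comparison:", issuer_matches_strict(iss, API_KEY))   # False (the reported bug)
    print("normalised comparison:", issuer_matches(iss, API_KEY))      # True
    print("validated claims:", validate_token(token, SECRET, API_KEY))
```

The quoted SDK snippet only rejects a non-null issuer that differs; this example additionally rejects a token whose `iss` claim is absent, and it strips only one trailing slash so that `.../<apiKey>//` or `.../<apiKey>x` still fail, which is the property a looser `startsWith` comparison would lose.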
