Hi, I tried looking everywhere but I couldn’t find anyone with a similar issue.
I am trying to verify the JWT token signature in my backend; the signature comes from the developer rig.
I got my secret from the backend and I am base64 decoding it, then I try to verify the signature using this library: https://github.com/lcobucci/jwt
Which, other than being recommended by jwt.io, works pretty well; I've been using it for ages in all of my projects.
Code:
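```php
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Hmac\Sha256; // HMAC signer, since a shared secret is used

$token = (new Parser())->parse((string) AccessToken::readFromRequest($request));
$signer = new Sha256();
// Fails
dd($token->verify($signer, base64_decode('mysecret=')));
```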
I have checked with jwt.io and it is not correct (base64 encoded).
I have found threads referencing an issue with the dev rig using the wrong secret (i.e. not the one from the dashboard). Is there any way to verify what secret it is using?
Answering my own question, hoping this will be of help.
The dev rig doesn’t look like it uses the secret from the dashboard.
It uses its own special secret which you can find by going to Project details then scroll down to: Run your back-end service locally with the Developer Rig.
Inside you will find a command, that command has a -s parameter which is the actual secret!
Using that in the backend I was able to verify the signature.
That only applies to that particular Dev Rig example/backend. Not as a “general rule”.
Most of us, when using the dev rig to build our own extensions, don’t pass in the secret via -s, or if we do, we pass in the one from our own Extension. You’ve been tripped up by an example extension!
The thing is that I am not launching my backend from the dev rig; it exists independently. Is there any way to check which secret the rig is actually using? It looks like it’s using that specific token…
I have been trying this for a long while now and I can assure you it’s using an arbitrary secret. I have removed all references to the backend and I still get the wrong signature error unless I use the one I got from the backend command.
Is there any way to debug this issue? Is there a way to console.log what secret the rig is using and especially why?
Is there a way to set a secret in the JSON configuration file?
But I’m not sure, as every extension I have loaded uses the real ExtensionClientID/Secret, but then they are all pointed at real IDs for the Frame Properties.
Also make sure your Rig is up to date (current version is v1.2.1)
Or consider remaking the project in the rig.
Additionally the problem may stem from having selected a template to create a project from rather than starting fresh.
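For the question raised in the thread about which secret a token was actually signed with, the following added example (not part of the original posts, and not code from lcobucci/jwt or the Developer Rig) checks an HS256 token against several base64-encoded candidate secrets. The function names, the labels and the sample secrets and token are assumptions constructed for illustration.

```php
<?php
// Added example (PHP 8.0+). Secrets and token below are constructed sample values.

function b64url_decode(string $s): string|false
{
    $s = strtr($s, '-_', '+/'); // JWTs use the URL-safe base64 alphabet
    return base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

/** Returns the label of the first candidate whose key verifies $jwt, or null. */
function matching_secret(string $jwt, array $candidates): ?string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null; // not a compact JWS
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null; // pin the algorithm instead of trusting the header
    }
    $signature = b64url_decode($sig);
    if ($signature === false) {
        return null;
    }
    foreach ($candidates as $label => $b64Secret) {
        $key = base64_decode($b64Secret, true); // secrets are handed out base64-encoded
        if ($key !== false
            && hash_equals(hash_hmac('sha256', "$h.$p", $key, true), $signature)) {
            return $label; // constant-time comparison matched
        }
    }
    return null;
}

// Constructed demo: a token signed with the second candidate.
$candidates = [
    'dashboard' => base64_encode('constructed-dashboard-secret'),
    'rig -s'    => base64_encode('constructed-rig-secret'),
];
$h = b64url_encode('{"alg":"HS256","typ":"JWT"}');
$p = b64url_encode('{"role":"viewer"}');
$sig = b64url_encode(hash_hmac('sha256', "$h.$p", 'constructed-rig-secret', true));
var_dump(matching_secret("$h.$p.$sig", $candidates));
```

Only the label of the matching candidate is reported, so the secrets themselves never need to be logged.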