Layer7 API Management

Expand all | Collapse all

Decode Out of box generated JWT 

  • 1.  Decode Out of box generated JWT 

    Posted 03-20-2018 12:22 PM

    Hi all, I'm trying to decode out of box generated JWT by an android application.JWT is signed using private key using SHA256withRSA, I'm simply trying to decode it using Decode JWT assertion using the correct public key,but it's not able to verify the same. While comparing with encoded string generated by gateway's Encode JWT assertion i found that the encoded string being sent by application is having some extra special characters[i assume those are padded characters, not sure though]. what flow do i need to follow or what extra assertions i need in place to verify signature and get the payload?




  • 2.  Re: Decode Out of box generated JWT 

    Posted 03-20-2018 01:01 PM
      |   view attached

    Would you be able to provide a sample policy and the JWT?

    I have also attached a small sample here to encode/sign, decode/verify signature that may help you.


    You will need to update the encode/decode assertions to match your keys.





  • 3.  Re: Decode Out of box generated JWT 

    Posted 03-21-2018 04:00 AM

    Hi Joe,

    In my scenario JWT is signed & encoded by Android APP itself, so we're just decoding the received payload which looks like below


    Header: eyJhb......{"Alg":"RS256"}

    Payload: eyJpc3MiOiA.................................................{JSON Payload}

    Signature: tNsz............+oQkJ8............


    If you see above signature, there are few special characters present which might be causing issue, i'm not sure as i tried removing those characters as well. so what i'm stuck at is how to verify the signature part? as mentioned earlier SHA256withRSA is being used by application. My flow goes something as below:



  • 4.  Re: Decode Out of box generated JWT 

    Posted 03-23-2018 11:27 AM

    Are you using MAG for the mobile app? It does not appear to be the case, but want to confirm.

    The value does not look to be base64url encoded, just base64 which seem like it can throw problems for our decode.


    I would make sure the app uses the proper encoding. You may also want to take a look at the SSG log for any errors. Additionally, adding the 'Customize SOAP Fault' assertion and setting to full detail can provide some meaningful feedback through to the user agent.