jsonwebtoken fails to verify valid token

[samuela]

I have a known valid token, verified with https://jwt.io/. Yet, no matter what I do jsonwebtoken declares InvalidSignature. Here's an example:

fn main() {
  let token = "eyJ0e...available privately on request......hbQQ";

  let pem = "-----BEGIN CERTIFICATE-----
MIIC/TCCAeWgAwIBAgIJIayPWv6q6acCMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNV
BAMTEW51dmVtZnMuYXV0aDAuY29tMB4XDTE5MDEyMTAxMTEyNloXDTMyMDkyOTAx
MTEyNlowHDEaMBgGA1UEAxMRbnV2ZW1mcy5hdXRoMC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCvsckLZecpNoAx1nsJRo2h1WyEb2Kc7Guard/j
pxxD7QMjCdOPGtWdoAq2yqKceKGhhojgqFMCBhx/eqeScaAl2Kvf59cl7JWxDVJ+
n9givgQVPy5ZczvimZZMQCwr8F7/IJ2kkTdVR0ytNclVGZqmxzrSiTIev0Hlf09W
JaQipRNI5Yv7yCYv1/P6xXozmdtmO0yjjNEXCY/+T36n8S72XUkX6VfKx09ZkLbT
y9gxyg9X7idnr2Jg93m9RmyO8xay1vQBZxkxM4kKYOlLOGpoulolALfgkf9cR09G
zojQxuBKfROCYVLfHMsN3IiNSs1J40/iPea1r+ZsDiTPrbZdAgMBAAGjQjBAMA8G
A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEBuuLqv76vx3TZ7DIe/Y3pk6MjTMA4G
A1UdDwEB/wQEAwIChDANBgkqhkiG9w0BAQsFAAOCAQEAq3fyyi8Sl92P54gIxOhV
Q5OXet4bhETaW792XgMWhfcG/ppbZwT1krWflDps9BzSfNI7WpPAdreYk+hKSuCu
oNVU0imgha+1SKwxcRbW6Gx9XTn7aTIqP7xxk5uRLO79O5Dhy0d/1YVHpJJK2lKZ
Ridu3W1hbBvXPWgtl4jgYPYmoUcFH/jv0PP4H1ka7rnV6JLtqEBB1naSfYhA3U9s
3VvcS03EPDZIoiNzsiPu4qepVbf/mprxFEztR9HCqHGE+1oBxmt+wjfVRgIDGHcY
rWr2f6rC/AfuqOsPayb4SLQIFujxqJ0nwy3CUrlAlfQvYOnrkMQoccj2nklY86kl
Gw==
-----END CERTIFICATE-----";

  let der = openssl::x509::X509::from_pem(pem.as_bytes())
    .unwrap()
    .to_der()
    .unwrap();

  let decoded = jsonwebtoken::decode::<AccessToken>(
    token,
    &der,
    &jsonwebtoken::Validation {
      algorithms: vec![jsonwebtoken::Algorithm::RS256],
      ..Default::default()
    },
  );

  println!("{:?}", decoded)
}

No matter what jsonwebtoken returns Err(Error(InvalidSignature)). The payload looks like:

{
  "https://hasura.io/jwt/claims": {
    "x-hasura-default-role": "user",
    "x-hasura-allowed-roles": [
      "user"
    ],
    "x-hasura-user-id": "......."
  },
  "iss": "https://nuvemfs.auth0.com/",
  "sub": "google-oauth2|.......",
  "aud": [
    "https://nuvenmfs/api",
    "https://nuvemfs.auth0.com/userinfo"
  ],
  "iat": 1552895641,
  "exp": 1552982041,
  "azp": "......",
  "scope": "openid profile email offline_access"
}

[samuela]

Potentially related to #77 ?

[Keats]

It does look related, closing this to keep things in a single thread.

[ndarilek]

@samuela
samuela Looks like you're doing exactly what I am--writing a Hasura auth webhook to verify an Auth0 JWT. Did you ever make any progress on this? Right now I'm just pasting in static tokens/certificates and am hitting this exact same issue. I don't want to give up and switch to Node if I can avoid it. :) Thanks.

[samuela]

@ndarilek I gave up and switched to node :( I wasn't able to find a satisfactory solution with any of the rust jwt libraries unfortunately. Hoping that this aspect of the ecosystem matures in the future...

[ndarilek]

Gotcha. Thanks for saving me some time.