warning
To ensure proper authentication with Web3Auth, the JWT header must contain the `kid` field and the payload must contain the `iat` field.
When configuring Web3Auth's Custom Authentication, you may encounter JWT errors. Below is a list of these errors and the necessary steps to resolve them.
- Invalid JWT Verifiers ID field
- Error occurred while verifying params could not verify identity
- Failed to verify JWS signature
- Error occurred while verifying params unable to verify jwt token
- Duplicate Token
- Could not get result from torus nodes Duplicate token found
- Expired Token
- Error occurred while verifying params timesigned is more than 1m0s ago
- Mismatch JWT Validation field
- Refresh Tokens?
Invalid JWT Verifiers ID field
Error occurred while verifying params could not verify identity
The "Error occurred while verifying params could not verify identity" error can occur because the `verifierIdField` of `extraLoginOptions` is different from the one you set up during the creation of the verifier (the JWT Verifiers ID field) on the Web3Auth dashboard.
This is the JWT Verifiers ID field on the Verifier Modal of the Web3Auth dashboard.
Make sure it matches the value used in your code:
```js
import { WALLET_ADAPTERS, CHAIN_NAMESPACES } from "@web3auth/base";

await web3auth.connectTo(WALLET_ADAPTERS.OPENLOGIN, {
  loginProvider: "jwt",
  extraLoginOptions: {
    domain: "YOUR-AUTH0-DOMAIN",
    verifierIdField: "sub", // <-- This is the JWT Verifiers ID field; it must match the dashboard.
    response_type: "token",
    scope: "email profile openid",
  },
});
```
Failed to verify JWS signature
Error occurred while verifying params unable to verify jwt token
The "Error occurred while verifying params unable to verify jwt token" error can occur for the following reasons:
- The verifier for your OpenLoginAdapter might be wrong. Check to make sure the `verifier` field is set correctly.
- The JWT is not signed with the correct key (JWK).
- The JWKS endpoint is not reachable or doesn't return the valid JWK that was used to sign the JWT.
- The JWKS endpoint is incorrect on the Web3Auth Dashboard. Double check to confirm the correct JWKS endpoint.
- The JWKS is missing the `kid` field.
- The `kid` present in the JWT header is not present in the JWKS.
Sample JWKS:
```jsonc
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "YOUR-KID", // <-- This is the kid; it must match the kid in the JWT header.
      "n": "YOUR-N",
      "alg": "RS256" // <-- This is the algorithm.
    }
  ]
}
```
Sample JWKS endpoint: https://www.googleapis.com/oauth2/v3/certs
Duplicate token
Could not get result from torus nodes Duplicate token found
Expired token
Error occurred while verifying params timesigned is more than 1m0s ago
warning
Web3Auth accepts only those JWTs whose `iat` is less than the current time and not more than 60s before the current time, regardless of the `exp` field of the JWT.
- In short, the JWT is considered expired if its `iat` is more than 60s in the past relative to the current time.
The "Error occurred while verifying params timesigned is more than 1m0s ago 2022-02-24 13:46:05 +0000 UTC" error could be because:
- The JWT is expired.
- The JWT's `exp` field is less than the current time.
- The JWT's `iat` field is more than 60s in the past relative to the current time.
Mismatch JWT Validation field
This error occurs when a validation field in the JWT does not match the validation field entered during the creation of the verifier on the Web3Auth dashboard.
- This is the JWT Validation field on the Verifier Modal of the Web3Auth configuration.
- Make sure these fields are present in the JWT payload and that their values match what was entered on the dashboard.
Looking for Refresh Tokens?
A Refresh Token is a unique token that is used to obtain additional access tokens from an Authentication Service Provider. With Web3Auth, we verify the validity of the id_token and compare its payload value to the JWKS provided by either the Auth provider or your custom JWKS. With a Refresh Token, one can get a new id_token, and that id_token will be passed to Web3Auth, essentially making another login request.
What problem does the Refresh Token solve?
It enables users to maintain longer authentication sessions without the need for constant re-login. Although we do not support Refresh Tokens to maintain longer sessions, we do offer session management. The Session Management feature allows checking and maintaining existing sessions with Web3Auth.
During login with Web3Auth, pass the `sessionTime` parameter. It will allow users to stay authenticated with Web3Auth for up to 1 day by default or a maximum of 7 days, until they log out or their session data is cleared.