Description
Unable to verify JWT signature with app Client Secret
Error?
Signature verification failed
How To Reproduce 1. Create a Zoom app 2. After authorizing the app, get an access token from https://zoom.us/oauth/token with the authorization code 2. Verify the signature of the received token with the app Client Secret 3. Signature verification fails
Notes:
The Client Secret is 32 bytes long
The access tokens are signed with the HS512 algorithm
The keys of the HS512 algorithm are 64 bytes long
Are the keys derived from the Client Secret? How should we verify the signature of an access token?
Disclaimer: I don’t need to validate the tokens anymore, since I found another way for solving my problem, I don’t use JWT tokens from Zoom anymore.
But for future reference, I’ll try to explain:
It’s not unusual to use a signed JWT (for example, an ID token) to attribute a 3rd party user (identified by the ID token) in an internal system. For example, the signature of ID tokens signed by Microsoft can be verified via their public OpenID configuration document (see Microsoft docs on OpenID Connect on the Microsoft identity platform)
After validating the token signature, sub or any other property of the token could be used for user attribution. I don’t think I have to explain why validation is crucial when processing third party tokens in this manner.
I do understand that these tokens are usually used on Zoom APIs, where they are validated by Zoom itself, which is perfectly fine. But it would be great if we could tell that a JWT was signed by Zoom or not.
