JWT Access token signature verification

API Endpoint(s) and/or Zoom API Event(s)
https://zoom.us/oauth/token

Description
Unable to verify JWT signature with app Client Secret

Error?
Signature verification failed

How To Reproduce
1. Create a Zoom app
2. After authorizing the app, get an access token from https://zoom.us/oauth/token with the authorization code
3. Verify the signature of the received token with the app Client Secret
4. Signature verification fails

Notes:
The Client Secret is 32 bytes long
The access tokens are signed with the HS512 algorithm
The keys of the HS512 algorithm are 64 bytes long
Are the keys derived from the Client Secret? How should we verify the signature of an access token?

Thanks in advance.
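The check the question describes (an HS512 JWS verified with a shared secret), as an added example that is not part of the original post or of any Zoom SDK: it signs a constructed token with a constructed 64-byte key, then shows that verifying with a different 32-byte "client secret" yields exactly the "Signature verification failed" outcome, and that the verifier pins `alg` so a token cannot switch algorithms. Whether or not Zoom derives its signing key from the Client Secret is not known from this thread; the keys below are placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, key: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA512)."""
    header = b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs512(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS512 signature is valid for `key`, else None.
    The header's alg is pinned to HS512 so the token cannot downgrade to 'none'
    or make the verifier use a different algorithm."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # "Signature verification failed"
    return json.loads(b64url_decode(payload_b64))


# Constructed placeholders, not Zoom values: a 64-byte HS512 signing key and an
# unrelated 32-byte "client secret" of the length the question mentions.
SIGNING_KEY = bytes(range(64))
CLIENT_SECRET = bytes(range(32))
TOKEN = sign_hs512({"sub": "user-123", "iss": "constructed-issuer"}, SIGNING_KEY)
```

Verifying `TOKEN` with `SIGNING_KEY` returns the claims; verifying it with `CLIENT_SECRET` returns None, which is the failure the reproduction steps describe.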

Hi @Ferenc,
welcome to the community.
Check out some of the YouTube videos; there was a series last September that covered this. An example is this

all the best

John


Hi @Ferenc
Can you please share with us what signature you are talking about that you are trying to verify?

Disclaimer: I don’t need to validate the tokens anymore, since I found another way for solving my problem, I don’t use JWT tokens from Zoom anymore.

But for future reference, I’ll try to explain:

It’s not unusual to use a signed JWT (for example, an ID token) to attribute a third-party user (identified by the ID token) in an internal system. For example, the signature of ID tokens signed by Microsoft can be verified via their public OpenID configuration document (see Microsoft docs on OpenID Connect on the Microsoft identity platform).

After validating the token signature, sub or any other property of the token could be used for user attribution. I don’t think I have to explain why validation is crucial when processing third-party tokens in this manner.

I do understand that these tokens are usually used on Zoom APIs, where they are validated by Zoom itself, which is perfectly fine. But it would be great if we could tell whether a JWT was signed by Zoom or not.
