Description
I set up an OAuth application for testing and now I'm able to receive an access_token.
I see that it is a signed JWT. Where can I find the key to verify the signature?
Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth
Hey @vatuska, thanks for posting and using Zoom!
What do you need to verify the access_token for?
Thanks,
Tommy
Hey, I need to retrieve some claims and the jjwt library complains that I am ignoring the signature.
I can split the token, base64-decode the middle part and deserialize the JSON manually; however, it is good practice to verify the signature of signed tokens.
Hey @vatuska,
Have you tried JWT Decoding the access_token to get the signature?
Here is a related post:
Thanks,
Tommy
Yes, it decodes the claims and the header; however, it expects me to know what the secret variable is to verify the signature. When I put my token there, it also complains that the signature is invalid, because the “your-256-bit-secret” value is used as the secret by default.
I need to decode the token on the side of my endpoint (which I use as the redirect_uri in the OAuth application) to recognize whether this user has logged in previously or not.
If I use the library in my code to decode the JWT, it expects that I know the key to validate the signature, and I don't actually.
Did you discover an answer to this? I have the same question.
Where do I find my secret key?
The signing algorithm for the access tokens I get from Zoom is HS512. As I understand it, that means the secret key used to verify the tokens is at least 64 bytes long.
The only “secret” that I know about is my OAuth app’s client secret, which is a 32-character string. I tried repeating that string twice and taking the ascii bytes of the result, giving me 64 bytes to try as a secret key, but that didn’t appear to be the correct key.
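As an added example (not code from this thread or from Zoom), the check described in the post above can be done with the Python standard library alone: split the token, recompute HMAC-SHA512 over `header.payload` with a candidate key, and compare in constant time. It also pins the expected algorithm instead of trusting the header's `alg`, which is the caveat a verifier must get right. The key, the 32-character "client secret", the claims and the helper names (`verify_hs512`, `find_key`, `demo_candidates`) are all constructed for the demo and are not Zoom's values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Decode header and claims WITHOUT checking the signature.

    This is the 'split the token and base64-decode the middle part' approach
    from the thread: fine for reading claims, never a basis for trust.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def hs512_sign(header: dict, claims: dict, key: bytes) -> str:
    """Build an HS512 JWT; used here only to manufacture a demo token with a known key."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs512(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA512 over 'header.payload' with the candidate key.

    The algorithm is pinned to HS512 and the header's alg is checked against it
    rather than used to pick the algorithm, so an 'alg: none' token or an
    asymmetric-to-HMAC confusion cannot pass. Comparison is constant time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def find_key(token: str, candidates: dict) -> Optional[str]:
    """Try each labelled candidate key and return the label of the first that verifies."""
    for label, key in candidates.items():
        if verify_hs512(token, key):
            return label
    return None


def demo_candidates(client_secret: str) -> dict:
    """Derivations of a client secret one might try as the HS512 key (assumed, not Zoom's scheme)."""
    return {
        "client_secret": client_secret.encode(),
        "client_secret_doubled": (client_secret * 2).encode(),  # the 64-byte attempt from the thread
        "client_secret_sha512": hashlib.sha512(client_secret.encode()).digest(),
    }


# Constructed demo values: a made-up 64-byte signing key and a made-up 32-character client secret.
DEMO_KEY = bytes(range(64))
DEMO_CLIENT_SECRET = "abcdefghijklmnopqrstuvwxyz012345"
DEMO_TOKEN = hs512_sign({"alg": "HS512", "typ": "JWT"}, {"uid": "u123", "aud": "demo"}, DEMO_KEY)

if __name__ == "__main__":
    print("claims (unverified):", decode_unverified(DEMO_TOKEN)[1])
    print("verifies with real key:", verify_hs512(DEMO_TOKEN, DEMO_KEY))
    print("matching candidate from client secret:", find_key(DEMO_TOKEN, demo_candidates(DEMO_CLIENT_SECRET)))
```

Running it shows the claims can be read without the key, the token verifies only under the real 64-byte key, and none of the client-secret derivations match, which is the outcome the post above reports. Swap `DEMO_TOKEN` for a real token and the candidate dict for the derivations you want to test; if `find_key` returns `None` for all of them, the signing key is simply not derivable from what you hold.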
Hey @mhixson,
It would be the secret key in your app.
If that is not it, we won’t reveal what the key is.
Thanks,
Tommy
Hey @tommy, the app secret key is not the HS512 key.
It would be nice if Zoom used an asymmetric algorithm, as Google, for example, does.
They have the list of public certificates https://www.googleapis.com/oauth2/v3/certs
And when I need to verify their JWT id_token
I'd also appreciate it if we could verify the JWT signature.
Hey @pavol.slido,
You can verify the JWT token because it is generated by you. Can you elaborate more?
Thanks,
Tommy