OAuth access_token signature verification

vatuska · February 5, 2020, 4:10pm

Description
I setup OAuth application for testing and now I’m able to receive access_token
I see that it is signed JWT, where can I find the key to verify the signature?

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

tommy · February 5, 2020, 5:34pm

Hey @vatuska, thanks for posting and using Zoom!

What do you need to verify the access_token for?

Thanks,
Tommy

vatuska · February 5, 2020, 5:49pm

Hey, I need to retrieve some claims and the jjwt library complaints that I ignore the signature,
I can split the token and base64 decode the middle part and deserialize the json manually, however it is kind of a good practice to verify the signature of signed tokens

tommy · February 5, 2020, 6:01pm

Hey @vatuska,

Have you tried JWT Decoding the access_token to get the signature?

Here is a related post:

Thanks,
Tommy

vatuska · February 5, 2020, 6:43pm

Yes, it decodes claims and the header, however, it expects me to know what the secret variable is to verify the signature, when I put my token there, it also complains that the signature is invalid, because there is “your-256-bit-secret” secret value used by default

I need to decode the token on the side of my endpoint (which I use as redirect_uri in OAuth application) to recognize whether this user logged in previously or not.
If I use the library in my code to decode JWT it expects that I know the key to validate the signature and I don’t actually.

tommy · February 5, 2020, 9:07pm

I see @vatuska.

Let me get back to you on how to verify the signature. (ZOOM-136554)

Thanks,
Tommy

mhixson · March 31, 2020, 9:03pm

Did you discover an answer to this? I have the same question.

tommy · April 1, 2020, 6:59am

Hey @mhixson,

I believe the key is your secret key.

Thanks,
Tommy

mhixson · April 1, 2020, 8:00pm

Where do I find my secret key?

The signing algorithm for the access tokens I get from Zoom is HS512. As I understand it, that means the secret key used to verify the tokens is at least 64 bytes long.

The only “secret” that I know about is my OAuth app’s client secret, which is a 32-character string. I tried repeating that string twice and taking the ascii bytes of the result, giving me 64 bytes to try as a secret key, but that didn’t appear to be the correct key.

tommy · April 2, 2020, 6:31am

Hey @mhixson,

It would be the secret key in your app.

If that is not it, we won’t reveal what the key is.

Thanks,
Tommy

vatuska · April 9, 2020, 12:15pm

Hey @tommy, the app secret key is not the HS512 key.

It would be nice if Zoom used any asymmetric algorithm like Google, f.e., does.
They have the list of public certificates https://www.googleapis.com/oauth2/v3/certs
And when I need to verify their JWT id_token

I have the “kid” header in the token
I use the corresponding public certificate to verify the signature
I don’t need to know the private key, which Google uses to sign JWT.

tommy · April 10, 2020, 7:00am

Hey @vatuska,

I will bring this up to the team for discussion.

Thanks,
Tommy

pavol.slido · April 16, 2020, 7:56pm

I’d also appreciate, if we could verify the JWT signature.

tommy · April 17, 2020, 7:51pm

Hey @pavol.slido,

You can verify the JWT token because it is generated by you. Can you elaborate more?

Thanks,
Tommy

Topic		Replies	Views
Verifying access token signature API and Webhooks	2	464	February 23, 2023
Jwt Token Validation API and Webhooks	4	965	August 21, 2020
Token signature invalid API and Webhooks	4	2030	August 10, 2018
Validating access JWT signature Authentication jwt	3	660	February 24, 2023
The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256 javascript API and Webhooks	2	724	February 8, 2021

OAuth access_token signature verification

Related Topics