OAuth access_token signature verification

Description
I set up an OAuth application for testing and now I’m able to receive an access_token.
I see that it is a signed JWT. Where can I find the key to verify the signature?

Which App Type (OAuth / Chatbot / JWT / Webhook)?
OAuth

Hey @vatuska, thanks for posting and using Zoom!

What do you need to verify the access_token for?

Thanks,
Tommy

Hey, I need to retrieve some claims, and the jjwt library complains that I ignore the signature.
I can split the token and base64 decode the middle part and deserialize the json manually, however it is kind of a good practice to verify the signature of signed tokens :slight_smile:

Hey @vatuska,

Have you tried JWT Decoding the access_token to get the signature?

Here is a related post:

Thanks,
Tommy

Yes, it decodes the claims and the header; however, it expects me to know what the secret variable is to verify the signature. When I put my token there, it also complains that the signature is invalid, because the “your-256-bit-secret” secret value is used by default.

I need to decode the token on the side of my endpoint (which I use as redirect_uri in OAuth application) to recognize whether this user logged in previously or not.
If I use the library in my code to decode JWT it expects that I know the key to validate the signature and I don’t actually.

I see @vatuska.

Let me get back to you on how to verify the signature. (ZOOM-136554)

Thanks,
Tommy

Did you discover an answer to this? I have the same question.

Hey @mhixson,

I believe the key is your secret key.

Thanks,
Tommy

Where do I find my secret key?

The signing algorithm for the access tokens I get from Zoom is HS512. As I understand it, that means the secret key used to verify the tokens is at least 64 bytes long.

The only “secret” that I know about is my OAuth app’s client secret, which is a 32-character string. I tried repeating that string twice and taking the ascii bytes of the result, giving me 64 bytes to try as a secret key, but that didn’t appear to be the correct key.

Hey @mhixson,

It would be the secret key in your app.

If that is not it, we won’t reveal what the key is.

Thanks,
Tommy

Hey @tommy, the app secret key is not the HS512 key.

It would be nice if Zoom used an asymmetric algorithm, as Google, for example, does.
They have the list of public certificates at https://www.googleapis.com/oauth2/v3/certs
And when I need to verify their JWT id_token:

  1. I have the “kid” header in the token
  2. I use the corresponding public certificate to verify the signature
  3. I don’t need to know the private key, which Google uses to sign JWT.
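
The point this thread turns on, as an added example that is not part of the original posts and is not Zoom's code: an HS512 signature is an HMAC-SHA-512 over the first two token segments, so only a holder of the issuer's key can check it. The issuer key, the 32-character client secret and the claims below are constructed sample values, and the function names are illustrative.

```python
import base64, hashlib, hmac, json

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs512(claims: dict, key: bytes) -> str:
    """Issuer side; present only so the sample token can be built offline."""
    parts = ({"alg": "HS512", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_hs512(token: str, key: bytes) -> dict:
    """Return the claims only if the HMAC-SHA-512 signature matches `key`."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body_b64))

def is_valid(token: str, key: bytes) -> bool:
    try:
        verify_hs512(token, key)
        return True
    except ValueError:
        return False

# Constructed sample values, not real Zoom keys or tokens.
ISSUER_KEY = bytes(range(64))                       # known only to the issuer
CLIENT_SECRET = "0123456789abcdef0123456789abcdef"  # 32-character stand-in
TOKEN = sign_hs512({"uid": "sample-user", "aud": "sample-app"}, ISSUER_KEY)

if __name__ == "__main__":
    print(is_valid(TOKEN, ISSUER_KEY))                    # issuer's key
    print(is_valid(TOKEN, (CLIENT_SECRET * 2).encode()))  # doubled client secret
```

Without the issuer's key the middle segment can still be base64url-decoded and read, but those claims are unauthenticated input until a signature check like the one above succeeds.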