WeakKeyException when trying to retreive JWT Token

Description
I am trying to write Java code (to be run on the server side) to get the JWT token programatically. I have a JWT App with API Key and secret from the same. When running the code, I get an exception

Error
The full error message or issue you are running into.
Exception in thread “main” io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 80 bits which is not secure enough for any JWT HMAC-SHA algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
at io.jsonwebtoken.security.Keys.hmacShaKeyFor(Keys.java:96)

Which App Type (OAuth / Chatbot / JWT / Webhook)?
JWT

Which Endpoint/s?
Not yet got there

How To Reproduce (If applicable)
private** void createJWTToken() {
Map<String, Object> header = new HashMap<>();
header.put(“alg”, “HS256”);
header.put(“type”, “JWT”);
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm. HS256 ;
SecretKey key = Keys. hmacShaKeyFor (“SECRET_KEY”.getBytes(StandardCharsets. UTF_8 ));
String jwt = null ;
jwt = Jwts. builder ()
.setHeader(header)
.setIssuer( API_KEY )
.setExpiration( new Date( new Date().getTime()+80000000))
.signWith(key, signatureAlgorithm).compact();
System. out .println(jwt);
}

Screenshots (If applicable)
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Modified code to
@SuppressWarnings(“deprecation”)

private void createJWTToken() {

SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm. HS256 ;

//SecretKey key = Keys.hmacShaKeyFor(SECRET_KEY.getBytes(StandardCharsets.UTF_8));

String jwt = null ;

try {

jwt = Jwts. builder ()

.setHeaderParam(“typ”, “JWT”)

.setIssuer( API_KEY )

.setExpiration( new Date( new Date().getTime()+80000000))

//.signWith(key, signatureAlgorithm)

.signWith(signatureAlgorithm, SECRET_KEY .getBytes(“UTF-8”))

.compact();

} catch (InvalidKeyException | UnsupportedEncodingException e) {

e.printStackTrace();

}

System. out .println(jwt);

}

and now getting
Exception in thread “main” java.lang.AbstractMethodError: io.jsonwebtoken.impl.DefaultJwtBuilder.signWith(Ljava/security/Key;Lio/jsonwebtoken/SignatureAlgorithm;)Lio/jsonwebtoken/JwtBuilder;

Used oracle.security.restsec.jwt.JwtToken and it works fine.

1 Like

Happy to hear you got it working @ajay.prabhakaran! :slight_smile:

Thanks,
Tommy