Leonxx

10/07/2022, 8:52 AM
Hello, guys. I have a question about microservice JWT verification. Been following through the docs but still didn't understand.

porcellus

10/07/2022, 8:53 AM
hi. ask away 🙂

Leonxx

10/07/2022, 8:55 AM
This is from your docs.
my question is it can be used.
jwt should be taken from headers?

porcellus

10/07/2022, 8:58 AM
The most straightforward way to do machine-to-machine auth is the authorization header I'd say.
just to clarify: this is between two of your microservices?

Leonxx

10/07/2022, 9:01 AM
yes.

porcellus

10/07/2022, 9:01 AM
So yeah, I'd use an authorization header to transfer this token between them.

Leonxx

10/07/2022, 9:06 AM
yes I understand that. give me a sec I will try something
I send a request from the UI. I receive data and forward this request with a generated JWT token to the MS. I receive this JWT and I have trouble with verifying it.
Those are the headers that I receive on the MS

porcellus

10/07/2022, 10:09 AM
how are you sending/parsing this header? I'm just guessing but you might be missing a base 64 decode while parsing it.

Leonxx

10/07/2022, 10:10 AM
there is nothing said about base 64
jwt I should get from headers.authorization right?

porcellus

10/07/2022, 10:12 AM
sure, but the authorization header in your screenshot looks like it has been base 64 encoded

Leonxx

10/07/2022, 10:13 AM
I'm using your library and nothing more

porcellus

10/07/2022, 10:14 AM
can you show me how you make the call to the other microservice?
or how you are adding the authorization header?
oh I see. the screenshot was just cut off weirdly and I missed "."s
what goes wrong while verifying it?
also, you can copy and paste the token into jwt.io to check

Leonxx

10/07/2022, 10:24 AM
token is not valid
token generated by createJWT is not valid in jwt.io

porcellus

10/07/2022, 10:25 AM
hmm, could you paste the token here?

Leonxx

10/07/2022, 10:26 AM
eyJraWQiOiI0NTg5NDcxYS1lMDQ1LTQ3ZGQtOGY3NC1lNjFlNDNkOTVmODEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJkYXRhIjoic2RmIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwic291cmNlIjoibWljcm9zZXJ2aWNlIiwiZXhwIjo0ODE4NzM4MzczLCJpYXQiOjE2NjUxMzgzNzJ9.EgOymmM2uuaSIe09P6jAWIaI6Pg6M1mvF8KF1XqKN0_MpF3ZdTbKB_5KoQtYrQqX567x-Xqu55IAgRhyA9RC0XD3aXekOkRW5TsnCq1dK_xPKK-pdVGpNtAgSDMdj99worepk8qIBKQYkU68RG_DauGbCUDzRFV4Rb-dk6xObFv0GxEcIU3pMz45ynPqIWZwexIWy2i-W7flUdq-AYugzoZlR_qGLnjnvQkrQIi8UTiadsTQFUfCwJYODKsuT0Rqz9o2qJ7ghFf9IcxqJX7A-8EdsIKj1r2K5RMGtPyOr4PyZ4oQpJdaJTAdTT_i0hcY7fQJTO8OQ6MI7g2bg1hSdQ

porcellus

10/07/2022, 10:27 AM
pasting this seems to be working for me
I mean they can't check the signature of course, because they'd need the jwks endpoint of backend to do that.

Leonxx

10/07/2022, 10:29 AM
So it should be invalid then?

porcellus

10/07/2022, 10:29 AM
the signature checking won't work on jwt.io if you don't copy/paste your keys, that's correct. but on the right you should be able to see your data decoded.

Leonxx

10/07/2022, 10:30 AM
yes that I saw

porcellus

10/07/2022, 10:30 AM
what goes wrong/what exception are you getting while verifying the token?
can you also show how you are doing that?
right, so please try and log the value of the jwt before calling verify.
what I think you'll find is that you didn't cut off the "Bearer " prefix

Leonxx

10/07/2022, 10:34 AM
nope I didn't
but in this case should I send this prefix?
p

porcellus

10/07/2022, 10:34 AM
that's the standard way of doing it. but you don't really need it.
it's between your own microservices... so it's your call.

Leonxx

10/07/2022, 10:37 AM
Ok, it does work

porcellus

10/07/2022, 10:38 AM
great 🙂

Leonxx

10/07/2022, 10:40 AM
so it will be cool if you add that to your docs that users don't need to use bearer or the need to cut off that or just include some function that will cut off that bearer for the user
Overall I am still learning supertokens and I'm pretty happy about that. But docs sometimes are not straightforward

porcellus

10/07/2022, 10:41 AM
any feedback and suggestions are welcome 🙂
I'm not sure where we'd add this advice, since we never recommend adding the bearer prefix (or offer advice on how you can transport this between microservices I think)
ooh, right. I was looking at the main jwt docs, not the microservice specific ones. I thought the search function worked across these recipes
I'll open an issue about this in our docs repo or you can open one as well if you'd like to track this 🙂