Realm JWT - "signature is invalid"

Eric_Stimpson · June 24, 2021, 5:33pm

I’m struggling to get JWT authentication working in Realm following the documentation. I’ve gone through all of the steps in the guide, but I persistently get “signature is invalid”. With no other information available in the log, I’m not sure how to trouble shoot. I’m using jwt.io to generate the JWT with the following header and payload:

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
   "sub": "1234567890",
   "name": "Caleb",
   "iat": 1624553318,
   "exp": 1648849420,
   "aud": "fx-realm-jclla"
}

The Verify Signature is set as follows:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  [secret]
)

and the checkbox “secret base64 encoded” is checked.

I generated the secret using keygen.io and chose the SHA 256-bit Key (previously tried the WEP 256-bit key with identical results).

I then enabled custom JWT authentication in the realm and deployed.

I’m testing using Postman. The CURL version of the request looks like this:

curl --location --request GET 'https://us-east-1.aws.realm.mongodb.com/api/client/v2.0/app/.../graphql' \

--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsI...' \

--header 'Content-Type: application/json' \

--data-raw '{"query":"query {\r\n  salesOrder {\r\n    _id\r\n\t\torderLine {\r\n\t\t  id\r\n\t\t}\r\n\t\torderNumber\r\n  }\r\n}","variables":{}}'

Eric_Stimpson · June 28, 2021, 5:33pm

The issue I was having was related to the call being made with “secret base64 encoded” turned on. It apparently must be false. The docs indicate that this box should be checked, but it doesn’t work with this box checked.

Set up JWT Authentication with MongoDB Realm — MongoDB Realm