I have to create a JWS signature and the JOSE header has to look like this:
    {
        "alg": "HS256",
        "kid": "V3vEe66RJm85eD72",
        "b64": false,
        "http://openbanking.org.uk/iat": 1501497671,
        "http://openbanking.org.uk/iss": "C=UK, ST=England, L=London, O=Acme Ltd.",
        "crit": ["b64", "http://openbanking.org.uk/iat", "http://openbanking.org.uk/iss"]
    }
Where do I have to put this header on the jwt.io website, or does someone know other good sites for creating a JWS signature? The problem is that when I replace the default header in jwt.io with the header type provided by the documentation, jwt.io says "Invalid Signature" at the bottom. Why?
You can add the header into the "HEADER" section in the right column of the jwt.io debugger.
Then you add a secret in the field under "VERIFY SIGNATURE" and get a token. Your JOSE header contains a crit claim, which leads to an "Invalid Signature":
The signature itself is fine; it's just the crit claim that causes an invalid signature error. As soon as you have a crit claim with a non-empty list, the verification fails on jwt.io.
You can verify the resulting token (created with the secret "secret") on https://www.jsonwebtoken.io/ and see that it can be verified. This website seems not to care about the crit header and checks only based on the hashing. (Note: this website doesn't show the correct header and payload of your token after decoding.)
Generally you should not take these online tools too seriously. They're meant for testing and educational purposes, but not as a production tool.
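As an added example (not part of the answer above and not code from either website): signing and verifying locally with the header from the question, showing the two rules that matter here. RFC 7797 signs the payload unencoded when "b64" is false, and RFC 7515 requires a verifier to reject any "crit" entry it does not understand. The function names, the detached serialization and the sample payload are assumptions; the secret "secret" is the one used in the answer.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# JOSE header from the question.
HEADER = {
    "alg": "HS256", "kid": "V3vEe66RJm85eD72", "b64": False,
    "http://openbanking.org.uk/iat": 1501497671,
    "http://openbanking.org.uk/iss": "C=UK, ST=England, L=London, O=Acme Ltd.",
    "crit": ["b64", "http://openbanking.org.uk/iat", "http://openbanking.org.uk/iss"],
}

def signing_input(protected: str, header: dict, payload: bytes) -> bytes:
    # RFC 7797: with "b64": false the payload is signed as-is, not base64url-encoded.
    body = payload if header.get("b64", True) is False else b64url(payload).encode()
    return protected.encode("ascii") + b"." + body

def sign_detached(header: dict, payload: bytes, secret: bytes) -> str:
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    mac = hmac.new(secret, signing_input(protected, header, payload), hashlib.sha256)
    return f"{protected}..{b64url(mac.digest())}"  # empty middle part: detached payload

def verify_detached(jws: str, payload: bytes, secret: bytes, understood=frozenset()) -> bool:
    protected, middle, signature = jws.split(".")
    if middle:
        raise ValueError("expected a detached payload")
    header = json.loads(b64url_decode(protected))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    crit = header.get("crit")
    if crit is not None:
        # RFC 7515 section 4.1.11: "crit" must be a non-empty list, and every
        # name in it must be present in the header and understood by the verifier.
        if not isinstance(crit, list) or not crit:
            raise ValueError("malformed crit")
        unknown = [n for n in crit if n not in understood or n not in header]
        if unknown:
            raise ValueError(f"unsupported critical header(s): {unknown}")
    mac = hmac.new(secret, signing_input(protected, header, payload), hashlib.sha256)
    return hmac.compare_digest(mac.digest(), b64url_decode(signature))

if __name__ == "__main__":
    payload = b'{"amount":"10.00"}'  # constructed sample payload
    token = sign_detached(HEADER, payload, b"secret")
    print(verify_detached(token, payload, b"secret", understood=set(HEADER["crit"])))
```

A verifier called without the `understood` set rejects this token before checking the HMAC, even though the HMAC is valid, which is the behaviour a conforming implementation shows for critical headers it does not implement.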