warning
To ensure proper authentication with Web3Auth, it is necessary for the JWT header to have the kidfield, while the payload data should have the iat field.
When configuring Web3Auth's Custom Authentication, you may encounter JWT errors. Below is a list ofthese errors and the necessary steps to resolve them.
- Invalid JWT Verifiers ID field
- Error occurred while verifying params could not verify identity
- Failed to verify JWS signature
- Error occurred while verifying params unable to verify jwt token
- Duplicate Token
- Could not get result from torus nodes Duplicate token found
- Expired Token
- Error occurred while verifying paramstimesigned is more than 1m0s ago
- Mismatch JWT Validation field
- Refresh Tokens?
Invalid JWT Verifiers ID field.
Error occurred while verifying params could not verify identity
"Error occurred while verifying params could not verify identity" error could be because theverifierIdField of extraLoginOptions is different from the one you have set up during thecreation of Verifiers (JWT Verifiers ID) on the Web3Auth dashboard.
This is the
JWT Verifiers IDfield on theVerifier Modalof the Web3Auth dashboard.See AlsoInsecure JSON Web Tokens | The Hacker RecipesThe criticisms of JWT seem to fall into two categories: (1) Criticizing vulnerab...JWT vs PASETO: New Era of Token-Based AuthenticationTop 10 JSON Web Token (JWT) Weaknesses | SecOps® Solution
Make sure, this matched with your code.
import { WALLET_ADAPTERS, CHAIN_NAMESPACES } from "@web3auth/base";
await web3auth.connectTo(WALLET_ADAPTERS.OPENLOGIN, {
loginProvider: "jwt",
extraLoginOptions: {
domain: "YOUR-AUTH0-DOMAIN",
verifierIdField: "sub", // <-- This is the JWT Verifiers ID field.
response_type: "token",
scope: "email profile openid",
},
});
Failed to verify JWS signature.
Error occurred while verifying params unable to verify jwt token
"Error occurred while verifying params unable to verify jwt token" error could be because of thefollowing reasons:
- The verifier for your OpenLoginAdapter might be wrong. Check to make sure the
verifierfield isset correctly. - The JWT is not signed with the correct key(JWK).
- The JWKS endpoint is not reachable or doesn't return a valid JWK that was used to sign the JWT.
- The JWKS endpoint is incorrect on the Web3Auth Dashboard. Double check to confirm the correct JWKSendpoint.
- The JWKS is missing the
kidfield. - The
kidpresent in the JWT header is not present in the JWKS.
sample jwks:
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "YOUR-KID", // <-- This is the kid.
"n": "YOUR-N",
"alg": "RS256" // <-- This is the algorithm.
}
]
}
sample jwks endpoint: https://www.googleapis.com/oauth2/v3/certs
Duplicate token
Could not get result from torus nodes Duplicate token found
"Could not get result from torus nodes Duplicate token found" error is thrown when the JWT is senttwice in the same request.
await web3auth.connectTo(WALLET_ADAPTERS.OPENLOGIN, {
loginProvider: "jwt",
extraLoginOptions: {
id_token: "ID_TOKEN", // <-- JWT should be unique for each request.
verifierIdField: "sub",
},
});
Expired token
Error occurred while verifying paramstimesigned is more than 1m0s ago
warning
Web3Auth accepts only those JWTs whose iat is less than the current time and is not greater than60s from current time. Regardless of the exp field of the JWT.
- In short, the JWT is considered expired if the
iatis greater than60sfrom current time.
"Error occurred while verifying paramstimesigned is more than 1m0s ago 2022-02-24 13:46:05 +0000UTC" error could be because:
- JWT is expired.
- The JWT's
expfield is less than the current time. - The JWT's
iatfield is greater than60sfrom current time.
Mismatch JWT Validation field
This error occurred when the validation field in the JWT is not matching with the validation fieldentered during the creation of Verifiers on the Web3Auth dashboard.
- This is the
JWT Validationfield on theVerifier Modalof the Web3Auth configuration. - Make sure, these fields are present in the JWT Payload and matches with the JWT.
Looking for Refresh Tokens?
A Refresh Token is a unique token that is used to obtain additional access tokens from anAuthentication Service Provider. With Web3Auth, we verify the validity of the id_token andcompare its payload value to the JWKS provided by either the Auth provider or your custom JWKS. Andwith Refresh Token, one can get a new id_token. And that id_token will be passed to Web3Auth,essentially making another login request.
What problem does the Refresh Token solve?
It enables users to maintain longer authentication sessions without the need for constant re-login.Although we do not support Refresh Tokens to maintain longer sessions, we do offer sessionmanagement. The Session Management feature allows checking and maintaining existing sessionswith Web3Auth.
During login with Web3Auth, pass the sessionTime parameter. It will allow users to stayauthenticated with Web3Auth for up to 1 day by default or a maximum of 7 days until they log outor their session data is cleared.
