What is the cause of the "JWT validation failed: BAD_FORMAT" error?


AL

Apr 18, 2017, 2:20:14 PM
to Google Cloud Endpoints
I am configuring Cloud Endpoints to perform custom user validation according to the instructions below:


In the security definition, x-google-jwks_uri points to a URL that returns a list of public keys in the following format:

{
  "keys": [
    {
      "alg": "RS256", 
      "e": "AQAB", 
      "kid": "MTQ5MjQ3MjcwMQ==", 
      "kty": "RSA", 
      "n": "nYRk5xM6VKyXnoUO4B0VS7tsc58vq0A04BTKl1XqO00NEJVdMCD_g8xt7dnldBsKV4FbiOZ_q1PHSj3BxPwxxD1tEtxYHZFFaY4uWfya1TZz-SJC-1V0u68cQaIbeCTQjupdGsd0dQGm3hmedB32zXNxwRJ_8tZw_HpV_YOB4JmZ8hQFTPQ5xQNAmuGlLf8xqEMeY2CC7dnKQvZoaZkbbOerLXsoCyKX9ZFK7gdBJJ_U_YD0s3dpGeAm_DcRfhzcoYh35rdDQyFb0lCqUSLHPyklAnB-__G7mdfVUQSwwA-7UV-jgeU5N_rgLWd-eko-QtNuFU8mSDKHkDpAPow2PQ", 
      "use": "sig"
    }, 
    ...
  ]
}

I am getting the following response from Endpoints.

{ "code": 16, "message": "JWT validation failed: BAD_FORMAT", "details": [ { "@type": "type.googleapis.com/google.rpc.DebugInfo", "stackEntries": [], "detail": "auth" } ] }

Checking the nginx.response log in Stackdriver reveals that the returned HTTP status code is 401 for the GET request.

I am able to decode the JWT using jwt.io. How can I find out more information about the error and the fixes? Thanks. 

Sarvani Vakkalanka

Apr 18, 2017, 3:22:11 PM
to AL, Google Cloud Endpoints
When you decode your JWT are you able to see the following claims in the payload: "iss", "aud", "sub"?

Thanks,
Sarvani

--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endpoints+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/dcf05ef8-d5a0-429d-a9d5-a9f602412259%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




AL

Apr 18, 2017, 3:33:53 PM
to Google Cloud Endpoints, zl...@slb.com
The JWT token has the following payload. It's missing "sub". Is that a problem?

  "iss": "xxx",
  "userid": "xxx",
  "authz": "",
  "client": "xxx",
  "exp": "1492619831",
  "iat": "1492533431",
  "provider": "xxx",
  "aud": "xxx",
  "email": "xxx"

Sarvani Vakkalanka

Apr 18, 2017, 3:46:07 PM
to AL, Google Cloud Endpoints
Yes. ESP requires that the sub claim be present in the JWT token.

Thanks,
Sarvani


AL

Apr 18, 2017, 4:03:29 PM
to Google Cloud Endpoints, zl...@slb.com
I see. Does "sub" need to match any of the attributes in the security declaration? For example, it seems that "iss" matches x-google-issuer, and "aud" matches one of the comma-delimited names declared in "x-google-audiences".

On a related subject, I noticed that ESP extracts "email", "id", "issuer" from the JWT token and passes them as part of the X-Endpoint-API-UserInfo header. Is the list of claims passed to the back-end service fixed or configurable?

AL

Sarvani Vakkalanka

Apr 18, 2017, 4:11:49 PM
to AL, Google Cloud Endpoints
Right now these fields are fixed. The sub field does not have to match anything in the security declaration.

Thanks,
Sarvani


Sarvani Vakkalanka

Apr 19, 2017, 7:00:49 PM
to AL, Google Cloud Endpoints
Responding to global thread. We have debugged the issue and it looks like we have two issues with the JWT token:
1) There is no "sub" claim in the token.
2) The exp and iat fields are strings but they should be numbers as follows:
"exp": 1492619831,
"iat": 1492533431,

Thanks,
Sarvani





Alex Van Boxel

Apr 25, 2017, 1:53:28 PM
to Google Cloud Endpoints, zl...@slb.com
I have a similar problem. Is there any way we can get extra information about the BAD_FORMAT error? Without decent feedback it's very frustrating to troubleshoot.

Sarvani Vakkalanka

Apr 25, 2017, 1:59:57 PM
to Alex Van Boxel, Google Cloud Endpoints, AL
Hi Alex, 

We are working on making the error messages more informative. Apologies for the inconvenience. Please make sure your JWTs have the following required fields:
"sub", "aud" and "iss". Make sure that the "exp" and "iat" fields are numerical values and NOT strings. Let me know if you still see the BAD_FORMAT error after the checks. 
If you are comfortable, you can provide me the JWT so I can look at it and check what is going on.

Thanks,
Sarvani


Alex Van Boxel

Apr 25, 2017, 2:21:30 PM
to Google Cloud Endpoints, alex.v...@gmail.com, zl...@slb.com
eyJhbGciOiJSUzI1NiIsImF1ZCI6InFhdWQiLCJleHAiOjE0OTMxNDAzODUsImlhdCI6MTQ5MzEzNjc4NSwiaXNzIjoicWlzcyIsInN1YiI6InN1YmplY3QifQ.eyJpbmZvIjoiSSdtIGEgc2lnbmVkIHRva2VuIn0.imhco9HANmLfv-pQjeecOEz_7xdxIMMcTL9qQHfofMNKDn_NtJJjSEOpHgSbanuDIPAn9iVxaQg_IIpsurNPo6OEkGv6jMhfmsJI5YHic8bGUNgy-0NyqiHEL1YLA7qDaxTPoc4I6EhItqEfK168S3QFQ5MHYrRXINcRodhXGtn8nD_H6wIHd4pKPDeFJStfwTUVtET2eeFpbU6h9Knv5fKTQjpQOke4FJXG5TMkk3ojtfiJtKF_ZJVjY-RcKyHQNrimaegcGssPihyfeU9U7CWPJxSgblviPXI_BjmQbGlmZWTEluBuhhOnr2zr8tOU9zkWWlippZM_-1wsFBhRPg

Decoded by jwt.io:

header:
{
  "alg": "RS256",
  "aud": "qaud",
  "exp": 1493140385,
  "iat": 1493136785,
  "iss": "qiss",
  "sub": "subject"
}
payload:
{
  "info": "I'm a signed token"
}

Public Key URL:

Endpoints YAML:
quantum_jwt:
  authorizationUrl: ""
  flow: "implicit"
  type: "oauth2"
  x-google-issuer: "qiss"
  x-google-jwks_uri: "https://storage.googleapis.com/vex-eu-data/tmp/jwkset_pub.json"
  x-google-audiences: "qaud"

Sarvani Vakkalanka

Apr 25, 2017, 2:26:00 PM
to Alex Van Boxel, Google Cloud Endpoints, AL
Hi Alex,

Except for the "alg" field, the rest of the fields should be in the payload.

Here is how the JWT would look:

header:
{
  "alg": "RS256"
}
payload:
{
  "aud": "qaud",
  "exp": 1493140385,
  "iat": 1493136785,
  "iss": "qiss",
  "sub": "subject",
  "info": "I'm a signed token"
}

Typically the headers are created by a JWT helper library that will also be able to sign the JWT with your secret once you have provided the payload.

Let me know if you have any more questions.

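The checks named in this thread ("iss", "aud" and "sub" present in the payload, numeric "exp" and "iat", registered claims kept out of the header) written as a pre-flight lint. This is an added example, not code from the thread or from ESP; it does not verify signatures, and `lint_jwt`, `encode_unsigned` and the sample tokens are names and inputs constructed for illustration.

```python
import base64
import json

REQUIRED = ("iss", "aud", "sub")   # claims the thread says ESP requires
NUMERIC = ("exp", "iat")           # must be JSON numbers, not strings

def _segment(part):
    """Decode one base64url JWT segment (padding restored) to a Python object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def lint_jwt(token):
    """Return findings for the token-shape problems named in the thread (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["expected 3 dot-separated segments, got %d" % len(parts)]
    try:
        header, payload = _segment(parts[0]), _segment(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return ["segment is not base64url-encoded JSON: %s" % exc]
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return ["header and payload must both be JSON objects"]
    findings = []
    for claim in REQUIRED:
        if claim not in payload:
            findings.append("payload is missing required claim '%s'" % claim)
    for claim in NUMERIC:  # type() check also rejects booleans
        if claim in payload and type(payload[claim]) not in (int, float):
            findings.append("'%s' must be a JSON number, got %s"
                            % (claim, type(payload[claim]).__name__))
    for claim in REQUIRED + NUMERIC:
        if claim in header:
            findings.append("'%s' is in the header; it belongs in the payload" % claim)
    return findings

def encode_unsigned(header, payload):
    """Build a token with a placeholder signature (constructed sample input)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join((enc(header), enc(payload), "c2ln"))

# Constructed samples mirroring the token shapes discussed in the thread.
CLAIMS = {"aud": "qaud", "exp": 1493140385, "iat": 1493136785,
          "iss": "qiss", "sub": "subject"}
STRING_TIMES = encode_unsigned({"alg": "RS256"}, {
    "iss": "xxx", "aud": "xxx", "exp": "1492619831", "iat": "1492533431"})
CLAIMS_IN_HEADER = encode_unsigned(dict(CLAIMS, alg="RS256"), {"info": "x"})
CORRECTED = encode_unsigned({"alg": "RS256"}, dict(CLAIMS, info="x"))

if __name__ == "__main__":
    for name in ("STRING_TIMES", "CLAIMS_IN_HEADER", "CORRECTED"):
        print(name, lint_jwt(globals()[name]) or "no findings")
```

An empty result only means the token avoids the shape problems listed here; issuer, audience and signature checks still happen at the proxy.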

Alex Van Boxel

Apr 25, 2017, 3:30:49 PM
to Google Cloud Endpoints, alex.v...@gmail.com, zl...@slb.com
Thanks, this completely de-blocked me. Now I can start testing.

Thanks again!

jer...@vroom.com

May 13, 2017, 1:02:34 PM
to Google Cloud Endpoints
Alex, what lib are you using to create your JWT? Or are you just building it yourself based on the docs?