Include custom headers with password #189

Closed
unmultimedio opened this issue Feb 7, 2017 · 3 comments
Comments

@unmultimedio

Hello. I've found in your documentation:

require 'jwt'

payload = {:data => 'test'}

# IMPORTANT: set nil as password parameter
token = JWT.encode payload, nil, 'none', { :typ => "JWT" }

But what happens when we want to add custom headers using a password?

I'm trying to generate a JWT for a chat service called Smooch. Here are their docs.

They have an example for a node.js server, and I've found this gem is quite popular on Rails servers for generating those. I tried this:

require 'jwt'

def smooch_jwt
  # Claims Smooch expects for an app-user token; smooch_user_id is a
  # controller helper assumed to be defined elsewhere.
  payload = {
    scope: 'appUser',
    userId: smooch_user_id
  }

  # alg and typ are already set by JWT.encode; the extra entry is the key id.
  # Smooch expects it under `kid` (see the follow-up below); `key` is what
  # was tried here.
  header_fields = {
    alg: 'HS256',
    typ: 'JWT',
    key: ENV['SMOOCH_KEY_ID']
  }

  # Signed with HS256: the secret produces the signature, it does not encrypt
  # the header or payload.
  JWT.encode payload, ENV['SMOOCH_SECRET'], 'HS256', header_fields
end

And it seems to generate a JWT, but it can be decoded without using ENV['SMOOCH_SECRET']. Isn't that password supposed to be needed to decode it? That JWT is not being accepted by their API and I don't know if I'm misunderstanding them or you.

I'm very confused about it.

@excpt
Member

excpt commented Feb 8, 2017

The password you provide for your token is only there to verify that the token you send to the server is valid. The payload and header are not encrypted. It's just a base64 encoded JSON string. The signature (it's the last part of the token) is encrypted and can only be checked when you provide the correct password. When the password is not correct the verification process will fail. This ensures that the sent token will be accepted or rejected by the 3rd party you send it to.

Payload encryption is possible with the JWE RFC. This allows you to encrypt your data with different methods like AES128 and such. But do not use this for your Smooch setup.

@unmultimedio
Author

Thank you @excpt for the explanation! I reached out to Smooch support and they showed me that in the header_fields I was using key instead of kid. Changed that hash key and it worked perfectly with the same code above.
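The two points made in this thread, that header and payload of an HS256 JWT are readable by anyone while the secret is only needed to produce and check the signature, and that Smooch wants the key id under the `kid` header, can be seen end to end in the following added example. It is not code from the issue, from Smooch, or from the ruby-jwt gem: it hand-rolls the HS256 compact serialization with only the Ruby standard library (`openssl` and `json`) so that the three base64url segments are visible, and it goes a little beyond the thread by showing what a correct verifier has to do (pin the algorithm so an `alg: none` token is rejected, recompute the MAC, compare in constant time). `SMOOCH_KEY_ID`, `SMOOCH_SECRET` and the user id are constructed placeholder values, not real credentials.

```ruby
require 'openssl'
require 'json'

# Constructed example credentials (not real Smooch values).
SMOOCH_KEY_ID = 'app_key_id_example'
SMOOCH_SECRET = 'correct-horse-battery-staple'

# base64url without padding, as the JWS compact serialization requires.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decode; raises ArgumentError on garbage
end

# Constant-time comparison so the verifier does not leak the MAC byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Compact JWS with HS256: base64url(header).base64url(payload).base64url(HMAC-SHA256).
# Header and payload are plain base64url JSON; only the third part needs the secret.
def jwt_encode_hs256(payload, secret, extra_headers = {})
  header = { alg: 'HS256', typ: 'JWT' }.merge(extra_headers)
  signing_input = [header, payload].map { |part| b64url_encode(JSON.generate(part)) }.join('.')
  mac = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(mac)}"
end

# Reads header and payload without the secret: this is what the author observed.
def jwt_peek(token)
  header_b64, payload_b64, _sig = token.split('.', 3)
  [JSON.parse(b64url_decode(header_b64)), JSON.parse(b64url_decode(payload_b64))]
end

# Verifies the token the way the receiving API must: the algorithm is pinned by
# the verifier (so a forged alg=none header is rejected), the MAC is recomputed
# over the first two segments and compared in constant time. Returns the
# payload on success, nil on any failure.
def jwt_verify_hs256(token, secret)
  parts = token.split('.', 3)
  return nil unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(expected, b64url_decode(sig_b64))
  JSON.parse(b64url_decode(payload_b64))
rescue ArgumentError, JSON::ParserError
  nil
end

# The working shape from the thread: key id goes in the `kid` header, secret signs.
def smooch_jwt(smooch_user_id)
  payload = { scope: 'appUser', userId: smooch_user_id }
  jwt_encode_hs256(payload, SMOOCH_SECRET, kid: SMOOCH_KEY_ID)
end

def demo
  token = smooch_jwt('user-42')
  header, payload = jwt_peek(token)

  # Tampered payload with the original signature kept.
  h, _p, s = token.split('.')
  forged = [h, b64url_encode(JSON.generate(scope: 'admin', userId: 'user-42')), s].join('.')

  # alg=none token with no signature segment at all.
  none_hdr = b64url_encode(JSON.generate(alg: 'none', typ: 'JWT', kid: SMOOCH_KEY_ID))
  unsigned = "#{none_hdr}.#{b64url_encode(JSON.generate(payload))}."

  {
    header_kid: header['kid'],
    payload_readable_without_secret: payload['userId'],
    verifies_with_secret: !jwt_verify_hs256(token, SMOOCH_SECRET).nil?,
    verifies_with_wrong_secret: !jwt_verify_hs256(token, 'not-the-secret').nil?,
    tampered_accepted: !jwt_verify_hs256(forged, SMOOCH_SECRET).nil?,
    alg_none_accepted: !jwt_verify_hs256(unsigned, SMOOCH_SECRET).nil?
  }
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

In a real Rails app keep using the gem rather than this hand-rolled version; the equivalent of `jwt_peek` there is `JWT.decode token, nil, false`, which is exactly the "decoded without the secret" behaviour the author saw, and `JWT.decode token, ENV['SMOOCH_SECRET'], true, algorithm: 'HS256'` is the verifying call whose `algorithm:` option plays the role of the pinned `alg` check above.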

@excpt
Member

excpt commented Feb 9, 2017

Great! 👍

@excpt excpt closed this as completed Feb 9, 2017