Verify detached JWS

[RenautMestdagh]

I have a JWT without a payload. I want to verify it by using JWKS.
I searched a lot but was unable to get it to work. What am I doing wrong?
I tried this suggestion but it didn't work.
I get JWSSignatureVerificationFailed: signature verification failed.
The jwt I'm using is a recent one I got from a callback from the payment service i'm using. I temporarely hardcoded it because it's easier for debugging.

const jwt = "eyJ0eXAiOiJKT1NFK0pTT04iLCJraWQiOiJlcy5zaWduYXR1cmUucGF5Y29uaXEuY29tLjIwMjMiLCJhbGciOiJFUzI1NiIsImh0dHBzOi8vcGF5Y29uaXEuY29tL2lhdCI6IjIwMjMtMDYtMjZUMDI6NDk6NTEuNDU5MTc5WiIsImh0dHBzOi8vcGF5Y29uaXEuY29tL2p0aSI6IjgxZjJlNGQ3OTFiYWYwODYiLCJodHRwczovL3BheWNvbmlxLmNvbS9wYXRoIjoiaHR0cHM6Ly9taW5pdm9ldGJhbC5zY291dHN3YXJlZ2VtLmJlL2NhbGxiYWNrIiwiaHR0cHM6Ly9wYXljb25pcS5jb20vaXNzIjoiUGF5Y29uaXEiLCJodHRwczovL3BheWNvbmlxLmNvbS9zdWIiOiI2Mzk4NDRmMThlZmQxYTIzODg5ZDhhMzAiLCJjcml0IjpbImh0dHBzOi8vcGF5Y29uaXEuY29tL2lhdCIsImh0dHBzOi8vcGF5Y29uaXEuY29tL2p0aSIsImh0dHBzOi8vcGF5Y29uaXEuY29tL3BhdGgiLCJodHRwczovL3BheWNvbmlxLmNvbS9pc3MiLCJodHRwczovL3BheWNvbmlxLmNvbS9zdWIiXX0..ezk94vlx13_w2wCO9tvmlLIS9o48-gqkQftOylSKYdXmAgEluFy3rOUkr81HaVzMrFqDd02_qHv_jNhjRrBtYw"

const options = {
    crit: {"https://payconiq.com/sub":true, "https://payconiq.com/iss":true, "https://payconiq.com/iat":true, "https://payconiq.com/jti":true, "https://payconiq.com/path":true}
  }
  const JWKS =jose.createRemoteJWKSet(new URL('https://payconiq.com/certificates'))
  const { payload, protectedHeader } = await jose
      .jwtVerify(jwt, JWKS, options)
      .catch(async (error) => {
        if (error?.code === 'ERR_JWKS_MULTIPLE_MATCHING_KEYS') {
          for await (const publicKey of error) {
            try {
              return await jose.jwtVerify(jwt, publicKey, options)
            } catch (innerError) {
              if (innerError?.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
                continue
              }
              throw innerError
            }
          }
          throw new jose.errors.JWSSignatureVerificationFailed()
        }
        throw error
      })
  console.log(protectedHeader)
  console.log(payload)

[panva]

You need to re-attach the payload for verification since the payload is part of the signing input and is only removed for transport.

[RenautMestdagh]

What payload should I re-attach? I already tried with random strings but that doesn't work.
I'm using Payconiq and they are sending me this JWT. I don't have any control on the creation
This is documentation from the sending part.
Excuse me if I'm asking stupid questions. I'm kinda new to JWT :)

[panva]

Then please check with Payconiq on what the payload they're signing and detaching is. I cannot possibly know...

[RenautMestdagh]

They were using btoa( JSON.stringify( paymentInfo )) as payload. Thanks for making things clear!

[panva]

btoa no, they weren't. btoa is not base64url and so will intermittenly fail on you. Use jose.base64url.encode(JSON.stringify(paymentInfo)) instead.