JWT signature verification failed

Hi all, I am using ACSB 2.2.3. About 2 weeks ago I started facing this error: .a.AbstractConnectAuthenticationProvider : JWT signature verification failed “jwt-value”

I use https://jwt.io; the JWT signature is:
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
)

Header
{
  "typ": "JWT",
  "alg": "HS256"
}

When I ask the client to uninstall and reinstall the addon, all works fine. Any help, please?

Hi @HusseinFares,

Did this start around 8th March? We had an issue with the secret where we changed from a per-app secret to per-install secret. However, ACSB stores the secret per install, and so shouldn’t have had a problem.

You can see the discussion about the change here: “Moving away from per-installation shared secrets for apps”.

Regards,
James.

Hi @jrichards, yes, right, it started around the 8th of March. I always ask clients to reinstall the addon and the issue is resolved.

Hi @HusseinFares,

Then yes, I’d say the issue is related to the linked post. It’s likely your app didn’t handle the /install webhook when the new payload came for already installed apps, which contained the new secret.

Regards,
James.

Hi @jrichards, I am using ACSB

@EventListener
public void processAddonInstalledEvent(AddonInstalledEvent event) {
    AtlassianHost host = event.getHost();
    // rest of the handler is not shown in the post
}

I am not handling installation by mapping the “/install” endpoint.

Do I need to handle the /install payload and update the Atlassian_Host database table with the new payload data?

Best Regards

Hi @HusseinFares,

Atlassian Connect Spring Boot handles the install and the database table for you. Usually it’s pretty resilient to the install endpoint. Not sure what happened here. I’ll have a look and check with the team.

James.

Hi @jrichards ,

As the post mentions:
When this initial stage of the migration is complete, all shared secrets in your database will be the same – and then we’ll follow up with details on the next phase of the migration.

I checked my addon database and I found that the shared secret is not the same for all clients.

I am using ACSB version 2.2.3.

Caused by: com.atlassian.connect.spring.internal.jwt.JwtSignatureMismatchException: JWT signature verification failed

Hi @HusseinFares,

As we’ve been discussing in your DEVHELP ticket, we think that your /install webhook didn’t respond in time to the payload updates we sent around the 8th March.

Uninstalling and re-installing the app will fix this issue for each customer.

Regards,
James.
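
The failure mode discussed in this thread, as an added example that is not part of the original posts and is not Atlassian Connect Spring Boot's own code: an HS256 token signed with an updated shared secret is rejected while the app still holds the old secret for that host, and accepted once the stored value is replaced. The in-memory map is a hypothetical stand-in for the host table, the client key and secrets are constructed, and only the signature is checked, not the claims.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class StaleSecretDemo {
    // Hypothetical stand-in for the app's host table: clientKey -> shared secret.
    static final Map<String, String> HOST_SECRETS = new HashMap<>();
    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    static byte[] hmacSha256(String secret, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    }

    // Sender side: sign base64url(header) + "." + base64url(payload) with the secret.
    static String sign(String payloadJson, String secret) throws Exception {
        String header = "{\"typ\":\"JWT\",\"alg\":\"HS256\"}";
        String input = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(payloadJson.getBytes(StandardCharsets.UTF_8));
        return input + "." + b64url(hmacSha256(secret, input));
    }

    // Receiver side: recompute the HMAC with the stored secret, compare in constant time.
    static boolean verify(String jwt, String clientKey) throws Exception {
        String[] parts = jwt.split("\\.");
        String secret = HOST_SECRETS.get(clientKey);
        if (parts.length != 3 || secret == null) return false;
        byte[] expected = hmacSha256(secret, parts[0] + "." + parts[1]);
        try {
            return MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[2]));
        } catch (IllegalArgumentException malformedSignature) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String clientKey = "constructed-client-key";              // constructed sample values
        HOST_SECRETS.put(clientKey, "constructed-old-secret");    // stored at first install
        String jwt = sign("{\"iss\":\"" + clientKey + "\"}", "constructed-new-secret");
        System.out.println("stored secret is stale: " + verify(jwt, clientKey));
        HOST_SECRETS.put(clientKey, "constructed-new-secret");    // /install update applied
        System.out.println("stored secret updated:  " + verify(jwt, clientKey));
    }
}
```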