I’m developing an API endpoint to receive requests from a Pipedrive JSON Panel. For now I have it set up with a user and password for basic authorization, which I have working. I also set a “JWT Secret” which (as far as I can tell) is used to generate the signature for a JWT token that gets sent by Pipedrive.
On my endpoint, besides verifying the incoming user/password, I wanted to try validating the JWT token, to make sure it was signed with my secret key.
In my case I’m developing in .NET Core (C#). I’ve tried various strategies and libraries to validate the JWT token from Pipedrive. I can’t find much detail about the JWT token itself in the docs… all they typically say is to reference the website https://jwt.io/. So I even tried using the .NET library recommended on that website, however I still continue to get the same error:
IDX10503: Signature validation failed. Token does not have a kid.
Does anyone have sample code for validating the token sent from Pipedrive? Am I missing something? I haven’t worked much with JWTs before… Should I be able to take a token generated by Pipedrive and verify that it was signed with my secret key?
You should be able to verify the JWT token. Here you can try to create a JWT token; then you should be able to decode and verify the token by using a secret: JWT Decoder | Ping Identity Developer Portal
My assumption is that you might be using a different algorithm to verify the token. By default, HS256 should be used. I see that in some .NET libraries a different algorithm, like RS256, is used in the example.
@BBrandtPLX, unfortunately, there is a bug with JSON panels. Even if a JWT secret was provided, we were still using the client secret to sign the token. So you should be able to verify it by using the client secret at the moment. But we will fix it asap. Thank you for pointing this problem out. Once the fix is ready, I will notify you.
Excellent, thank you @dmitriyeff! I’ve tested it out and I can successfully validate the token from Pipedrive. Nice work and thanks for jumping on that so quickly.
Hey @dmitriyeff, I’ve moved forward to work with a “Link Action” on my JSON Panel extension, and I think the same issue exists on calls made by link actions. I specified a JWT Secret for the link action. When Pipedrive called my endpoint, I captured the JWT token, and it did not validate with my secret key.
I took the token over to https://jwt.io/ and I was able to verify that it was signed with the OAuth Client Secret instead. Can you investigate? I can of course use the client secret, but this appears to be a similar bug to what you found with the JSON Panel requests.
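The check the thread converges on (HS256 verification with a shared secret, then trying both the configured JWT secret and the OAuth client secret to see which one actually signed the token) can be done offline without jwt.io. The following is an added, language-neutral illustration written for this page, not code from Pipedrive or from any of the posters, and it is not the .NET library call the original question asks about. It uses only the Python standard library. The secrets, claim values and the sample token are constructed here for illustration; real Pipedrive tokens carry whatever claims Pipedrive puts in them. Note that it pins the algorithm to HS256 (rejecting `none` or an RS256 header on an HMAC-keyed endpoint), uses a constant-time comparison, and checks `exp` when present, which are the three things a hand-rolled verifier most often gets wrong.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding that base64url strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT. Used here only to construct the sample token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is an HS256 JWT signed with `secret`, else None.

    The algorithm is pinned by the verifier, not read from the token: a header of
    "none" or "RS256" is rejected outright, which closes the usual alg-confusion holes.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a mismatch leaks nothing about the expected MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def which_secret_signed(token: str, candidates: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Diagnostic for the situation in the thread: report which configured secret verifies the token."""
    for name, secret in candidates.items():
        if verify_hs256(token, secret, now) is not None:
            return name
    return None


# Constructed sample values (not real Pipedrive secrets or claims).
JWT_SECRET = "panel-jwt-secret-example"
CLIENT_SECRET = "oauth-client-secret-example"
SAMPLE_CLAIMS = {"iss": "example-issuer", "company_id": 123, "user_id": 456, "exp": 4102444800}
# Mimics the bug described above: the token was signed with the client secret,
# even though a JWT secret was configured for the panel / link action.
SAMPLE_TOKEN = sign_hs256(SAMPLE_CLAIMS, CLIENT_SECRET)

if __name__ == "__main__":
    print("verifies with JWT secret:   ", verify_hs256(SAMPLE_TOKEN, JWT_SECRET) is not None)
    print("verifies with client secret:", verify_hs256(SAMPLE_TOKEN, CLIENT_SECRET) is not None)
    print("signed by:", which_secret_signed(SAMPLE_TOKEN, {"jwt_secret": JWT_SECRET, "client_secret": CLIENT_SECRET}))
```

Running it prints that the sample token fails with the JWT secret and verifies with the client secret, which is exactly the symptom the original poster saw on jwt.io. In a real endpoint, use a single key (the one that is supposed to sign the token) rather than looping over candidates; the loop is a diagnostic, and accepting either secret in production would silently keep the weaker configuration alive after the fix.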