JWT Invalid #56

Closed
marsouin opened this issue Sep 26, 2017 · 11 comments
Comments

@marsouin

Hi, I have a JWT and JWK issued by Auth0 that get a systematic JWSError JWSInvalidSignature on validation.

Here's a sample JWT
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJEWTVSVEpFTVRReFF6WTBPVFkzT0VORk1UUXpPVEU1UXpORFFVSTBNVVl4UkRnMU5VUXdSUSJ9.eyJpc3MiOiJodHRwczovL2xvYmJ5Y2l0b3llbi5ldS5hdXRoMC5jb20vIiwic3ViIjoibFptdTQzdDJXQjBrWm1sQzV3ZmxoTVVQOFY3bzlNemRAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vd3d3LmxvYmJ5LWNpdG95ZW4tYXBpLWF1dGguZnIvIiwiZXhwIjoxNTA2NDk5ODExLCJpYXQiOjE1MDY0MTM0MTEsInNjb3BlIjoiIn0.NxFEQy_vhFR_zjkNqq8wkCmdhs8sdyiB4SNuh3sKDwgGZpxQAq5CsqYzmkLl5A9nF1wRp0lwyYVncx3_ctaILJ92cpoM2478CNzDPzCKTydUzABgwK6Jo9L-R8A2FGjPRtMeMxpkhTTlclEo6ERIXocVQa6-Oeji42nwmQEjJkkdX4iTBl0DgsqrfrfPPxa1XtvF5MyjT6U8XlV_65C1zXcayhA2nhykIhbw5atht_yUkrhdbYEihZblaUTy7cfmEYpqeNTJxLRyQ30wPvccXi2bQgq7Sq7VIFP_S-dHERk6LXTbase0bu7QR_XA5w6lyOs7oXVbF5Jr8adrMh2R6g

and here's the JWK

{"alg":"RS256","kty":"RSA","use":"sig","x5c":["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"],"n":"vVzlh-IW4I95QelKKZyDjbVv0tLBvEo_jE9ndTCigjPHrtHzjAg-aB-u_KBYkF9CxT8nRWutm9GB9tXvg7z7n4U2fd4qZGLH6xFmIzqAJKwe7Z3l2fSqI1jJw4KLfYfGvAqP9qrETb8cH7jpEoI9nXp7a0GQ_BftQUk0qmczN9yLp-k0UGXtUNrJXJ7hWjpVcG7wRGHDZ9plbQZ9WmMJUFlPIn7Yvar1GhZNozz-37pD3a_DkE-uIQ1zhgMRcZhl6Sb3zjKn7l7XrMjuZJ7afSNHaXicrIhHS2_J3FtmDlR4_cha4H_jBVKzlUd-zB-pFMoOd1hnxE773b8ZVQ9dcw","e":"AQAB","kid":"RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ","x5t":"RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ"}

I can't seem to find the issue as it validates well on jwt.io...

Thanks a lot for your help!

@frasertweedale
Owner

Hello. This appears to be the same issue as #54.
At least, the JWK has that problem.

So I can confirm, could you please supply a minimal program to reproduce this issue?

@marsouin
Author

Thanks a lot for your answer, doesn't look good 😢
You can try a simple GET request on http://139.59.161.10:3000/deputes (we're using PostgREST). I'm chatting with them about the same issue and they're the ones who recommended I post here ;)

@frasertweedale
Owner

@marsouin the thing is, I can't quite work out why it's failing with JWSInvalidSignature. If you are
trying to use that JWK to validate the JWT, I would think it would fail during JWK parsing.

Like I said, can you give me a minimal program that demonstrates how you are attempting to validate the JWT?

Here is another suggestion in relation to the x5t parameter: the JWK itself is not signed - you could modify the x5t before parsing the JWK, i.e. you would base64url-decode, hex-decode, then base64url-encode the parameter value, in order to get the JWK in an RFC-compliant form that hs-jose will accept.
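The transformation suggested above (base64url-decode the malformed x5t, hex-decode the result, base64url-encode the raw digest), written out as an added Python example; this is not hs-jose code and not anything from the Auth0 JWK set beyond the field values already quoted in this issue. The JWK below is the one from the report with the x5c array left out, since the certificate is not reproduced here, so the x5c cross-check only runs when that array is present. The function names are the example's own.

```python
import base64
import hashlib

# JWK from the report, minus "x5c". The x5t value is the defect under discussion:
# it is the base64url encoding of a 40-character hex SHA-1 string instead of the
# base64url encoding of the 20 raw digest bytes that RFC 7517 section 4.8 requires.
ORIGINAL_JWK = {
    "alg": "RS256",
    "kty": "RSA",
    "use": "sig",
    "n": "vVzlh-IW4I95QelKKZyDjbVv0tLBvEo_jE9ndTCigjPHrtHzjAg-aB-u_KBYkF9CxT8nRWutm9GB9tXvg7z7n4U2fd4qZGLH6xFmIzqAJKwe7Z3l2fSqI1jJw4KLfYfGvAqP9qrETb8cH7jpEoI9nXp7a0GQ_BftQUk0qmczN9yLp-k0UGXtUNrJXJ7hWjpVcG7wRGHDZ9plbQZ9WmMJUFlPIn7Yvar1GhZNozz-37pD3a_DkE-uIQ1zhgMRcZhl6Sb3zjKn7l7XrMjuZJ7afSNHaXicrIhHS2_J3FtmDlR4_cha4H_jBVKzlUd-zB-pFMoOd1hnxE773b8ZVQ9dcw",
    "e": "AQAB",
    "kid": "RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ",
    "x5t": "RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ",
}


def b64url_decode(s: str) -> bytes:
    """base64url decode, tolerating the missing '=' padding JOSE values omit."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """base64url encode without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def x5t_hex_digest(x5t: str):
    """Diagnose the defect: return the 40-char hex string if x5t decodes to ASCII
    hex of SHA-1 length, or None if it already decodes to raw bytes."""
    decoded = b64url_decode(x5t)
    try:
        text = decoded.decode("ascii")
        bytes.fromhex(text)  # raises ValueError on non-hex or odd length
    except (UnicodeDecodeError, ValueError):
        return None
    return text if len(text) == 40 else None


def fix_x5t(jwk: dict) -> dict:
    """Return a copy of the JWK with x5t rewritten to base64url(raw SHA-1 bytes).
    A JWK whose x5t is already well-formed is returned unchanged."""
    fixed = dict(jwk)
    hexdigest = x5t_hex_digest(jwk.get("x5t", ""))
    if hexdigest is not None:
        fixed["x5t"] = b64url_encode(bytes.fromhex(hexdigest))
    return fixed


def x5t_matches_x5c(jwk: dict):
    """If an x5c chain is present, check that x5t equals SHA-1(leaf DER cert).
    Returns True/False, or None when there is no x5c to compare against."""
    chain = jwk.get("x5c")
    if not chain:
        return None
    leaf_der = base64.b64decode(chain[0])  # x5c entries are plain base64 DER
    return b64url_decode(jwk["x5t"]) == hashlib.sha1(leaf_der).digest()


if __name__ == "__main__":
    print("x5t decodes to hex digest:", x5t_hex_digest(ORIGINAL_JWK["x5t"]))
    print("corrected x5t:", fix_x5t(ORIGINAL_JWK)["x5t"])
```

Running it prints the hex digest hidden inside the original x5t and the 27-character base64url value a compliant parser expects. Because the JWK is unsigned, rewriting it before parsing changes nothing about the trust decision: the RSA parameters n and e, which are what the signature check actually uses, are untouched.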

@marsouin
Author

@frasertweedale right, sorry, I'm terrible at Haskell is the thing. I'm going to try your suggestion and/or find someone here who could help me write a minimal program.
Keep you posted within the day ;)

@frasertweedale
Owner

@marsouin cheers (FYI I am in UTC+10).

BTW, you are not terrible at Haskell, you are a new learner :) Enjoy the ride.

@marsouin
Author

@frasertweedale oh well, that might be tomorrow for you then haha.
True that ;) I will!

@marsouin
Author

I've just gotten rid of the x5t & x5c parameters and got the next error, which is JWTNotInAudience. But I guess that's more of a postgrest issue ;)

@frasertweedale
Owner

@marsouin you have to set the audience predicate in the JWT validation settings to test
whether the audience claim (if present) is acceptable.

See the doJwtVerify example at http://hackage.haskell.org/package/jose-0.6.0.3/docs/Crypto-JWT.html, specifically:

  let config = defaultJWTValidationSettings (== "bob")

If you don't care at all you can just set the predicate to (const True).
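What the audience predicate does, as an added Python example rather than hs-jose's own code: it decodes the claims of the sample JWT from this issue and applies a caller-supplied predicate the same way `defaultJWTValidationSettings (== "bob")` does, so the `JWTNotInAudience` outcome above can be reproduced and then fixed by choosing the right predicate. Signature verification is deliberately left out of this block; it only shows the claims-validation step. The `now` parameter is an assumption of the example so that the expired sample token can still be exercised.

```python
import base64
import json
import time

# Sample JWT from the issue (header.payload.signature), split for readability.
SAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJEWTVSVEpFTVRReFF6WTBPVFkzT0VORk1UUXpPVEU1UXpORFFVSTBNVVl4UkRnMU5VUXdSUSJ9"
    "."
    "eyJpc3MiOiJodHRwczovL2xvYmJ5Y2l0b3llbi5ldS5hdXRoMC5jb20vIiwic3ViIjoibFptdTQzdDJXQjBrWm1sQzV3ZmxoTVVQOFY3bzlNemRAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vd3d3LmxvYmJ5LWNpdG95ZW4tYXBpLWF1dGguZnIvIiwiZXhwIjoxNTA2NDk5ODExLCJpYXQiOjE1MDY0MTM0MTEsInNjb3BlIjoiIn0"
    "."
    "NxFEQy_vhFR_zjkNqq8wkCmdhs8sdyiB4SNuh3sKDwgGZpxQAq5CsqYzmkLl5A9nF1wRp0lwyYVncx3_ctaILJ92cpoM2478CNzDPzCKTydUzABgwK6Jo9L-R8A2FGjPRtMeMxpkhTTlclEo6ERIXocVQa6-Oeji42nwmQEjJkkdX4iTBl0DgsqrfrfPPxa1XtvF5MyjT6U8XlV_65C1zXcayhA2nhykIhbw5atht_yUkrhdbYEihZblaUTy7cfmEYpqeNTJxLRyQ30wPvccXi2bQgq7Sq7VIFP_S-dHERk6LXTbase0bu7QR_XA5w6lyOs7oXVbF5Jr8adrMh2R6g"
)


def b64url_decode(s: str) -> bytes:
    """base64url decode, restoring the '=' padding JOSE strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_header(jwt: str) -> dict:
    return json.loads(b64url_decode(jwt.split(".")[0]))


def decode_claims(jwt: str) -> dict:
    """Claims only. Unverified: a real verifier checks the signature first."""
    return json.loads(b64url_decode(jwt.split(".")[1]))


def audience_ok(claims: dict, predicate) -> bool:
    """Mirror of the audiencePredicate semantics described above: the check only
    applies if "aud" is present. RFC 7519 allows "aud" to be a single string or
    an array of strings; at least one value must satisfy the predicate."""
    if "aud" not in claims:
        return True
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    return any(predicate(a) for a in audiences)


def validate_claims(claims: dict, audience_predicate, now=None) -> list:
    """Return the list of validation failures; an empty list means accepted.
    Names follow the JWTError constructors mentioned in this thread."""
    now = time.time() if now is None else now
    errors = []
    if not audience_ok(claims, audience_predicate):
        errors.append("JWTNotInAudience")
    if "exp" in claims and now >= claims["exp"]:
        errors.append("JWTExpired")
    if "nbf" in claims and now < claims["nbf"]:
        errors.append("JWTNotYetValid")
    return errors


if __name__ == "__main__":
    claims = decode_claims(SAMPLE_JWT)
    # Constructed clock value between the token's iat and exp, so only the
    # audience decision varies between the runs below.
    clock = 1506413500
    print("aud claim:", claims["aud"])
    print('(== "bob"):', validate_claims(claims, lambda a: a == "bob", now=clock))
    print("exact API audience:", validate_claims(
        claims, lambda a: a == "https://www.lobby-citoyen-api-auth.fr/", now=clock))
    print("(const True):", validate_claims(claims, lambda _a: True, now=clock))
```

The first run reproduces `JWTNotInAudience` because the token's audience is the API URL, not `"bob"`; the second accepts it; the third accepts anything, which is why `const True` should only be used when the service genuinely does not care who the token was minted for. Note that with a real clock the sample token is long expired, so `JWTExpired` would be reported as well.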

@frasertweedale
Owner

@marsouin what is the outcome? Shall I close this issue?

@marsouin
Author

marsouin commented Oct 5, 2017

I ended up verifying the audience perfectly, you can close this!

@frasertweedale
Owner

Glad to hear. Thanks!
