How can I check validity of the JWT token? #417

Closed
hauleth opened this issue Aug 17, 2017 · 6 comments

Comments


hauleth commented Aug 17, 2017

From the documentation I see that io.jwt.decode accepts only 1 argument; however, the JWT documentation also requires a "secret key" for validation. Is there any way to check if a given JWT is a valid one, or will OPA happily accept everything as valid?

tsandall (Member) commented:

The existing io.jwt.decode built-in does not verify the signature cryptographically. Doing so would require having the secret key in OPA which raises security questions.

If offloading signature verification would be helpful, we can add a built-in to do this but it would be on the deployment to ensure that the key doesn't get leaked, gets rotated, etc.


hauleth commented Aug 18, 2017

@tsandall it would be great when combined with #416 Vault integration.

I have also mentioned that project as an idea for HashiCorp's Nomad policy management.


hauleth commented Aug 18, 2017

@tsandall also, if there were access to environment variables in the OPA policy description, then this could be the place for storing the secret key. Because without verification the JWT functionality is quite useless, as anyone can now check for everything they want.

tsandall (Member) commented:

Adding support to access environment vars sounds like a good start.

I'll create two feature issues to track this:

  1. Add support for accessing environment vars in policy under a new root
  2. Add support for cryptographically verifying JWT signatures

@hauleth Do you know which signature scheme would be most useful to support first?


hauleth commented Aug 18, 2017

@tsandall I think that the HS* family is the most popular one; however, there are ready-to-use libraries that allow verification (list on https://jwt.io) and this one seems promising: https://github.com/dgrijalva/jwt-go

But remember https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
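An added example (not code from OPA or from anyone in this thread) contrasting the two behaviours discussed above: an unverified decode, which is what io.jwt.decode does, accepts a payload whose claims were rewritten, while an HS256 verifier that pins the algorithm rejects it, along with the "alg":"none" tokens described in the linked Auth0 post. The key, claims and tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    # Re-add the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWT (header.payload.signature) with HMAC-SHA256."""
    header = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(sig)}"


def decode_unverified(token: str) -> dict:
    """Mirror of io.jwt.decode: parse the payload, never check the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64d(payload))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if alg is pinned to HS256 and the HMAC matches."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64d(header)).get("alg") != "HS256":
            return None  # rejects "alg":"none" and RS/HS key-confusion tokens
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None  # constant-time comparison of the signature
        return json.loads(_b64d(payload))
    except (ValueError, json.JSONDecodeError):
        return None


# Constructed samples: a valid token, and the same token with its payload
# rewritten to claim a different role while keeping the original signature.
KEY = b"example-secret-not-for-production"
GOOD = sign_hs256({"sub": "alice", "role": "user"}, KEY)
_hdr, _, _sig = GOOD.split(".")
FORGED = f"{_hdr}.{_b64e(json.dumps({'sub': 'alice', 'role': 'admin'}).encode())}.{_sig}"
```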

tsandall (Member) commented:

@hauleth thanks for reaching out. I've created two separate issues to track the improvements required. If you think this should be re-opened for some reason, go ahead and do so or just comment. Thanks!
