Closed gaeldb closed 6 years ago
Can you provide your public key?
We use a shared secret key: test
Apache conf is:
AuthJWTSignatureAlgorithm HS256
AuthJWTSignatureSharedSecret dGVzdA==
AuthJWTIss testdomain.com
Sorry, I missed that this was HS256. I'll try to debug in the next couple of days.
Hello,
I'm working with gaeldb on the same subject and we still have the same issue. After some research we found that the function "token_decode" returns errno 22. The server correctly receives the token (we print it to stderr). The server also correctly decodes the key (also printed to stderr by us).
I haven’t been able to reproduce this. I tried it with a basic config, similar to the test suite on this project, and it consistently works. Can you provide more info? Specifically, have you tried it with an extremely simple config and very bare Apache setup (i.e. no unnecessary modules enabled)? If you have a basic config that is failing that you’d be willing to share or info regarding other dependencies such as libssl version I will take another look.
I'm hitting the same issue, using a Docker image based on Ubuntu 16.04 and with libssl version 1.0.2g-1ubuntu4.12. I've been trying to reproduce the issue with a minimum Dockerfile and httpd.conf, but annoyingly I haven't been able to do so.
I've dug into it a bit, and it looks like the key length is being mis-computed, because apr_base64_decode_len returns an upper bound. As long as the extra bytes were zero the verification would work (I assume because HMAC does some zero padding of its own), but if the extra bytes happened to have uninitialised data it would fail.
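The length mistake described in the comment above, worked through as an added example (this is not code from mod_authnz_jwt or from anyone in this thread). `apr_base64_decode_len` is modelled here in Python from APR's documented behaviour: it counts the leading base64-alphabet characters, rounds up to a multiple of 4, scales by 3/4 and adds one for the NUL terminator, so for `dGVzdA==` it returns 7 while the decoded secret `test` is 4 bytes. `key_from_config_buggy` and its `stale_tail` parameter are assumptions standing in for the uninitialised bytes in the over-sized key buffer; the token and claims are constructed locally rather than taken from the issue.

```python
import base64
import hashlib
import hmac
import json

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def apr_base64_decode_len(encoded: str) -> int:
    """Python model (assumption, not APR's code) of apr_base64_decode_len():
    count leading base64-alphabet characters (stops at '=' padding), round
    up to a multiple of 4, scale by 3/4, add 1 for the NUL terminator.
    The result is a buffer-size upper bound, not the decoded length."""
    nprbytes = 0
    for ch in encoded:
        if ch not in B64_ALPHABET:
            break
        nprbytes += 1
    return ((nprbytes + 3) // 4) * 3 + 1


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_sign(signing_input: str, key: bytes) -> str:
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for the demo (not the token posted in the issue)."""
    header = b64url_encode(
        json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode()
    )
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{hs256_sign(header + '.' + payload, key)}"


def hs256_verify(token: str, key: bytes) -> bool:
    header, payload, sig = token.split(".")
    return hmac.compare_digest(hs256_sign(header + "." + payload, key), sig)


def key_from_config_buggy(shared_secret_b64: str, stale_tail: bytes) -> bytes:
    """Models the defect from the thread: the key buffer is sized with
    apr_base64_decode_len() and that whole size is handed to HMAC, so the
    NUL the decoder writes after the real bytes, followed by whatever the
    allocator left in the buffer, becomes key material. `stale_tail` is a
    constructed stand-in for that uninitialised memory."""
    real = base64.b64decode(shared_secret_b64)
    size = apr_base64_decode_len(shared_secret_b64)
    return (real + b"\x00" + stale_tail + b"\x00" * size)[:size]


def key_from_config_fixed(shared_secret_b64: str) -> bytes:
    """Use the length the decoder actually produced, not the upper bound."""
    return base64.b64decode(shared_secret_b64)


def demo(shared_secret_b64: str = "dGVzdA==") -> dict:
    key = key_from_config_fixed(shared_secret_b64)
    token = make_token({"iss": "testdomain.com", "sub": "test@example.com"}, key)
    return {
        "decode_len_upper_bound": apr_base64_decode_len(shared_secret_b64),
        "real_key_len": len(key),
        "fixed_key_verifies": hs256_verify(token, key),
        # HMAC zero-pads keys shorter than the hash block size, so trailing
        # NULs are harmless: "test" and "test\0\0\0" are the same HMAC key.
        "zeroed_tail_verifies": hs256_verify(
            token, key_from_config_buggy(shared_secret_b64, b"\x00\x00")
        ),
        # Any non-zero byte in the stale tail changes the key: the random 401s.
        "stale_tail_verifies": hs256_verify(
            token, key_from_config_buggy(shared_secret_b64, b"\x41\x42")
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two halves of the symptom: with the over-sized buffer the verification still succeeds whenever the extra bytes happen to be zero, because HMAC pads short keys with zeros anyway, and fails as soon as they contain anything else. The fix is the one-line `key_from_config_fixed` shape: take the key length from the decoder's return value rather than from `apr_base64_decode_len`.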
Thanks for the fix
Thanks all
Hi,
I have an issue with mod_authnz_jwt. When using a JWT to authenticate, mod_authnz_jwt randomly answers:
for no apparent reason.
The JWT we are using for test :
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ0ZXN0ZG9tYWluLmNvbSIsImlhdCI6MTUyMTY1NDgwMSwiZXhwIjoxNTUzMTkwODEwLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJ0ZXN0QGV4YW1wbGUuY29tIiwidXNlciI6ImFkbWluIn0.g6lHZQbv7H9dD3CXZpw3zZ7zfO4bTuGs3BI6mWndAeE
Secret is test
Sent to our test server with this curl command:
curl -X GET -k -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ0ZXN0ZG9tYWluLmNvbSIsImlhdCI6MTUyMTY1NDgwMSwiZXhwIjoxNTUzMTkwODEwLCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJ0ZXN0QGV4YW1wbGUuY29tIiwidXNlciI6ImFkbWluIn0.g6lHZQbv7H9dD3CXZpw3zZ7zfO4bTuGs3BI6mWndAeE' -i 'https://testdomain.com'
We sometimes receive a 200 OK answer. Apache logs:
And sometimes a 401 Unauthorized a few seconds later. Apache logs:
Token and request method are strictly the same. Do you have any idea why the token is sometimes decoded and sometimes rejected as invalid/malformed?
Thanks