AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

Erroneously complains: Decoding process has failed, token is either malformed or signature is invalid #61

Closed rkc7h closed 2 years ago

rkc7h commented 3 years ago

The module is installed on Apache httpd on CentOS, and the following configuration is being used:

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set X-Remote-User "%{RU}e" env=RU

    AuthJWTSignatureSharedSecret "BASE 64 encoded secret"
    AuthJWTSignatureAlgorithm HS256
    AuthJWTIss <set to servername of this config file>
    AuthJWTAttributeUsername user
    <Location />
      # AllowOverride is only valid in <Directory> context; httpd rejects it inside <Location>
      AllowOverride None
      AuthType jwt-bearer
      AuthName "private area"
      Require valid-user
    </Location>

The token is being generated elsewhere, in Python:

    import datetime
    import jwt  # PyJWT

    def generate_token(user):
        iat = datetime.datetime.utcnow()
        exp = iat + datetime.timedelta(hours=8, minutes=0, seconds=0)
        # RFC 7519 defines 'sub' as a string; a dict here is non-standard and
        # may be rejected by stricter JWT libraries. 'user' is the claim the
        # Apache side reads as the username (AuthJWTAttributeUsername user).
        payload = {'exp': exp, 'iat': iat,
                   'sub': user, 'user': user['username']}
        return jwt.encode(
            payload, 'same base 64 encoded SECRET_KEY', algorithm='HS256')

We have only set up mod_authnz_jwt to verify the token. Currently the module detects the presence of the token header and also uses the secret key we configured to decode it, but it keeps complaining with the following log:

[Thu Jun 17 17:20:53.823078 2021] [auth_jwt:error] AH55512: Decoding process has failed, token is either malformed or signature is invalid

But decoding succeeds without issue when tried through the following Python code:

    import jwt  # PyJWT

    def decode_token(auth_token):
        try:
            # 'algorithms' expects a list; pin it so the token cannot pick the algorithm
            payload = jwt.decode(
                auth_token, 'same base 64 encoded SECRET_KEY', algorithms=['HS256'])
            return payload['user']
        except jwt.ExpiredSignatureError:
            raise RestException(RestException.TOKEN_EXPIRED)  # application's own exception class, not shown
        except jwt.InvalidTokenError:
            raise RestException(RestException.TOKEN_INVALID)

Can you please help? Something seems to be broken in the decoding process, or in the library mod_authnz_jwt uses to decode. It seems to be almost there. Please help with our setup.
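As an added illustration (not code from the issue author or from mod_authnz_jwt), the standard-library script below mints and verifies an HS256 token the way the configuration above intends, and shows one way a token that PyJWT happily decodes can still fail a signature check on the other side: AuthJWTSignatureSharedSecret is given as a base64-encoded value, and if the verifier base64-decodes it before using it as the HMAC key (an assumption made here, not confirmed by the thread) while the Python side passes the same base64 string as the literal key, the two sides sign with different key bytes and the verifier reports "signature is invalid" even though both believe they share the secret. The verifier also pins the algorithm server-side instead of trusting the token header, checks exp/iat, and reads the `user` claim as the username attribute. The secret, claims and timestamps are constructed sample data.

```python
# Added example: minimal HS256 JWT mint/verify with the standard library only.
# Assumption: the Apache side uses base64.b64decode(AuthJWTSignatureSharedSecret)
# as its HMAC key; PyJWT's jwt.encode(payload, secret) uses the string as-is.
import base64
import hashlib
import hmac
import json

# Constructed sample secret, stored base64-encoded as it would be in httpd.conf.
SHARED_SECRET_B64 = base64.b64encode(b"correct horse battery staple").decode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, now: int, username_attr: str = "user"):
    """Return (ok, reason, username). The order of checks matters: signature first."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        given_sig = _b64url_decode(s64)
    except ValueError:  # covers bad split, bad base64, bad JSON, bad UTF-8
        return False, "malformed", None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed", None
    # The verifier decides the algorithm; a token saying alg=none is rejected here.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return False, "signature invalid", None
    if "exp" not in payload or now >= payload["exp"]:
        return False, "expired", None
    if "iat" in payload and payload["iat"] > now:
        return False, "issued in the future", None
    username = payload.get(username_attr)
    if not username:
        return False, "no username claim", None  # nothing to set REMOTE_USER from
    return True, "ok", username


def demo(now: int = 1623950000):
    """Constructed scenario: same base64 secret string, two different key derivations."""
    claims = {"iat": now, "exp": now + 8 * 3600, "user": "alice", "iss": "api.example.test"}
    key_decoded = base64.b64decode(SHARED_SECRET_B64)  # assumed Apache-side key bytes
    key_literal = SHARED_SECRET_B64.encode()           # what jwt.encode(payload, secret) uses

    token_decoded = mint_hs256(claims, key_decoded)
    token_literal = mint_hs256(claims, key_literal)

    # Forgery attempt: keep the header and signature, swap the username in the payload.
    h64, _p64, s64 = token_decoded.split(".")
    forged_p64 = _b64url(json.dumps({**claims, "user": "mallory"}, separators=(",", ":")).encode())
    forged = f"{h64}.{forged_p64}.{s64}"

    return {
        "decoded_key_roundtrip": verify_hs256(token_decoded, key_decoded, now),
        "literal_key_mismatch": verify_hs256(token_literal, key_decoded, now),
        "expired": verify_hs256(token_decoded, key_decoded, now + 9 * 3600),
        "forged": verify_hs256(forged, key_decoded, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical check when both sides "use the same secret" is to compare the key bytes, not the configured strings: if the literal-key token fails here, the fix is for the issuer to sign with base64.b64decode(secret), not for the verifier to relax anything.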

rkc7h commented 3 years ago

Please ignore this request; the decoding is working fine now, but it is complaining:

[Thu Jun 17 19:04:40.103854 2021] [authz_core:error] AH01629: authorization failure (no authenticated user): /

Any ideas or suggestions on how to resolve this? The token is a bearer token; we want the module to look for the authenticated user at this point.

rkc7h commented 3 years ago

Never mind, I think I can use Require jwt-claim instead of Require valid-user to get past this issue. The only advice I have is to try adding more documentation around valid-user and claims, with more examples, and also to try printing more specific errors, like where decoding went wrong, if possible :). Other than that, this module looks nice and solid and does what it is built for. I had some trouble building it on CentOS, but looking at the stack trace and setting the right path as applicable enabled me to build and load the module. I wish it had a better way to build it seamlessly.