AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

PassPhrase #8

Closed alborq closed 7 years ago

alborq commented 7 years ago

Hi, I am trying to use your extension for single auth. My app actually creates tokens like this:

{
  "alg": "RS256"
}{
  "username": "alborq",
  "exp": 1488785031,
  "iat": 1488781431
}

I hope it's OK, but my problem is somewhere else. I generate the key like this:

$ openssl genrsa -out var/jwt/private.pem -aes256 4096
$ openssl rsa -pubout -in var/jwt/private.pem -out var/jwt/public.pem

And I add a key passphrase.

I try to configure my vhost like this:

        AuthJWTSignatureAlgorithm RS256
        # Paths are OK, I just truncated them
        AuthJWTSignaturePublicKeyFile var/jwt/public.pem
        AuthJWTSignaturePrivateKeyFile var/jwt/private.pem

        <Location />
                AuthType jwt
                AuthName "private area"
                Require valid-user
        </Location>

But how can I pass my key passphrase for the .pem?

Thanks for your reply! Alborq.

alborq commented 7 years ago

It may be a brain lock problem... It works without... I think I don't understand something...

AnthonyDeroche commented 7 years ago

Yes, your key must not be protected by a passphrase.

alborq commented 7 years ago

It's strange: my key is protected by a passphrase, but your extension works. It allows connecting. I don't understand how without.

AnthonyDeroche commented 7 years ago

If you try to authenticate a JWT emitted by a third party, then you only need the public key. The private key is used to sign tokens. If your private key is passphrase protected, then the module won't be able to emit tokens, but it can still verify tokens already signed.
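
The asymmetry described in the last reply, reproduced with the `openssl` CLI as an added example (not code from this thread or from mod_authnz_jwt): signing needs the passphrase-protected private key, while verifying an RS256 token needs only the public key. The function names, the passphrase and the temporary directory are hypothetical, and an empty passphrase stands in for a process that has no way to supply one.

```bash
#!/usr/bin/env bash
# Added example: throwaway key, passphrase and claims are constructed values.
WORK=$(mktemp -d)
PASS='example-passphrase'

# base64url without padding, as used for JWT segments
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Same two steps as in the thread (2048 bits only to keep the demo fast).
make_keys() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/private.pem" 2048 2>/dev/null
  openssl rsa -pubout -passin "pass:$PASS" -in "$WORK/private.pem" \
    -out "$WORK/public.pem" 2>/dev/null
}

# Signing reads private.pem, so it needs the passphrase ($1).
# Prints the compact RS256 token; returns non-zero if the key cannot be loaded.
sign_jwt() {
  header=$(printf '{"alg":"RS256"}' | b64url)
  payload=$(printf '{"username":"alborq","exp":1488785031,"iat":1488781431}' | b64url)
  printf '%s' "$header.$payload" | openssl dgst -sha256 -sign "$WORK/private.pem" \
    -passin "pass:$1" -out "$WORK/sig.bin" 2>/dev/null || return 1
  printf '%s.%s.%s\n' "$header" "$payload" "$(b64url < "$WORK/sig.bin")"
}

# Verification reads public.pem only; no passphrase is involved.
# Checks the signature only, not the exp/iat claims.
verify_jwt() {
  input=${1%.*}; sig=${1##*.}
  case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$WORK/check.sig" || return 1
  printf '%s' "$input" | openssl dgst -sha256 -verify "$WORK/public.pem" \
    -signature "$WORK/check.sig" >/dev/null 2>&1
}

make_keys
TOKEN=$(sign_jwt "$PASS")
if sign_jwt "" >/dev/null; then
  echo "signed without a passphrase (unexpected)"
else
  echo "signing with an empty passphrase: private key could not be loaded"
fi
if verify_jwt "$TOKEN"; then echo "verified using public.pem only"; fi
```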