BTBurke / caddy-jwt

JWT middleware for the Caddy server
MIT License
114 stars 39 forks

Question: Auth0 with caddy-jwt #24

Closed gregpalaci closed 7 years ago

gregpalaci commented 7 years ago

Hi, I'm a bit new to JWT. I'm trying to use Auth0 with this:

I've set an environment variable for the secret on my machine to the same secret as on Auth0.

I've tried 'name' and 'screenname' from Auth0 token in the Caddyfile configuration to no avail.

I realise Auth0 is not specific to this library, but I figured it should conform and be usable?

I'm testing with ?token=xx; I get the 401 Unauthorized, so I know the caddy plugin is working.

BTBurke commented 7 years ago

I haven't used Auth0 but it should work. Can you create a test token and post it with your Caddyfile config?

gregpalaci commented 7 years ago

        jwt { path /protected user twitter|18589938 }

If you navigate to https://fullstack-js.tech/test.html you can log in with Auth0, and it saves a token in localStorage (Application tab in Chrome DevTools).

I've tried user twitter, user 18589938 and more in the Caddyfile. I've tried the secret in localStorage but also the secret in Auth0.

gregpalaci commented 7 years ago

I imagine 'twitter' is the group and | comes before the id. I really just want to let anyone with a valid JWT access a comment API; they just need to be logged in somehow. I've seen how to do this with Express, but it would be so elegant to just use Caddy without the extra overhead.

BTBurke commented 7 years ago

User isn't a valid directive. If you want to allow a particular user you would use the allow directive.

        allow user twitter|1235678

Take a look at the docs again for how this syntax works. If all you want is to allow any valid JWT, you don't need to put any allow or deny restrictions. As long as the JWT validates using your secret, any user will be allowed through. The allow and deny syntax is used to further restrict access for an otherwise valid token.

gregpalaci commented 7 years ago

I just have jwt { path /protected } now and a new token from Auth0 https://fullstack-js.tech/protected?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiR3JlZ29yeSDwn4ya8J-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-MniIsImlkZW50aXRpZXMiOlt7InByb3ZpZGVyIjoidHdpdHRlciIsInVzZXJfaWQiOiIxODU4OTkzOCIsImNvbm5lY3Rpb24iOiJ0d2l0dGVyIiwiaXNTb2NpYWwiOnRydWV9XSwiY3JlYXRlZF9hdCI6IjIwMTYtMDgtMjBUMTM6MjM6MTIuMDQ2WiIsImlzcyI6Imh0dHBzOi8vY2FjdHVzYW5kZG92ZS5ldS5hdXRoMC5jb20vIiwic3ViIjoidHdpdHRlcnwxODU4OTkzOCIsImF1ZCI6InhEWGlRckRBZUd3dVJLMlNEZDNLVHhsY21OemJweFZrIiwiZXhwIjoxNDk1MzU5NjI1LCJpYXQiOjE0OTUzMjM2MjV9.nSDmzdkBLl0VkRwl42Vn3dhPwERk2M5ZUFTuBphZCLw

gregpalaci commented 7 years ago

Maybe it is more of an Auth0 side question though, I'll close this one.

gregpalaci commented 7 years ago

Might be really useful if you get a chance to provide a way to create the client-side JWT token as an example. I'm more versed in the front-end, and Caddy seems like the perfect companion. I understand the basics of JWT but I'm not very good myself. I feel like this library might be super easy to use; I'm just missing a step or something.

BTBurke commented 7 years ago

Paste your token into jwt.io and check out the claims that are listed. The token looks fine. Type in your secret and make sure that the token is valid. I think you have a problem with setting the correct secret in the environment variable JWT_SECRET.

gregpalaci commented 7 years ago

Thanks so much for the help. I figured it out: Auth0 was base64'ing the CLIENT_SECRET. Once I decoded it, everything works great now!! jwt.io is really handy too.

BTBurke commented 7 years ago

Awesome. Good tip. I'll add a note to the docs about the encoding of the secret so it doesn't trip up other people.
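As an added example that is not part of this thread and not caddy-jwt's own code, the following Go program (standard library only) shows what the fix above amounts to: a secret that a dashboard displays as base64 text, a token signed with the decoded bytes of that text, and verification under both readings of the string. The secret value, the issuer placeholder, the clock value and the function names are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// displayedSecret is a constructed stand-in for a client secret shown in a
// dashboard as base64 text; tokens are signed with its DECODED bytes.
const displayedSecret = "c2VjcmV0LWJ5dGVzLWZyb20tdGhlLWRhc2hib2FyZA=="

// b64url encodes without padding, as JWS requires (RFC 7515).
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a compact JWS over the claims with HMAC-SHA256.
func signHS256(claims map[string]interface{}, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64url(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// verifyHS256 accepts only tokens whose header says HS256 (so "alg":"none"
// is refused), checks the HMAC in constant time, and enforces exp against
// the supplied clock. Claims are returned only after all checks pass.
func verifyHS256(token string, key []byte, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("signature mismatch: wrong secret or wrong secret encoding")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or exp missing")
	}
	return claims, nil
}

// validUnderEachReading signs a token the way the thread describes (with the
// decoded secret bytes) and reports whether it verifies when the key is the
// displayed string as-is (rawOK) and when it is the decoded bytes (decodedOK).
func validUnderEachReading() (rawOK bool, decodedOK bool, err error) {
	decoded, err := base64.StdEncoding.DecodeString(displayedSecret)
	if err != nil {
		return false, false, err
	}
	now := time.Unix(1495323625, 0) // constructed clock for the example
	claims := map[string]interface{}{
		"sub": "twitter|18589938",
		"iss": "https://YOUR_TENANT.auth0.com/", // placeholder issuer
		"iat": now.Unix(),
		"exp": now.Add(10 * time.Hour).Unix(),
	}
	token, err := signHS256(claims, decoded)
	if err != nil {
		return false, false, err
	}
	_, rawErr := verifyHS256(token, []byte(displayedSecret), now)
	_, decErr := verifyHS256(token, decoded, now)
	return rawErr == nil, decErr == nil, nil
}

func main() {
	rawOK, decodedOK, err := validUnderEachReading()
	fmt.Printf("raw string as key: %v, decoded bytes as key: %v, err: %v\n", rawOK, decodedOK, err)
}
```

The practical check is the one BTBurke suggests: paste the token and the candidate secret into jwt.io and see whether the signature line turns valid; if the displayed secret fails and its base64-decoded form passes, the decoded form is what belongs in the secret the server reads.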

Fohlen commented 6 years ago

Hello. For anybody struggling with Auth0, there is indeed documentation on how caddy-jwt works. First, you need to add your API in the Auth0 dashboard (you probably did that already).

On the "Quickstart" page you will find your jwksUri, like so:

        jwksUri: "https://yourapi.auth0.com/.well-known/jwks.json"

This is further explained in their documentation.

You can then navigate the jwks. See this article for what it means.

After that you will need to extract the PEM from the jwks:

        -----BEGIN PUBLIC KEY-----
        YOUR_X5C
        -----END PUBLIC KEY-----

Last but not least, you will want to use e.g. the publickey directive like so, or optionally the environment variable:

        publickey /path/to/your/jwks/x5c.pem

This will enable verification via Caddy. Hope it helps!
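An added example for the x5c step above, written for this page and not taken from Fohlen's comment or from caddy-jwt: in Go's standard library, select the JWKS entry by kid (the token header carries the kid of the key that signed it), decode the x5c entry, which is a DER certificate rather than a bare key, and write the certificate's public key out as a PKIX "PUBLIC KEY" PEM block that a publickey file can hold. Because the example has to run offline, it fabricates the JWKS document from a freshly generated RSA key wrapped in a self-signed certificate; the kid, the certificate subject and all function names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// jwk holds the JWKS entry fields used here (RFC 7517). x5c carries a
// certificate chain as standard-base64 DER, leaf certificate first.
type jwk struct {
	Kid string   `json:"kid"`
	Kty string   `json:"kty"`
	X5c []string `json:"x5c"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// publicKeyPEMFromJWKS selects the RSA key whose kid matches, parses the leaf
// x5c certificate, and returns the public key it carries as a PKIX
// "PUBLIC KEY" PEM block, together with the parsed key for comparison.
func publicKeyPEMFromJWKS(doc []byte, kid string) ([]byte, *rsa.PublicKey, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != kid || k.Kty != "RSA" || len(k.X5c) == 0 {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(k.X5c[0])
		if err != nil {
			return nil, nil, err
		}
		cert, err := x509.ParseCertificate(der) // x5c is a certificate, not a bare key
		if err != nil {
			return nil, nil, err
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			return nil, nil, errors.New("x5c certificate does not carry an RSA key")
		}
		spki, err := x509.MarshalPKIXPublicKey(pub)
		if err != nil {
			return nil, nil, err
		}
		return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}), pub, nil
	}
	return nil, nil, fmt.Errorf("no RSA key with kid %q and x5c in JWKS", kid)
}

// buildSampleJWKS fabricates an offline stand-in for a tenant's jwks.json: a
// fresh RSA key wrapped in a self-signed certificate and published under kid.
func buildSampleJWKS(kid string) ([]byte, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-tenant.example"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	doc, err := json.Marshal(jwks{Keys: []jwk{
		{Kid: kid, Kty: "RSA", X5c: []string{base64.StdEncoding.EncodeToString(der)}},
	}})
	return doc, priv, err
}

func main() {
	doc, priv, err := buildSampleJWKS("kid-2017")
	if err != nil {
		panic(err)
	}
	pemBytes, pub, err := publicKeyPEMFromJWKS(doc, "kid-2017")
	if err != nil {
		panic(err)
	}
	fmt.Printf("key matches generated key: %v\n%s", pub.N.Cmp(priv.PublicKey.N) == 0, pemBytes)
}
```

Selecting by kid matters because a tenant's JWKS may list more than one key during rotation; a PEM file extracted once will stop validating tokens after the signing key changes, so the kid in a failing token's header is the first thing to compare against the current jwks.json.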