JWT signed with H256 results in a 401

[rochdev]

I cannot get the http.jwt plugin to work with a JWT signed with H256. It always results in a 401 error.

What I've tried:

• Setting the secret in the JWT_SECRET environment variable.
• Setting the secret as the value of the secret option.
• Setting the secret in a file at /etc/secrets/app.txt and adding the path as the value of the secret option. I have validated that there is no newline at the end of the file with cat -vet /etc/secrets/app.txt.
• Temporarily set the chmod of the secret file to 777.
• Validated the signature in code using the Node library jsonwebtoken and it's valid.
• Validated that the cookie is sent with the request.

My configuration:

<public_domain> {
  import ssl

  proxy / http://<internal_address>

  jwt {
    path /
    except /favicon.ico

    allow group Admin

    token_source cookie organizr_token_<uuid>
    secret /etc/secrets/app.txt
  }
}

At this point I really don't know what else to try. It seems that no matter what I do the request is rejected with a 401. Interestingly enough, the plugin seems to work if I pair it with the http.login plugin and Google OAuth, but not with a JWT alone.

[BTBurke]

It's hard to diagnose without having access to the token and key, but off the top of my head try a couple things:

• Check how you are generating your secret - could be an encoding issue that doesn't play well with setting it as an environment variable or loading it from a file
• Remove the allow group Admin and see if it's a claim problem or a signature problem
• Try a manual curl setting your token in the Authorization header instead of a custom cookie source

Hopefully that should narrow down the source of the problem.

[rochdev]

This was caused by my Caddy image being too old and not having the token_source option. Updating the plugin solved the issue.

[BTBurke]

Great, hope it works out for you.