Closed nedngotass closed 10 months ago
Hi! Your key needs to be in binhex format, and should be 64 characters in total. Try to generate a random key like this:
openssl rand -hex 32
More info from the README:
The default algorithm is HS256, for symmetric key validation. When using one of the HS* algorithms, the value for auth_jwt_key should be specified in binhex format. It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total). Note that using more than 512 bits will not increase the security.
Hi @JoshMcCullough, I'm facing the same issue and I have a newbie doubt. If I generate the key with
openssl rand -hex 32
then I need to use the same key when creating the JWT, right? Thanks
Yes, the JWT needs to be signed with the same key that you put in the NGINX config. The whole point is so that this module can verify the JWT is signed, otherwise anyone could supply any JWT they wish.
Thanks @JoshMcCullough
The issue is that I'm doing the signature with the same key but still getting the error failed to parse JWT.
My current config
server {
listen 80;
auth_jwt_key 6f75725365637265744b6579;
auth_jwt_enabled on;
auth_jwt_location HEADER=Authorization;
.....
}
My request
curl -X 'GET' 'http://localhost/' \
-H 'accept: application/json' \
-H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InVzZXIiLCJleHAiOjE2OTI5ODY2NTF9.fADbxfac00A5aQe1YOaQvS4J9pzFPmXKzPEGAC7qEo4'
Can the module emit more verbose logs? Thanks for your help
I found the issue. I was providing a small bit of data to encode the key in the binhex format. Thanks for your help.
Can you elaborate on what you were doing wrong / what the fix was? I was looking into this and would like to know the cause. Thanks!
Thanks @JoshMcCullough
I tried generating the key with
openssl rand -hex 32
But I still get the error failed to parse JWT
My config:
auth_jwt_enabled on;
auth_jwt_key "3c8f23cbe4f596a20c42c8d536874dac917a4a383449649bce2b59ad816592b5";
auth_jwt_location HEADER=Authorization;
auth_jwt_algorithm HS256;
My Request:
curl --location 'http://localhost/' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTU3ODU3NDAsImlhdCI6MTY5MzE5Mzc0MCwic3ViIjoidXNlcjEyMyJ9.AC3bd-7_P8RyVOpp_jsYbCHCJD23SGYdImLiY9NjnpA'
Hopefully @fullonic can reply back with their solution.
Hi @nedngotass. You just need to encode your current key to binhex format.
So, your key (3c8f23cbe4f596a20c42c8d536874dac917a4a383449649bce2b59ad816592b5) in binhex format:
33633866323363626534663539366132306334326338643533363837346461633931376134613338333434393634396263653262353961643831363539326235
Your config updated
auth_jwt_enabled on;
auth_jwt_key 33633866323363626534663539366132306334326338643533363837346461633931376134613338333434393634396263653262353961643831363539326235;
auth_jwt_location HEADER=Authorization;
auth_jwt_algorithm HS256;
It should work now :smile: As far as how I am using it, you don't need to quote the JWT key.
I used this tool to encode it http://bin-hex-converter.online-domain-tools.com/
> Can you elaborate on what you were doing wrong / what the fix was? I was looking into this and would like to know the cause. Thanks!
Hi @JoshMcCullough! I missed your question.
So, I tried first to use the key mySecretKey. I encoded it to binhex and it didn't work. Then, I generated a longer key using the command openssl rand -hex 32 and encoded the output to binhex. Using this longer key worked!
Does it make sense?
Yes, thank you!
Thanks @fullonic
@fullonic / @nedngotass, I'll update the README with this recommendation:
To generate a 256-bit key (32 pairs of hex characters; 64 characters in total):
secret=$(openssl rand 32 | base64 | head -c 32)
binhex_secret=$(echo -n "${secret}" | xxd -p | paste -sd '')
echo "Secret: ${secret}"
echo "Binhex Secret: ${binhex_secret}"
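As an added example (my own code, not the module's and not from anyone in this thread): a minimal HS256 signer and verifier that shows why @fullonic's fix and the README snippet above line up. A JWT library signs with the bytes of the secret string it is given, so auth_jwt_key has to carry the hex encoding of that string; binhex_for_nginx produces that value, and key_bytes_from_config is what the module is assumed to do with it. The key string is the example value from the thread, not one to reuse.

```python
import base64
import hashlib
import hmac
import json

# Constructed example using the key string posted in the thread (an example value, not one to reuse).
SECRET = "3c8f23cbe4f596a20c42c8d536874dac917a4a383449649bce2b59ad816592b5"

def binhex_for_nginx(secret: str) -> str:
    """Hex-encode the secret's UTF-8 bytes: this is the value auth_jwt_key expects."""
    return secret.encode("utf-8").hex()

def key_bytes_from_config(binhex: str) -> bytes:
    """Assumed module behaviour: decode auth_jwt_key from binhex back to the raw HMAC key."""
    return bytes.fromhex(binhex)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT the way a JWT library does for HS256 (unpadded base64url)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts) + "." + _b64url(sig)

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare it in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False
    if header.get("alg") != "HS256":  # only accept the algorithm we configured
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))

def roundtrip_matches(secret: str) -> bool:
    """A token signed with the string secret verifies under the bytes NGINX decodes from binhex."""
    token = sign_hs256({"sub": "user123"}, secret.encode("utf-8"))
    return verify_hs256(token, key_bytes_from_config(binhex_for_nginx(secret)))
```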
Hi, I am trying to implement HS256 based validation. But I am getting 401 and
2023/08/25 09:55:20 [error] 775164#0: *42394 failed to parse JWT, client:
My conf nginx:
My Key:
javainuse-secret-key
My token:
eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiQWRtaW4iLCJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkphdmFJblVzZSIsImV4cCI6MTY5NTYzNTg4OCwiaWF0IjoxNjkyOTU3NDg4fQ.RmR0x_55stlEx7s_brbihZZ4f6_hblKQS2ej6ORcjqM
Any help would be really appreciated.