TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

failed to parse JWT #109

Closed nedngotass closed 10 months ago

nedngotass commented 10 months ago

Hi, I am trying to implement HS256 based validation. But I am getting 401 and

2023/08/25 09:55:20 [error] 775164#0: *42394 failed to parse JWT, client:

My conf nginx:

auth_jwt_enabled on;
auth_jwt_key "6a617661696e7573652d7365637265742d6b6579";
auth_jwt_algorithm HS256;

My Key: javainuse-secret-key

My token: eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiQWRtaW4iLCJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkphdmFJblVzZSIsImV4cCI6MTY5NTYzNTg4OCwiaWF0IjoxNjkyOTU3NDg4fQ.RmR0x_55stlEx7s_brbihZZ4f6_hblKQS2ej6ORcjqM

Any help would be really appreciated.

JoshMcCullough commented 10 months ago

Hi! Your key needs to be in binhex format, and should be 64 characters in total. Try to generate a random key like this:

openssl rand -hex 32

More info from the README:

The default algorithm is HS256, for symmetric key validation. When using one of the HS* algorithms, the value for auth_jwt_key should be specified in binhex format. It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total). Note that using more than 512 bits will not increase the security.

fullonic commented 10 months ago

Hi @JoshMcCullough, I'm facing the same issue and I have a newbie doubt. If I generate the key with

openssl rand -hex 32

Then I need to use the same key when creating the JWT, right? Thanks

JoshMcCullough commented 10 months ago

Yes, the JWT needs to be signed with the same key that you put in the NGINX config. The whole point is so that this module can verify the JWT is signed, otherwise anyone could supply any JWT they wish.

fullonic commented 10 months ago

Thanks @JoshMcCullough

The issue is that I'm doing the signature with the same key but still getting the error failed to parse JWT. My current config

server {
  listen 80;
  auth_jwt_key 6f75725365637265744b6579;
  auth_jwt_enabled on;
  auth_jwt_location HEADER=Authorization;

  .....
}

My request

curl -X 'GET' 'http://localhost/' \
-H 'accept: application/json' \
-H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InVzZXIiLCJleHAiOjE2OTI5ODY2NTF9.fADbxfac00A5aQe1YOaQvS4J9pzFPmXKzPEGAC7qEo4'

Can the module emit more verbose logs? Thanks for your help

fullonic commented 10 months ago

I found the issue. I was providing a small bit of data to encode the key in the binhex format. Thanks for your help.

JoshMcCullough commented 10 months ago

Can you elaborate on what you were doing wrong / what the fix was? I was looking into this and would like to know the cause. Thanks!

nedngotass commented 10 months ago

Thanks @JoshMcCullough, I tried generating the key with openssl rand -hex 32

But I still get the error failed to parse JWT

My config:

auth_jwt_enabled on;
auth_jwt_key "3c8f23cbe4f596a20c42c8d536874dac917a4a383449649bce2b59ad816592b5";
auth_jwt_location HEADER=Authorization;
auth_jwt_algorithm HS256;

My Request:

curl --location 'http://localhost/' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTU3ODU3NDAsImlhdCI6MTY5MzE5Mzc0MCwic3ViIjoidXNlcjEyMyJ9.AC3bd-7_P8RyVOpp_jsYbCHCJD23SGYdImLiY9NjnpA'

JoshMcCullough commented 10 months ago

Hopefully @fullonic can reply back with their solution.

fullonic commented 10 months ago

Hi @nedngotass. You just need to encode your current key to binhex format.

So, your key (3c8f23cbe4f596a20c42c8d536874dac917a4a383449649bce2b59ad816592b5) in binhex format: 33633866323363626534663539366132306334326338643533363837346461633931376134613338333434393634396263653262353961643831363539326235

Your config updated

auth_jwt_enabled on;
auth_jwt_key 33633866323363626534663539366132306334326338643533363837346461633931376134613338333434393634396263653262353961643831363539326235;
auth_jwt_location HEADER=Authorization;
auth_jwt_algorithm HS256;

It should work now :smile: As far as how I am using it, you don't need to quote the JWT key.

I used this tool to encode it http://bin-hex-converter.online-domain-tools.com/
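To make the binhex relationship in the two answers above concrete, here is an added Python example (not part of this thread and not the module's own code) that mimics the module's HS256 check with only the standard library: it hex-decodes auth_jwt_key to raw bytes, verifies the signature, and shows that the config value must be the hex of exactly the bytes the signer used, which is why hex-of-hex worked once the signer was using the 64-character hex string itself as its key. The two keys quoted in the thread are reused as sample input; the token is constructed in the script.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Keys quoted in the thread, reused as sample input; the token below is constructed.
ASCII_KEY = "javainuse-secret-key"
OPENSSL_HEX_KEY = "3c8f23cbe4f596a20c42c8d536874dac917a4a383449649bce2b59ad816592b5"

def binhex_key(key) -> str:
    """Hex-encode the raw key bytes: the form auth_jwt_key expects for HS* algorithms."""
    return binascii.hexlify(key.encode() if isinstance(key, str) else key).decode()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT with the given raw key bytes (the signer's side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_with_config(token: str, auth_jwt_key: str, now=None):
    """Mimic the module: hex-decode auth_jwt_key, check the HS256 signature and exp.
    Returns the claims on success and None on any failure (where NGINX would send 401)."""
    key = binascii.unhexlify(auth_jwt_key)  # config value -> raw HMAC key bytes
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # the configured algorithm wins, never the token's header
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None  # key bytes differ from what the signer used
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        return None
    return claims

if __name__ == "__main__":
    token = sign_hs256({"sub": "user123", "exp": 2_000_000_000}, ASCII_KEY.encode())
    print(verify_with_config(token, binhex_key(ASCII_KEY)))  # claims, since key bytes match
```

Signing with the ASCII string and configuring its plain hex works; double hex-encoding that same config value makes the check fail, and the reverse holds when the issuer signs with the 64-character openssl output as an ASCII string.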

fullonic commented 10 months ago


Hi @JoshMcCullough! I missed your question.

So, I tried first to use the key mySecretKey. I encoded it to binhex and didn't work. Then, I generated a longer key using the command openssl rand -hex 32 and encoded the output to binhex. Using this longer key worked! Does it make sense?

JoshMcCullough commented 10 months ago

Yes, thank you!

nedngotass commented 10 months ago


Thanks @fullonic

JoshMcCullough commented 10 months ago

@fullonic / @nedngotass, I'll update the README with this recommendation:

To generate a 256-bit key (32 pairs of hex characters; 64 characters in total):

# 32 printable characters; this is the raw key the JWT issuer must sign with
secret=$(openssl rand 32 | base64 | head -c 32)
# hex-encode those bytes for auth_jwt_key; paste joins the lines that xxd wraps
binhex_secret=$(echo -n "${secret}" | xxd -p | paste -sd '')

echo "Secret:        ${secret}"
echo "Binhex Secret: ${binhex_secret}"