TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

failed to parse JWT, error code 22 #86

Closed alankar23 closed 1 year ago

alankar23 commented 1 year ago

Hi, I am trying to implement HS256-based validation, but I am getting 401 and
"failed to parse JWT, error code 22, client: 192.168.1.10, server: , request: "GET /api/1 HTTP/1.1", host: "192.168.1.17"" in the error logs.

My conf looks like this

server {
    listen       80;
    error_log    /var/log/nginx/error-1.log debug;
    access_log   /var/log/nginx/access-1.log main_ext;
    auth_jwt_enabled   on;
    auth_jwt_key       "jXnZr4u7x!A%D*G-KaPdSgVkYp3s5v8y";
    auth_jwt_algorithm HS256;

    location / {
        proxy_pass http://localhost:808/dev;
    }
}

Any help would be really appreciated.

naerymdan commented 1 year ago

Almost the same here, but with HS256:

    auth_jwt_enabled on;
    auth_jwt_algorithm RS256;
    auth_jwt_use_keyfile on;
    auth_jwt_keyfile_path "xxxxxxx";

Saamuel commented 1 year ago

I have the same problem. Please tell me the correct settings. "failed to parse JWT, error code 22", nginx 1.18: https://stackoverflow.com/questions/75891325/nginx-jwt-validation-failed-to-parse-jwt

alankar23 commented 1 year ago

To resolve the issue, I encoded the key in binhex format for nginx and used the decoded key to generate the token.

Saamuel commented 1 year ago

To resolve the issue, I encoded the key in binhex format for nginx and used the decoded key to generate the token.

Could you write a short instruction on how you did it? Thank you for the help.

JohnPeacock commented 1 year ago

binhex is not encryption and this token is essentially plaintext. The fact that it only exists on the server side makes that less of an issue, but it's not a good idea to do it this way.

JoshMcCullough commented 1 year ago

What @JohnPeacock said is correct, allow me to elaborate.

The fact that it only exists on the server side makes that less of an issue, but it's not a good idea to do it this way.

This is only an issue when using the auth_jwt_key directive -- which indeed does require that the key be provided in binhex format. This is pointed out in the README, but we will make it more clear by calling it out directly in the directives table.

Here is a tool you may use to convert text to/from binhex: http://bin-hex-converter.online-domain-tools.com

If you do not want to include an almost-plain-text key in your NGINX config, please use these alternate directives, e.g.:

auth_jwt_use_keyfile on;
auth_jwt_keyfile_path "/path/to/pub_key.pem";
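To make the hex-key mismatch from this thread concrete, here is an added stand-alone example (not the module's code or anything from the commenters): it hex-encodes the raw HS256 secret into the form auth_jwt_key expects, signs a token with the raw secret, and verifies it the way the server side does (hex-decode the configured key, then check the HMAC). The secret is the one from the issue's server block; everything else is constructed for the demo, and the pure-stdlib JWT signing here stands in for whatever library actually issues the tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Raw secret as written in the issue's server block (used here only for the demo).
RAW_SECRET = "jXnZr4u7x!A%D*G-KaPdSgVkYp3s5v8y"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hex_key_for_nginx(secret: str) -> str:
    """Hex ('binhex') form of the raw secret: the value to paste into auth_jwt_key."""
    return secret.encode().hex()


def sign_hs256(payload: dict, secret: str) -> str:
    """Issue an HS256 JWT using the raw (decoded) secret, not its hex form."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, hex_key: str) -> bool:
    """Mirror the server side: hex-decode the configured key, then check the HMAC."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        key = bytes.fromhex(hex_key)
    except ValueError:
        return False  # malformed token or a key that is not valid hex
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    hex_key = hex_key_for_nginx(RAW_SECRET)
    print(f'auth_jwt_key "{hex_key}";')
    token = sign_hs256({"sub": "demo", "exp": int(time.time()) + 300}, RAW_SECRET)
    print("signed with raw secret, verifies:", verify_hs256(token, hex_key))
    # Signing with the hex string itself as the secret is the mismatch behind the 401s.
    print("signed with hex string, verifies:", verify_hs256(sign_hs256({"sub": "demo"}, hex_key), hex_key))
```

Running it prints the auth_jwt_key line to put in the config; the first check is True and the second is False, which is the token-side half of the fix alankar23 describes.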