frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0

JWT Invalid #56

Closed marsouin closed 6 years ago

marsouin commented 6 years ago

Hi, I have a JWT and JWK issued by Auth0 that get a systematic JWSError JWSInvalidSignature on validation.

Here's a sample JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlJEWTVSVEpFTVRReFF6WTBPVFkzT0VORk1UUXpPVEU1UXpORFFVSTBNVVl4UkRnMU5VUXdSUSJ9.eyJpc3MiOiJodHRwczovL2xvYmJ5Y2l0b3llbi5ldS5hdXRoMC5jb20vIiwic3ViIjoibFptdTQzdDJXQjBrWm1sQzV3ZmxoTVVQOFY3bzlNemRAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vd3d3LmxvYmJ5LWNpdG95ZW4tYXBpLWF1dGguZnIvIiwiZXhwIjoxNTA2NDk5ODExLCJpYXQiOjE1MDY0MTM0MTEsInNjb3BlIjoiIn0.NxFEQy_vhFR_zjkNqq8wkCmdhs8sdyiB4SNuh3sKDwgGZpxQAq5CsqYzmkLl5A9nF1wRp0lwyYVncx3_ctaILJ92cpoM2478CNzDPzCKTydUzABgwK6Jo9L-R8A2FGjPRtMeMxpkhTTlclEo6ERIXocVQa6-Oeji42nwmQEjJkkdX4iTBl0DgsqrfrfPPxa1XtvF5MyjT6U8XlV_65C1zXcayhA2nhykIhbw5atht_yUkrhdbYEihZblaUTy7cfmEYpqeNTJxLRyQ30wPvccXi2bQgq7Sq7VIFP_S-dHERk6LXTbase0bu7QR_XA5w6lyOs7oXVbF5Jr8adrMh2R6g

and here's the JWK

{"alg":"RS256","kty":"RSA","use":"sig","x5c":["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"],"n":"vVzlh-IW4I95QelKKZyDjbVv0tLBvEo_jE9ndTCigjPHrtHzjAg-aB-u_KBYkF9CxT8nRWutm9GB9tXvg7z7n4U2fd4qZGLH6xFmIzqAJKwe7Z3l2fSqI1jJw4KLfYfGvAqP9qrETb8cH7jpEoI9nXp7a0GQ_BftQUk0qmczN9yLp-k0UGXtUNrJXJ7hWjpVcG7wRGHDZ9plbQZ9WmMJUFlPIn7Yvar1GhZNozz-37pD3a_DkE-uIQ1zhgMRcZhl6Sb3zjKn7l7XrMjuZJ7afSNHaXicrIhHS2_J3FtmDlR4_cha4H_jBVKzlUd-zB-pFMoOd1hnxE773b8ZVQ9dcw","e":"AQAB","kid":"RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ","x5t":"RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ"}

I can't seem to find the issue as it validates well on jwt.io...

Thanks a lot for your help!

frasertweedale commented 6 years ago

Hello. This appears to be the same issue as https://github.com/frasertweedale/hs-jose/issues/54. At least, the JWK has that problem.

So I can confirm, could you please supply a minimal program to reproduce this issue?

marsouin commented 6 years ago

Thanks a lot for your answer, doesn't look good 😢 You can try a simple GET request on http://139.59.161.10:3000/deputes (we're using Postgrest). I'm chatting with them about the same issue and they're the ones who recommended I post here ;)

frasertweedale commented 6 years ago

@marsouin the thing is, I can't quite work out why it's failing with JWSInvalidSignature. If you are trying to use that JWK to validate the JWT, I would think it would fail during JWK parsing.

Like I said, can you give me a minimal program that demonstrates how you are attempting to validate the JWT?

Here is another suggestion in relation to the x5t parameter: the JWK itself is not signed - you could modify the x5t before parsing the JWK, i.e. you would base64url-decode, hex-decode, then base64url-encode the parameter value, in order to get the JWK in an RFC-compliant form that hs-jose will accept.
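The rewrite suggested above, as an added Python example (it is not code from this thread or from hs-jose): it takes the `x5t` value from the JWK posted in this issue, base64url-decodes it, hex-decodes the 40-character result into the 20-byte SHA-1 thumbprint, and re-encodes that in the padding-free base64url form RFC 7517 expects. It goes slightly beyond the single case discussed here: an `x5t` that already decodes to 20 bytes is returned unchanged, and a value of any other length is rejected rather than guessed at. The minimal JWK it rewrites is constructed for the example and carries only the `kid` and `x5t` from the issue.

```python
import base64
import binascii
import json

SHA1_LEN = 20  # x5t is the SHA-1 thumbprint of the DER certificate (RFC 7517 s4.8)


def _b64url_decode(s: str) -> bytes:
    """base64url-decode, tolerating the missing '=' padding that JOSE omits."""
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * ((-len(s)) % 4))


def _b64url_encode(b: bytes) -> str:
    """base64url-encode without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def normalize_x5t(x5t: str) -> str:
    """Return x5t in RFC-compliant form.

    Accepts either a compliant value (20 raw digest bytes) or the
    non-compliant 'hex string, then base64url' form seen in this issue.
    """
    raw = _b64url_decode(x5t)
    if len(raw) == SHA1_LEN:
        return _b64url_encode(raw)  # already compliant; re-encode to drop padding
    if len(raw) == 2 * SHA1_LEN:
        try:
            digest = binascii.unhexlify(raw)  # 40 hex chars -> 20 bytes
        except binascii.Error as exc:
            raise ValueError("x5t decodes to 40 bytes but is not hex") from exc
        return _b64url_encode(digest)
    raise ValueError(f"x5t decodes to {len(raw)} bytes; expected 20 or 40")


def fix_jwk(jwk_json: str) -> dict:
    """Parse a JWK JSON document and normalise its x5t (if present).

    The JWK is not signed, so rewriting a metadata parameter before
    parsing does not affect the key material or the JWT signature check.
    """
    jwk = json.loads(jwk_json)
    if "x5t" in jwk:
        jwk["x5t"] = normalize_x5t(jwk["x5t"])
    return jwk


# Constructed minimal JWK: only kid and x5t are taken from the issue above.
SAMPLE_JWK = json.dumps({
    "kty": "RSA",
    "kid": "RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ",
    "x5t": "RDY5RTJEMTQxQzY0OTY3OENFMTQzOTE5QzNDQUI0MUYxRDg1NUQwRQ",
})

if __name__ == "__main__":
    fixed = fix_jwk(SAMPLE_JWK)
    print("hex thumbprint:", _b64url_decode(SAMPLE_JWK and json.loads(SAMPLE_JWK)["x5t"]).decode())
    print("compliant x5t: ", fixed["x5t"])
```

The `kid` is left alone: it is an opaque identifier that only needs to match the JWT header, so it does not have to be RFC-shaped, whereas `x5t` is parsed as a digest.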

marsouin commented 6 years ago

@frasertweedale right, sorry, I'm terrible at Haskell is the thing. I'm going to try your suggestion and or find someone here who could help me write a minimal program. Keep you posted within the day ;)

frasertweedale commented 6 years ago

@marsouin cheers (FYI I am in UTC+10).

BTW, you are not terrible at Haskell, you are a new learner :) Enjoy the ride.

marsouin commented 6 years ago

@frasertweedale oh well, that might be tomorrow for you then haha. True that ;) I will!

marsouin commented 6 years ago

I've just gotten rid of the x5t & x5c parameters and got the next error, which is JWTNotInAudience. But I guess that's more of a postgrest issue ;)

frasertweedale commented 6 years ago

@marsouin you have to set the audience predicate in the JWT validation settings to test whether the audience claim (if present) is acceptable.

See the doJwtVerify example at http://hackage.haskell.org/package/jose-0.6.0.3/docs/Crypto-JWT.html, specifically:

  let config = defaultJWTValidationSettings (== "bob")

If you don't care at all you can just set the predicate to (const True).

frasertweedale commented 6 years ago

@marsouin what is the outcome? Shall I close this issue?

marsouin commented 6 years ago

I ended up verifying the audience perfectly, you can close this!

frasertweedale commented 6 years ago

Glad to hear. Thanks!