ggicci / caddy-jwt

🆔 Caddy Module JWT Authentication
MIT License
74 stars 20 forks

Cannot get it to work with pem #57

Closed tforster closed 1 year ago

tforster commented 1 year ago

Hi, we have been trying to get caddy-jwt to work in our environment for a few days now to no avail.

We did realise earlier today that the latest 0.9.2 release requires Caddy 2.7.3 which does not appear to have hit Dockerhub yet. So we are using an earlier version. E.g.

FROM caddy:2.7-builder AS builder
RUN xcaddy build --with github.com/ggicci/caddy-jwt@00ce67ff5c824293c51531287caab2ed0fe76743
<snip>

The above is not throwing any errors and we are now testing our Caddyfile.

{
    auto_https off
    order jwtauth before basicauth
}

:80 {
    root * /srv
    file_server {
        index index.html
    }
    route {
        jwtauth {
            sign_alg RS256
            sign_key REDACTED
            from_query access_token token
            user_claims openid userprofile email
        }
    }
}

The errors we see now all appear to relate to signing. We started off using jwk_url pointing to https://login.microsoftonline.com/common/discovery/keys and that didn't work. So we decided to convert our key to a PEM file in the format

-----BEGIN RSA PUBLIC KEY-----
REDACTED
REDACTED
REDACTED
REDACTED
REDACTED
-----END RSA PUBLIC KEY-----

But could not see how to add that to the Caddyfile according to the instructions in the README since it is multiple lines. We tried making it all one line with escaped line breaks (e.g. \n). We tried with and without the --- HEADER --- strings. We have tried base64 encoding it. e.g.

sign_key LS0tLS1CRUdJTiBS...
(base64 encoded PEM)

sign_key -----BEGIN CERTIFICATE-----\nMIIDBTCCAe2gAwIBAgIQGQ6YG6NleJxJGDRAwAd...
(replaced line endings with escaped new lines)

What is the correct way to represent a pem file in the sign_key variable?

We are passing our JWT in the query string of a GET, e.g. http://localhost:9990/index.html?token=eyJ0eXAiOiJKV1QiLCJu... where the token decodes properly in https://jwt.io (It should be noted that jwt.io always shows Invalid Signature, but we have come to expect that from experience with other providers)

We have since learned that Microsoft provides https://jwt.ms that is MS specific (version of a standard??). Using that I believe I have deduced the correct audience and issuer whitelists as our client id and tenant id respectively.

But the best we can get is

{"level":"error","ts":1692049376.9480076,"logger":"http.authentication.providers.jwt","msg":"invalid token","token_string":"eyJ0eXAiOiJKV1Qi…qPsS9swO7UsTwypw","error":"could not verify message using any of the signatures or keys"}
{"level":"error","ts":1692049376.9480765,"logger":"http.handlers.authentication","msg":"auth provider returned error","provider":"jwt","error":"could not verify message using any of the signatures or keys"}

I suspect a lot of our challenge is with Microsoft specific values. But knowing how to properly form a sign_key for a multi-line pem will help.
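As an added example (not code from caddy-jwt or from the reporter), the following stand-alone Go program walks through the pieces this report touches: carrying a multi-line PEM on a single config line and decoding it back, the difference between a PKCS#1 "RSA PUBLIC KEY" block (the form quoted above), a PKIX "PUBLIC KEY" block and an X.509 "CERTIFICATE", and RS256 verification with an issuer and audience allow-list. The two one-line conventions it accepts (the whole PEM base64-encoded, or the PEM with line breaks written as `\n`) are assumptions for this example, not caddy-jwt's documented `sign_key` format, and `DemoIss`/`DemoAud` are placeholders rather than a real tenant or client id. Go is used because Caddy and caddy-jwt are Go; only the standard library is needed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

var b64url = base64.RawURLEncoding

// Placeholder allow-list values for the demo, not a real tenant or client id.
const DemoIss, DemoAud = "https://issuer.example/TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER"

// LoadKey undoes the two ways a multi-line PEM gets squeezed onto one config line
// (conventions assumed for this example, not caddy-jwt's): the whole PEM base64-encoded,
// or the PEM with its line breaks written as "\n". It then accepts PKCS#1 "RSA PUBLIC KEY"
// (the form quoted in the issue), PKIX "PUBLIC KEY" and X.509 "CERTIFICATE" blocks.
func LoadKey(value string) (*rsa.PublicKey, error) {
	var err error
	data := []byte(strings.ReplaceAll(value, `\n`, "\n"))
	if !strings.HasPrefix(value, "-----BEGIN") {
		if data, err = base64.StdEncoding.DecodeString(value); err != nil {
			return nil, fmt.Errorf("value is neither PEM nor base64: %w", err)
		}
	}
	block, _ := pem.Decode(data) // needs real line breaks; a literal "\n" left in place yields nil
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	var pub any
	switch block.Type {
	case "RSA PUBLIC KEY":
		pub, err = x509.ParsePKCS1PublicKey(block.Bytes)
	case "PUBLIC KEY":
		pub, err = x509.ParsePKIXPublicKey(block.Bytes)
	case "CERTIFICATE":
		var cert *x509.Certificate
		if cert, err = x509.ParseCertificate(block.Bytes); err == nil {
			pub = cert.PublicKey
		}
	default:
		err = fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if k, ok := pub.(*rsa.PublicKey); ok && err == nil {
		return k, nil
	}
	return nil, errors.Join(errors.New("no RSA public key in PEM"), err)
}

// SignRS256 mints a compact JWS so the example can verify a token offline. Errors are
// ignored because this is demo setup, not the verification path.
func SignRS256(claims map[string]any, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64url.EncodeToString(hdr) + "." + b64url.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64url.EncodeToString(sig)
}

// VerifyRS256 pins alg to RS256 (a "none" or HS256 header is refused before the key is
// touched), checks the signature, then enforces issuer and audience. A string "aud" is assumed.
func VerifyRS256(token string, pub *rsa.PublicKey, wantIss, wantAud string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = b64url.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d is not base64url", i)
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("refusing alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, errors.New("signature does not verify with this key")
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if claims["iss"] != wantIss || claims["aud"] != wantAud {
		return nil, fmt.Errorf("iss=%v aud=%v not allowed", claims["iss"], claims["aud"])
	}
	return claims, nil
}

// Demo exports a throwaway public key as PKCS#1 PEM (base64 on one line) and as PKIX PEM
// (escaped line breaks), verifies a constructed token through both, and returns the token
// and key so the failure paths can be exercised as well.
func Demo() (claims map[string]any, token string, pub *rsa.PublicKey, err error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo setup only
	pkcs1 := pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey)})
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pkix := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	token = SignRS256(map[string]any{"iss": DemoIss, "aud": DemoAud, "sub": "alice"}, priv)
	for _, v := range []string{base64.StdEncoding.EncodeToString(pkcs1), strings.ReplaceAll(string(pkix), "\n", `\n`)} {
		if pub, err = LoadKey(v); err == nil {
			claims, err = VerifyRS256(token, pub, DemoIss, DemoAud)
		}
		if err != nil {
			return nil, "", nil, err
		}
	}
	return claims, token, pub, nil
}

func main() {
	fmt.Println(Demo())
}
```

Two things worth taking from it when reading an error like "could not verify message using any of the signatures or keys": the PEM decoder needs the line breaks restored before it sees the data, so a key that was flattened with literal `\n` and never un-escaped parses as "no PEM block" rather than as a wrong key; and once the algorithm matches, a signature failure means the loaded key is not the one that signed the token. For an issuer that publishes a JWKS, the signing key is identified by the token's `kid` header, so the thing to confirm is that the same key material is what ends up in the verifier.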

ggicci commented 1 year ago

Hi @tforster, thanks for the report.

What is the correct way to represent a pem file in the sign_key variable?

Please see this comment.

The errors we see now all appear to relate to signing. We started off using jwk_url pointing to https://login.microsoftonline.com/common/discovery/keys and that didn't work.

I'm curious why it happened. Could you share some related error information so that we can do some diagnosis?