hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0
31.16k stars 2.76k forks

Could not verify JWT: JWSError JWSInvalidSignature #5552

Open KirillSBarsukov opened 4 years ago

KirillSBarsukov commented 4 years ago

Hey folks! I am using JWT to authorize in Hasura. I set jwk_url to verify JWT. However, from time to time, I get this error: Could not verify JWT: JWSError JWSInvalidSignature. I usually fix it by:

  1. Restarting the server
  2. Stopping and removing the image/container from docker
  3. docker-compose up -d

Those steps help. Although, after some time the issue is back.
KirillSBarsukov commented 4 years ago

Hello everyone! The issue still exists. Once a day I get this error: Could not verify JWT: JWSError JWSInvalidSignature. What helps me is the service docker restart command. Can anyone suggest something? I am sure my JWT and signature validator are valid because the jwt.io validator says so. Thank you!

KirillSBarsukov commented 4 years ago

Hi all! I am back. The issue still exists. The only thing that helps is the service docker restart command. I have to do it every morning. Otherwise, Hasura always returns Could not verify JWT: JWSError JWSInvalidSignature. I am going to clone an instance and connect it to the Auth0 provider. I want to rule out our JWT as a cause. I do not think it is because of our JWT server. At least, JWT.io always says that our token is valid. This is my ENV:

HASURA_GRAPHQL_JWT_SECRET: '{"jwk_url":"https://domain.ca/getjwk.ajx?v=1", "audience": "Other", "issuer":"domain.ca"}'

Hasura says JWSInvalidSignature, so I assume it has some problem with "jwk_url":"https://domain.ca/getjwk.ajx?v=1". At that point, I always go to https://8gwifi.org/jwkconvertfunctions.jsp, paste the JWK, and convert it to PEM. Then, I use the PEM to verify my JWT in JWT.io. I always get a positive result.

Kind regards

tirumaraiselvan commented 4 years ago

This doesn't seem like a valid jwk_url (gives 404): https://domain.ca/getjwk.ajx?v=1

KirillSBarsukov commented 4 years ago

Hello! I appreciate your help. This is not valid. I had to replace the real domain with a fake one. You probably wanted to check the validity of the JWT, JWK etc. They are valid. I can't share real domains without my boss's permission. If I get it, I will provide more details. Here is a part of the logs that contains the error:

{"type":"http-log","timestamp":"2020-08-26T13:40:36.848+0000","level":"error","detail":{"operation":{"error":{"path":"$","error":"Could not verify JWT: JWSError JWSInvalidSignature","code":"invalid-jwt"},"request_id":"ab9f3d3f-1ab1-43c5-ba17-2d35d8bd92d1","response_size":94,"raw_query":"{\"operationName\":\"getSupplierDataByVid\",\"variables\":{\"vid\":\"20200522736\"},\"query\":\"query getSupplierDataByVid($vid: String!) {\\n suppliers(where: {supplier_vendorId: {_eq: $vid}}) {\\n id\\n supplier_vendorId\\n brand\\n year\\n location\\n description\\n company_name\\n address\\n phone_number\\n website\\n twitter\\n facebook\\n instagram\\n pinterest\\n postal_code\\n city\\n province\\n values\\n file {\\n file_path\\n __typename\\n }\\n collections {\\n id\\n title\\n description\\n products {\\n product_id\\n title\\n __typename\\n }\\n __typename\\n }\\n pickup_locations {\\n id\\n address_place\\n time\\n pickup_location_name\\n additional_information\\n __typename\\n }\\n shipping_information {\\n range\\n shipping_type\\n instructions\\n __typename\\n }\\n __typename\\n }\\n}\\n\"}"},"http_info":{"status":200,"http_version":"HTTP/1.0","url":"/v1/graphql/","ip":"2607:fea8:6900:7bf0:7869:b8ef:5640:d7c3, 162.158.74.248","method":"POST","content_encoding":null}}}

KirillSBarsukov commented 4 years ago

Okay, folks! I think I found a reason. Is there any way that Hasura caches the JWK's response? Likely, I have a JWK from yesterday (B), and from today (A). It seems that Hasura is trying to validate today's JWT by using yesterday's JWK. I asked the sysadmins and they confirmed that we do not cache the JWK response.

tirumaraiselvan commented 4 years ago

@KirillSBarsukov You might be right! If your JWKs are refreshing, does it follow the spec here: https://hasura.io/docs/1.0/graphql/core/auth/authentication/jwt.html#rotating-jwks

sbussard commented 3 years ago

Facing similar problem using keycloak.

manuelscurti commented 2 years ago

Any update on this? I am having the same issue. JWSInvalidSignature

zack294 commented 2 years ago

I run into the same issue. Is there any update on it?

zack294 commented 2 years ago

Any update on this? I am having the same issue. JWSInvalidSignature

Did you get a fix?

zack294 commented 2 years ago

So I was creating custom authentication, and adding x-hasura-role in the token fixed it for me.

theholla commented 1 year ago

Old thread but maybe this will help someone. I've encountered this error in a NextJS / Hasura app and it was due to caching in our server clashing with JWKs key rotation. I'd recommend comparing the signature in your access tokens with the keys present in your JWK url, and considering whether Hasura has the most recent keys.

In our case, our server was caching the JWKs response from our auth service. So there was a brief period during JWKs rotation when Hasura had an old version of the JWKs endpoint response. That response contained key A and B. But the latest version contained keys B and C instead. The auth service was sending newer access tokens signed with Key C. When Hasura tried to validate those new tokens against its cached response, it couldn’t find Key C so it sent a JWSInvalidSignature response to the client.
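The failure mode theholla describes (cached set {A, B}, provider rotates to {B, C}, a token signed with C arrives) and the Cache-Control-driven refresh that the rotating-JWKs docs linked by tirumaraiselvan rely on, replayed in code. This is an added example, not Hasura's or the thread's code: FakeJwksServer, JwksCache and the kids A/B/C are constructed stand-ins, and "refetch once on an unknown kid" is a common verifier mitigation assumed here, not a statement of what Hasura does.

```python
import re
from typing import Dict, Optional, Tuple


class FakeJwksServer:
    """Constructed stand-in for the endpoint jwk_url points at."""
    def __init__(self, kids, max_age: int):
        self.kids, self.max_age, self.fetches = list(kids), max_age, 0

    def fetch(self) -> Tuple[Dict[str, str], Dict[str, dict]]:
        self.fetches += 1
        keys = {k: {"kid": k, "kty": "RSA", "use": "sig"} for k in self.kids}  # placeholder JWKs
        return {"Cache-Control": f"max-age={self.max_age}"}, keys

    def rotate(self, drop: str, add: str) -> None:
        self.kids = [k for k in self.kids if k != drop] + [add]


def parse_max_age(headers: Dict[str, str]) -> Optional[int]:
    m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    return int(m.group(1)) if m else None


class JwksCache:
    """Keeps the key set until Cache-Control max-age expires; optionally refetches
    once when a token names a kid the cached set does not contain."""
    def __init__(self, server: FakeJwksServer, refetch_on_unknown_kid: bool):
        self.server, self.refetch = server, refetch_on_unknown_kid
        self.keys: Dict[str, dict] = {}
        self.expires_at = -1.0

    def _refresh(self, now: float) -> None:
        headers, self.keys = self.server.fetch()
        ttl = parse_max_age(headers)
        self.expires_at = now + ttl if ttl is not None else now  # no header: stale immediately

    def key_for(self, kid: str, now: float) -> Optional[dict]:
        if now >= self.expires_at:
            self._refresh(now)
        if kid not in self.keys and self.refetch:
            self._refresh(now)  # production code should rate-limit this path
        return self.keys.get(kid)  # None is what surfaces as JWSInvalidSignature


def simulate(refetch_on_unknown_kid: bool) -> Tuple[Optional[str], int]:
    """Returns (kid resolved for the new token, number of JWKS fetches)."""
    server = FakeJwksServer(["A", "B"], max_age=86400)  # one-day cache, like the nightly failures
    cache = JwksCache(server, refetch_on_unknown_kid)
    if cache.key_for("A", now=0.0) is None:
        raise RuntimeError("cache should hold A after warm-up")
    server.rotate(drop="A", add="C")  # provider rotates; tokens are now signed with C
    key = cache.key_for("C", now=3600.0)  # an hour later, still inside max-age
    return (key["kid"] if key else None), server.fetches
```

simulate(False) reproduces the stale-cache miss from the thread; simulate(True) shows the unknown-kid refetch picking up key C with one extra round trip.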