jech / galene

The Galène videoconference server
https://galene.org
MIT License
900 stars, 119 forks

JWT token authentication fails #151

Closed printpagestopdf closed 1 year ago

printpagestopdf commented 1 year ago

Tried to set up an authPortal, but token interpretation at the galene server always fails with `Token authentication: illegal base64 data at input byte 38` using the key from your example:

```json
"authKeys": [{ "kty": "oct", "alg": "HS256", "k": "MYz3IfCq4Yq-UmPdNqWEOdPl4C_m9imHHs9uve#DUJGQ", "kid": "20211030" }],
```

Double checked the token by https://dinochiesa.github.io/jwt/ and all seems to be ok.

I found some similar error reports when using go jwk library, but not sure if this is connected.

jech commented 1 year ago

Are you sure that you're not double-encoding the token? As in doing URL-encoding of the token twice?

Also, could you please provide the token?

printpagestopdf commented 1 year ago

Sorry, forgot the token:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJycnVzZXIiLCJhdWQiOiJodHRwczpcL1wvZ2FsZW5lLnNlcnZlci50c3Q6ODAwOFwvZ3JvdXBcL2V4dFwvIiwicGVybWlzc2lvbnMiOlsicHJlc2VudCJdLCJpYXQiOjE2NzEyMjUxMTcsImV4cCI6MTY3MTIyODcxNywiaXNzIjoiaHR0cHM6XC9cL2F1dGguZXhhbXBsZS5vcmcifQ.mIp1tTkp2DF0UKTh8dztV6JbSpfn7ev22v9YFFKj1f0
```

I used this as it is, as the URL arg `?token=`.

For generating the token I was using the PHP library ReallySimpleJWT, but also tried it with the Python jwt.

jech commented 1 year ago

> MYz3IfCq4Yq-UmPdNqWEOdPl4C_m9imHHs9uve#DUJGQ

The # sign is not allowed in Base64. I think you made a mistake when you copied the key.

printpagestopdf commented 1 year ago

Thank you for the fast answer!

It's funny, I followed this rule: https://github.com/RobDWaller/ReallySimpleJWT#secret-strength (so yes, I changed the key from your example slightly). Not sure if the security consideration that is mentioned there is correct?

But https://dinochiesa.github.io/jwt/ validates it as correct.

Or am I absolutely wrong? Is the "k": .... the secret in base64 ???

jech commented 1 year ago

> Is the "k": .... the secret in base64 ???

Yes. See RFC 7518 Section 6.4.1:

> The "k" (key value) parameter contains the value of the symmetric (or other single-valued) key. It is represented as the base64url encoding of the octet sequence containing the key value.

User-provided passphrases tend to be weak. For shared tokens between servers, it is better to generate the secrets using a strong random number generator. The jose utility can be used to do that:

```shell
jose jwk gen -i '{"alg": "HS256"}'
```

If you think it's useful, I can write a utility to generate suitable keys and include it with Galene.
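An added example (not Galène's code, and not from jose, ReallySimpleJWT or the Python jwt library named in this thread) that shows the two points made above in working Go: "k" is the base64url encoding of the raw key bytes, so decoding "k" is exactly where a stray `#` fails, and a shared secret should be drawn from a CSPRNG rather than typed as a passphrase. It generates an `authKeys`-style entry, decodes "k" back to the secret, and signs and verifies an HS256 token with it. The key containing `#` is copied from the report above; the kid `example-kid`, the claim values, and the helper functions (`NewHS256JWK`, `SecretFromJWK`, `SignHS256`, `VerifyHS256`) are assumptions made for illustration, and nothing here claims to reproduce how Galène itself checks tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// OctJWK is the subset of an RFC 7517 symmetric ("oct") JWK used by "authKeys".
type OctJWK struct {
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	K   string `json:"k"`
	Kid string `json:"kid,omitempty"`
}

// IssueKey is the entry from the bug report: its "k" contains a '#' at byte 38.
var IssueKey = OctJWK{Kty: "oct", Alg: "HS256", K: "MYz3IfCq4Yq-UmPdNqWEOdPl4C_m9imHHs9uve#DUJGQ", Kid: "20211030"}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hmacSHA256(secret []byte, input string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// decodeJSON base64url-decodes one JWS segment and unmarshals it into v.
func decodeJSON(segment string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewHS256JWK draws keyLen random bytes from crypto/rand and stores them
// base64url-encoded, unpadded, in "k" (RFC 7518 Section 6.4.1); use 32 or
// more bytes for HS256 (RFC 7518 Section 3.2). kid is an arbitrary label.
func NewHS256JWK(keyLen int, kid string) (OctJWK, error) {
	secret := make([]byte, keyLen)
	if _, err := rand.Read(secret); err != nil {
		return OctJWK{}, err
	}
	return OctJWK{Kty: "oct", Alg: "HS256", K: b64(secret), Kid: kid}, nil
}

// SecretFromJWK decodes "k" back into raw key bytes. A "k" that is not
// base64url (the '#' in the issue) fails here, before any token is read.
func SecretFromJWK(jwk OctJWK) ([]byte, error) {
	if jwk.Kty != "oct" {
		return nil, fmt.Errorf("unsupported kty %q", jwk.Kty)
	}
	// JOSE base64url is unpadded; tolerate padding added by other tools.
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(jwk.K, "="))
}

// SignHS256 builds a compact JWS (header.payload.signature) over claims.
func SignHS256(claims map[string]any, secret []byte, kid string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": kid}) // cannot fail for a string map
	body, err := json.Marshal(claims)
	if err != nil {
		panic(err) // claims are plain values; only a programming error gets here
	}
	input := b64(hdr) + "." + b64(body)
	return input + "." + b64(hmacSHA256(secret, input))
}

// VerifyHS256 checks a compact JWS against secret and returns its claims. The
// alg is pinned to HS256 before the signature is looked at, so "alg":"none" or an
// asymmetric alg is never accepted with an HMAC key. exp/iat/aud are not checked.
func VerifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have three dot-separated parts")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if !hmac.Equal(hmacSHA256(secret, parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature mismatch")
	}
	var claims map[string]any
	if err := decodeJSON(parts[1], &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	return claims, nil
}
```

`SecretFromJWK(IssueKey)` returns the same `illegal base64 data at input byte 38` that the server reported, because byte 38 of that "k" is the `#`. `json.Marshal` of the struct returned by `NewHS256JWK` is the object to paste into the server's "authKeys" list; keep the raw bytes and the JWK out of URLs and logs, since whoever holds "k" can mint tokens.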

printpagestopdf commented 1 year ago

Great, that was my fault and solves my problem!

(I am able to read, but I'm probably reading the wrong things =) )