I am unable to verify a JWT generated with the private RSA key using the public key.
But verifying with the private key works, which leads me to think that the implementation does not factor in the public key usage.
The expected behaviour is that I should be able to verify the token with the public key.
Steps to reproduce this:

1. Generate the private key:

```sh
openssl genpkey -algorithm RSA -out ./credentials/jwt-rsa-key -pkeyopt rsa_keygen_bits:4096
```

2. Generate the public key:

```sh
openssl rsa -pubout -in ./credentials/jwt-rsa-key -out ./credentials/jwt-rsa-key.pub
```
3. Code:

```javascript
const jwt = require('@tsndr/cloudflare-worker-jwt');

let rsaPrivate = "-----BEGIN......."; // private key (PKCS#8 PEM from step 1)
let rsaPublic = "-----BEGIN......";   // public key (SPKI PEM from step 2)

// Wrapped in an async function so `await` is valid in a CommonJS module.
async function run() {
  let credential = {
    name: "Someone",
    email: "someone@email.com",
    nbf: Math.floor(Date.now() / 1000) - 60,
    exp: Math.floor(Date.now() / 1000) + (10 * 60) // 10 mins expiry
  };

  const token = await jwt.sign(credential, rsaPrivate, { algorithm: 'RS256' });
  const isValid = await jwt.verify(token, rsaPublic, { algorithm: 'RS256' }); // <------ fails here
  const decoded = jwt.decode(token);
}
```
The jwt.verify call fails when rsaPublic is used, but it passes when rsaPrivate is used.