ueberauth / guardian

Elixir Authentication
MIT License

Implementing RS256 with Auth0 - multiple secret-keys #469

Closed mumughal closed 6 years ago

mumughal commented 6 years ago

Hi, I am implementing Guardian with Auth0 with RS256 signed JWT tokens. I'm able to make it work. But Auth0 is suggesting that they may be using multiple public keys in the (near) future. Is there a way to support multiple keys in the Guardian module? For example a list of keys? How should this problem be solved?

Thank you so much in advance for your response. :)

yordis commented 6 years ago

using multiple public keys

@mumughal what do you mean, could you elaborate a little bit about what Guardian needs to do for you please.

I don't know if this would help you but https://github.com/ueberauth/guardian/issues/459 check that thread.

mumughal commented 6 years ago

Yeah, sure! I get a list of public keys from Auth0 to decode their RS256 signed JWT. Public keys look something like this:

[{"alg":"RS256",
"kty":"RSA",
"use":"sig",
"x5c":["___cert___"],
"n":"______",
"e":"AQAB",
"kid":"keyid1",
"x5t":"_______"},
{"alg":"RS256",
"kty":"RSA",
"use":"sig",
"x5c":["___cert___"],
"n":"______",
"e":"AQAB",
"kid":"keyid2",
"x5t":"_______"}]

Now the JWT header has the kid for the public signing key of the JWT that should be used for this verifying JWT. For example it looks like this:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "keyid1"
}

Now I have to make sure that guardian module is given the right key, right? Is there any support for this in Guardian? Otherwise the solution I have to consider is that every JWT received should be decoded first just to get the kid explicitly, which is not a clean solution :/ What would you recommend?
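The "peek at the header to find the kid" step described above, written out as an added example. This is not code from Guardian, from PR #473, or from anyone in this thread; it is a plain Elixir module that assumes the Jason library for JSON, uses a constructed JWKS with placeholder moduli in the same shape as the one quoted above, and invents its own function names (peek_header, select_key, sample_token). It only decodes the header segment to choose a key; the chosen JWK is then handed to whatever signature verification step you use. The header's alg is accepted only when it equals both the algorithm you expect and the key's own alg, so a token cannot pick its own algorithm, and an unknown kid or a key not marked for signing is rejected rather than falling back to some default key.

```elixir
defmodule KidKeySelector do
  @moduledoc """
  Added example, not Guardian code: pick the verification key out of a JWKS by
  the `kid` in a JWT header, refusing anything that does not line up.
  Assumes the Jason library for JSON decoding.
  """

  # Constructed JWKS in the same shape as the one quoted in the thread.
  # The "n" values are placeholders, not real RSA moduli.
  @jwks [
    %{"alg" => "RS256", "kty" => "RSA", "use" => "sig", "kid" => "keyid1",
      "n" => "placeholder-modulus-1", "e" => "AQAB"},
    %{"alg" => "RS256", "kty" => "RSA", "use" => "sig", "kid" => "keyid2",
      "n" => "placeholder-modulus-2", "e" => "AQAB"}
  ]

  def jwks, do: @jwks

  @doc "Decode only the header segment. Nothing in it is trusted yet."
  def peek_header(token) when is_binary(token) do
    with [h, _payload, _sig] <- String.split(token, "."),
         {:ok, json} <- Base.url_decode64(h, padding: false),
         {:ok, %{} = header} <- Jason.decode(json) do
      {:ok, header}
    else
      _ -> {:error, :malformed_token}
    end
  end

  @doc """
  Find the JWK whose kid matches the header. The header's alg must equal the
  algorithm we expect, and so must the key's own alg; the header never gets
  to choose the algorithm by itself.
  """
  def select_key(token, jwks \\ @jwks, expected_alg \\ "RS256") do
    with {:ok, %{"kid" => kid, "alg" => ^expected_alg}} <- peek_header(token),
         %{"alg" => ^expected_alg, "use" => "sig"} = jwk <-
           Enum.find(jwks, :no_key, &(&1["kid"] == kid)) do
      {:ok, jwk}
    else
      {:ok, %{"alg" => ^expected_alg}} -> {:error, :missing_kid}
      {:ok, %{"alg" => _}} -> {:error, :unexpected_alg}
      {:ok, _} -> {:error, :missing_alg}
      :no_key -> {:error, :unknown_kid}
      %{} -> {:error, :key_not_usable}
      {:error, _} = err -> err
    end
  end

  @doc "Build a header-only sample token for trying the lookup; payload and signature are placeholders."
  def sample_token(header) do
    Base.url_encode64(Jason.encode!(header), padding: false) <> ".e30.placeholder-signature"
  end
end

# Try it in iex (the second and third calls return {:error, :unknown_kid} and
# {:error, :unexpected_alg} respectively):
#   KidKeySelector.select_key(KidKeySelector.sample_token(%{"typ" => "JWT", "alg" => "RS256", "kid" => "keyid1"}))
#   KidKeySelector.select_key(KidKeySelector.sample_token(%{"typ" => "JWT", "alg" => "RS256", "kid" => "keyid9"}))
#   KidKeySelector.select_key(KidKeySelector.sample_token(%{"typ" => "JWT", "alg" => "HS256", "kid" => "keyid1"}))
```

The unverified header is used for exactly one thing here, choosing a key, and every field it supplies is checked against what the JWKS and the configured algorithm say before the key is returned; the signature check that follows should use the selected JWK and the expected algorithm, not whatever the header claims.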

yordis commented 6 years ago

@mumughal I would recommend to follow #459 solution and create your own token for now.

@ueberauth/core any other suggestion here?

mumughal commented 6 years ago

This issue is referring to a similar problem. But my issue is a bit different. I am talking about decoding a token from a third party service where I have access only to the asymmetric public keys. Please check out the steps for validating RS256 JWT

hassox commented 6 years ago

@mumughal. Thanks for raising this issue. I've been thinking about it for a few days and finally it clicked for me today how to let this happen. Can you please take a look at #473 and let me know what you think?

mumughal commented 6 years ago

@hassox Thank you for addressing the issue. It looks like this PR should be able to fix my problem. :)

hassox commented 6 years ago

@mumughal the PR has merged. Just waiting to get the guides PR in before pushing a release - however we could cut a release and release the docs later. I don't want to get in the way of your dev for some guides.

mumughal commented 6 years ago

Perfect! I have already started working with it. Looks perfect! :)