ueberauth / guardian

Elixir Authentication
MIT License

Tokens generated by Guardian can't be verified using jwerl #582

Closed cgrtrifork closed 5 years ago

cgrtrifork commented 5 years ago

Hi,

After having trouble implementing an ES512 token generation/verification system, I think I found out that Guardian and the Erlang jwerl library treat signing and verifying differently. Using the same private keys, I encode_and_sign some data, and then I try to verify it using jwerl (1.0.0), but the verification fails. I'm using Phoenix 1.3.0 and Guardian 1.1.1. I'll also check with jwerl's contributors. Thank you!

Hanspagh commented 5 years ago

Hi. Thank you for bringing this up. Just to confirm, you are using this support lib. Would it be possible for you to send your guardian config?

cgrtrifork commented 5 years ago

Hi @Hanspagh

No, I'm not using that support library. What do I need it for? This is my Guardian configuration:

config :myapp, Auth.Guardian,
  issuer: "myapp",
  allowed_algos: ["ES512"],
  secret_fetcher: Auth.Guardian.SecretFetcher

And this is my SecretFetcher:

defmodule Auth.Guardian.SecretFetcher do
  use Guardian.Token.Jwt.SecretFetcher

  # Private key, used by Guardian.encode_and_sign
  def fetch_signing_secret(_module, _opts) do
    secret =
      "path_to_private.pem"
      |> fetch()

    {:ok, secret}
  end

  # Public key, used by Guardian.decode_and_verify
  def fetch_verifying_secret(_module, _headers, _opts) do
    secret =
      "path_to_public.pem"
      |> fetch()

    {:ok, secret}
  end

  # Loads a PEM file from the app's priv directory as a JOSE.JWK
  defp fetch(relative_path) do
    :code.priv_dir(:myapp)
    |> Path.join(relative_path)
    |> JOSE.JWK.from_pem_file()
  end
end

Hanspagh commented 5 years ago

Sorry, my bad, I mistook the name jwerl for JWE (JSON Web Encryption) instead of JWerl (JSON Web Token Erlang). I will investigate with your provided config.

Hanspagh commented 5 years ago

I have just successfully signed a JWT with Guardian and then verified it with Jwerl. Here is the code I used:

# Load the RSA private key (PEM) as a JOSE.JWK
private_key = JOSE.JWK.from_pem_file("rsa-2048.pem")
# JWS header selecting the algorithm; JOSE expects string keys
jws = %{"alg" => "RS512"}
# Example claims to sign (any map of claims will do)
claims = %{"sub" => "1", "iss" => "myapp"}
# Sign and serialise as a compact token; compact/1 returns {header_fields, token}
{_, token} = JOSE.JWT.sign(private_key, jws, claims) |> JOSE.JWS.compact()
# Read the public key PEM as a plain binary for jwerl
{:ok, public_pem} = File.read("rsa-2048.pub")
# jwerl is an Erlang module, so it is called as :jwerl from Elixir
:jwerl.verify(token, :rs512, public_pem)

I would make sure that your private and public key files are in the correct format. I saved them both as pem as you can see.

I have made this repo with a config to sign with pem files https://github.com/Hanspagh/Guardian_pemfile_config
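The thread above does not say which side was wrong for the ES512 case, only that an RS512 round trip through JOSE and jwerl works. The script below is an added example, not code from this issue, from Guardian, JOSE or jwerl, and not the linked repo. It rebuilds cgrtrifork's ES512 SecretFetcher set-up (an in-memory P-521 key pair stands in for the two PEM files), signs through Guardian, and then checks the token in four stages so that a failure can be pinned to the key material, to the signature layer, or to the other library. The Demo.* module names, the :myapp otp_app, the resource and claims, and the `{:ok, claims} | {:error, reason}` return shape of `:jwerl.verify/3` (taken from jwerl's README) are assumptions; it is meant to be run with `mix run` in a project that depends on :guardian and :jwerl.

```elixir
# Added example for this thread (not code from the issue, Guardian, JOSE or jwerl).
# Assumptions: Demo.* module names, the :myapp otp_app, the resource and claims,
# and an in-memory key pair standing in for the two PEM files.

# ES512 is ECDSA over P-521 with SHA-512, so the key pair must be P-521.
# The real app loads these with JOSE.JWK.from_pem_file/1; here they are
# generated so the script runs without files on disk.
private_jwk = JOSE.JWK.generate_key({:ec, "P-521"})
public_jwk = JOSE.JWK.to_public(private_jwk)
Application.put_env(:myapp, :es512_keys, %{private: private_jwk, public: public_jwk})

# Mirrors the config.exs block from the issue, set at runtime for this script.
Application.put_env(:myapp, Demo.Guardian,
  issuer: "myapp",
  allowed_algos: ["ES512"],
  secret_fetcher: Demo.SecretFetcher
)

defmodule Demo.SecretFetcher do
  use Guardian.Token.Jwt.SecretFetcher

  # Guardian signs with the private JWK ...
  def fetch_signing_secret(_module, _opts), do: {:ok, key(:private)}
  # ... and verifies with the public JWK; a mismatched pair fails here.
  def fetch_verifying_secret(_module, _headers, _opts), do: {:ok, key(:public)}

  defp key(which), do: :myapp |> Application.fetch_env!(:es512_keys) |> Map.fetch!(which)
end

defmodule Demo.Guardian do
  use Guardian, otp_app: :myapp

  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def resource_from_claims(%{"sub" => id}), do: {:ok, %{id: id}}
end

{:ok, token, claims} = Demo.Guardian.encode_and_sign(%{id: 42})

# Check 1: Guardian's own round trip. Passing means the key pair matches and
# the token is well formed; a failure here is a key or config problem.
{:ok, verified} = Demo.Guardian.decode_and_verify(token)
true = verified["sub"] == claims["sub"]

# Check 2: JOSE alone, with the public JWK and the algorithm pinned, which
# skips Guardian's claim checks and isolates the signature.
{true, _jwt, _jws} = JOSE.JWT.verify_strict(public_jwk, ["ES512"], token)

# Check 3: signature encoding. RFC 7518 section 3.4 requires the raw R || S
# concatenation for ES512, 66 bytes each for P-521, so 132 bytes after
# base64url decoding. A DER-encoded ECDSA signature has a different,
# variable length and would not interoperate with a compliant verifier.
[_header, _payload, sig] = String.split(token, ".")
132 = byte_size(Base.url_decode64!(sig, padding: false))

# Check 4: the cross-library verification the issue is about. jwerl is an
# Erlang module, so it is called as :jwerl, and it takes the public key as a
# PEM binary rather than a JWK (JOSE.JWK.to_pem/1 returns {fields, pem}).
{_, public_pem} = JOSE.JWK.to_pem(public_jwk)

case :jwerl.verify(token, :es512, public_pem) do
  {:ok, jwerl_claims} -> IO.inspect(jwerl_claims, label: "jwerl accepted the Guardian token")
  {:error, reason} -> IO.inspect(reason, label: "jwerl rejected the Guardian token")
end
```

If checks 1 to 3 pass and check 4 fails, the problem is on the jwerl side or in the key format it was handed (the PEM must be the public half of the same P-521 pair); if check 3 fails, the signing side is not producing a JWS-style ES512 signature. Running the same script with `{:rsa, 2048}` and `"RS512"` reproduces Hanspagh's working RS512 case for comparison.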

Hanspagh commented 5 years ago

Closing this for now