# [JWT plugin] RS256 JWT not working #1458

Closed
ghost opened this issue Aug 2, 2016 · 5 comments
ghost commented Aug 2, 2016

### Summary

Hello,
It seems the Kong JWT plugin doesn't support external RS256 JWT tokens.

### Steps To Reproduce

  1. Request a JWT from an external IDP:

     ```
     curl --data "grant_type=password&client_id=curl&username=laurent&password=password" http://localhost:8080/auth/realms/realm1/protocol/openid-connect/token
     ```

     A JWT-formatted access_token is issued correctly.

  2. Kong configuration:

     • JWT plugin declaration: `curl -X POST http://localhost:8001/apis/NodeAPI/plugins --data "name=jwt"`

     • Consumer creation: `curl -X POST http://localhost:8001/consumers --data "username=laurent"`

     • JWT credentials:

     ```
     curl -X POST http://localhost:8001/consumers/laurent/jwt --data "key=http://localhost:8080/auth/realms/realm1" --data "algorithm=RS256" --data "rsa_public_key=
     [[
     -----BEGIN PUBLIC KEY-----
     MIIEpAIBAAKCAQEAw5mp3MS3hVLkHwB9lMrEx34MjYCmKeH/XeMLexNpTd1FzuNv
     MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv+cCYsmU3jtz5JCEWZdK
     fRgjtrDtLc5gJ4G497G5ESIqdIZJ5PFCEGrJEM2vrZcRtuy4kWuciVfMgGcxMU91
     0MZD93fDVqd0fWyYqECSHk6fM0VjxlIYMQFUH7AJ5OZeywNqJoN+cR5kYJMZtfcz
     JlsOQ6lUGcQOkOhT0+5Z+ybFlybpYV/AVI2N2IDJM2RKFqbkZtwBP7TO3Rdwk4Gc
     mwVAcOdTVCvMAS2ziLkhvEQK4R1Ra8Yb9kylTkc2klOMhpg0fWO0314nQQvhiZM0
     Zgz8Bxx2Tz7WoWd1plcotg7xyfg+/vtOqYoNSEfTVh58UZMbT1rkGgC/7kiqqFrT
     iwIDAQAB
     -----END PUBLIC KEY-----
     ]]
     "
     ```

  3. Tested cases:

     • With/without `[[ ]]`
     • With `--data` or `--data-urlencode` for the rsa parameter
     • With/without `\n` in the public key

  4. API call using JWT:

     ```
     curl http://localhost:8000/greeting?jwt=X.Y.Z
     ```

     With X.Y.Z my previously generated JWT.

  5. Error logged:

     ```
     [error] 109#0: *20714 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/kong/plugins/jwt/handler.lua:103: bad argument #4 to 'verify_signature' (crypto.pkey expected, got nil)
     ```

While going to /usr/local/share/lua/5.1/kong/plugins/jwt/handler.lua:103 it says:

```lua
-- Now verify the JWT signature
if not jwt:verify_signature(jwt_secret_value) then
  return responses.send_HTTP_FORBIDDEN("Invalid signature")
end
```

And the jwt_secret_value in handler.lua says:

```lua
local jwt_secret_value = algorithm == "HS256" and jwt_secret.secret or jwt_secret.rsa_public_key
if conf.secret_is_base64 then
  jwt_secret_value = jwt:b64_decode(jwt_secret_value)
end
```

That means that jwt_secret.rsa_public_key isn't assigned to jwt_secret_value.

### Additional Details & Logs

  • Kong version 0.8.3
  • Kong configuration : JWT plugin
  • Operating System: Docker on Redhat

Tieske (Member) commented Aug 2, 2016

Can you check whether the new 0.9rc version still has the same behaviour? The jwt plugin got a few fixes.

ghost closed this as completed Aug 4, 2016

Tieske (Member) commented Aug 4, 2016

@lg1712 Care to comment what was wrong?

ghost (Author) commented Aug 4, 2016

Must have been unsaved :/
Actually, you need to write the RSA public key as follows:

```
--data-urlencode "rsa_public_key=[[
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv+cCYsmU3jtz5JCEWZdK
fRgjtrDtLc5gJ4G497G5ESIqdIZJ5PFCEGrJEM2vrZcRtuy4kWuciVfMgGcxMU91
0MZD93fDVqd0fWyYqECSHk6fM0VjxlIYMQFUH7AJ5OZeywNqJoN+cR5kYJMZtfcz
JlsOQ6lUGcQOkOhT0+5Z+ybFlybpYV/AVI2N2IDJM2RKFqbkZtwBP7TO3Rdwk4Gc
mwVAcOdTVCvMAS2ziLkhvEQK4R1Ra8Yb9kylTkc2klOMhpg0fWO0314nQQvhiZM0
Zgz8Bxx2Tz7WoWd1plcotg7xyfg+/vtOqYoNSEfTVh58UZMbT1rkGgC/7kiqqFrT
iwIDAQAB
-----END PUBLIC KEY-----
]]"
```
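
Added example (Python; not Kong's code and not from anyone in this thread) covering what the first report and the resolution above are both about: the value registered as `rsa_public_key` must be a PEM SubjectPublicKeyInfo (`BEGIN PUBLIC KEY`) that actually parses, which is what the `crypto.pkey expected, got nil` error in the first report signals from the handler's side, and the multi-line PEM has to reach the Admin API intact, which `--data-urlencode` does and a raw `--data` body does not. The block walks the DER of an RSA SubjectPublicKeyInfo by hand (no third-party library), runs it over the key from the resolution comment and over the key as it was first posted, which carries one extra leading line, and simulates curl's two body encodings with `urllib.parse`. The key material is copied from this thread; the function names, the armor handling and the use of `urllib.parse.urlencode` / `parse_qs` as a stand-in for curl and for a form parser are this example's own assumptions, not Kong's implementation.

```python
# Added example (not Kong's code and not from anyone in this thread): a
# pre-flight check for the value passed as rsa_public_key to the Admin API.
# It walks the DER of an RSA SubjectPublicKeyInfo ("BEGIN PUBLIC KEY") and
# simulates what curl --data versus --data-urlencode puts on the wire.
import base64
import re
import urllib.parse

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as a DER OBJECT IDENTIFIER.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _read_tlv(buf, pos, tag):
    """Read one definite-length DER TLV at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated length field")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("declared length %d but only %d bytes present"
                         % (length, len(buf) - pos))
    return buf[pos:pos + length], pos + length


def pem_to_der(pem):
    """Strip the PUBLIC KEY armor and base64-decode the body.

    Anything outside the armor (e.g. the [[ ]] brackets seen in this thread)
    is ignored and indentation is tolerated, but a space *inside* a base64
    line is an error: that is what a '+' becomes after form decoding."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----",
                  pem, re.S)
    if not m:
        raise ValueError("missing BEGIN/END PUBLIC KEY armor")
    body = "".join(line.strip() for line in m.group(1).splitlines())
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        raise ValueError("body is not valid base64 (spaces where '+' should be?)")
    return base64.b64decode(body, validate=True)


def check_rsa_public_key(pem):
    """Return (True, modulus_bits) or (False, reason the key would not load)."""
    try:
        der = pem_to_der(pem)
        spki, end = _read_tlv(der, 0, 0x30)            # SubjectPublicKeyInfo
        if end != len(der):
            raise ValueError("%d trailing bytes after the key" % (len(der) - end))
        alg, pos = _read_tlv(spki, 0, 0x30)            # AlgorithmIdentifier
        if not alg.startswith(RSA_ENCRYPTION_OID):
            raise ValueError("algorithm is not rsaEncryption")
        bits, pos = _read_tlv(spki, pos, 0x03)         # subjectPublicKey BIT STRING
        if pos != len(spki) or not bits or bits[0] != 0:
            raise ValueError("malformed subjectPublicKey BIT STRING")
        rsa, _ = _read_tlv(bits, 1, 0x30)              # RSAPublicKey ::= SEQUENCE
        n_bytes, pos = _read_tlv(rsa, 0, 0x02)         # modulus
        e_bytes, pos = _read_tlv(rsa, pos, 0x02)       # publicExponent
        if pos != len(rsa):
            raise ValueError("unexpected data after publicExponent")
        n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
        if e < 3 or e % 2 == 0 or n < 2 ** 1023:
            raise ValueError("implausible RSA parameters (e=%d, %d-bit n)"
                             % (e, n.bit_length()))
        return True, n.bit_length()
    except ValueError as exc:
        return False, str(exc)


def form_encode(pem):
    """Body curl --data-urlencode "rsa_public_key=<pem>" sends ('+' -> %2B, LF -> %0A)."""
    return urllib.parse.urlencode({"rsa_public_key": pem})


def form_decode(body):
    """What an application/x-www-form-urlencoded parser hands to the application."""
    return urllib.parse.parse_qs(body, keep_blank_values=True)["rsa_public_key"][0]


# Key from the resolution comment in this thread (public material, copied verbatim).
GOOD_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv+cCYsmU3jtz5JCEWZdK
fRgjtrDtLc5gJ4G497G5ESIqdIZJ5PFCEGrJEM2vrZcRtuy4kWuciVfMgGcxMU91
0MZD93fDVqd0fWyYqECSHk6fM0VjxlIYMQFUH7AJ5OZeywNqJoN+cR5kYJMZtfcz
JlsOQ6lUGcQOkOhT0+5Z+ybFlybpYV/AVI2N2IDJM2RKFqbkZtwBP7TO3Rdwk4Gc
mwVAcOdTVCvMAS2ziLkhvEQK4R1Ra8Yb9kylTkc2klOMhpg0fWO0314nQQvhiZM0
Zgz8Bxx2Tz7WoWd1plcotg7xyfg+/vtOqYoNSEfTVh58UZMbT1rkGgC/7kiqqFrT
iwIDAQAB
-----END PUBLIC KEY-----
"""

# The same key as it was first posted in this thread: one extra leading line.
# Its base64 decodes to 30 82 04 a4 02 01 00 ..., the start of an RSAPrivateKey.
BAD_PEM = GOOD_PEM.replace("-----BEGIN PUBLIC KEY-----\n", "-----BEGIN PUBLIC KEY-----\n"
                           "MIIEpAIBAAKCAQEAw5mp3MS3hVLkHwB9lMrEx34MjYCmKeH/XeMLexNpTd1FzuNv\n", 1)


def demo():
    """Run the four cases discussed in the thread; returns {case: (ok, detail)}."""
    return {
        "good key": check_rsa_public_key(GOOD_PEM),
        "extra line": check_rsa_public_key(BAD_PEM),
        # curl --data sends the value untouched, so a form parser turns every
        # '+' of the base64 into a space and the key no longer parses.
        "--data": check_rsa_public_key(form_decode("rsa_public_key=" + GOOD_PEM)),
        # --data-urlencode percent-encodes '+' and newlines; the exact PEM comes back.
        "--data-urlencode": check_rsa_public_key(form_decode(form_encode(GOOD_PEM))),
    }


if __name__ == "__main__":
    for case, (ok, detail) in demo().items():
        print("%-17s %s  %s" % (case, "OK " if ok else "BAD", detail))
```

Running it prints one line per case: the key from the resolution comment parses as a 2048-bit RSA key; the first-posted key fails because its leading line declares a 1188-byte structure inside a 342-byte decoded body (that prefix is how an RSAPrivateKey DER starts, so it looks like a private-key line pasted above the public key); the raw `--data` body fails because the form parser turns every `+` in the base64 into a space; the `--data-urlencode` body round-trips to the exact PEM. Whether Kong 0.8.3's own body parser behaved identically is not stated in the thread; the `+`-to-space rule is a property of application/x-www-form-urlencoded, not of Kong.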

Tieske (Member) commented Aug 8, 2016

thx!

senthil-nathan commented

Retrying the above (with the same public key) doesn't work in Kong 0.11.
Error message is `{"message":"'rsa_public_key' format is invalid"}`

I have raised an issue #2939
