How to debug io.jwt.decode_verify when it failed to validate token

[ylbeethoven]

Hi,

I am trying to use OPA to validate JWTs and the example on the official doc works fine. However, I can not get it work with my real tokens and there is no further information to debug.

Here is the code and input data.

https://play.openpolicyagent.org/p/U5GQV404tz

Can anyone please advise what could be the issue?

I did a bit of research and it seems aud must be validated so I added it in. Is there any other constraints that I must put in to validate?

Thank you

[anderseknert]

Hi there!

You should remove the wrapping "input" attribute from the input object, as that's only part of the payload when calling the OPA servers v1/data API.

Other than that it looks fine, but the token is AFAICS expired.

But io.jwt.decode_verify is hard to debug. I normally opt to go with doing verification and decoding in two separate steps instead, then use normal Rego rules to verify the claims I want.

[ylbeethoven]

Thanks @anderseknert After removing input attribute and use a new token, it works.

I normally opt to go with doing verification and decoding in two separate steps instead

I understand there are io.jwt.decode and io.jwt.verify_xxx functions, how do you use the right verify_xxx when the token typ can be ES256 and RS256?

[anderseknert]

You'd have to decode it first and check the alg header, then call the appropriate verifier based on that.

Don't do this if you expect both symmetric and assymetric signatures though: https://portswigger.net/web-security/jwt/algorithm-confusion