
json_web_token_ex's People

Contributors

binarylogic, brweber2, garyf, jayjun, lessless, mattnguyen, mus0u, peburrows, seizans


json_web_token_ex's Issues

Elixir.FunctionClauseError: no function clause matching in JsonWebToken.Jws.header_map/1

We just saw this in our application. I haven't had time to track it down, but was wondering if it was something easy / obvious. Thanks for your help!

Elixir.FunctionClauseError: no function clause matching in JsonWebToken.Jws.header_map/1
  File "lib/json_web_token/jws.ex", line 94, in JsonWebToken.Jws.header_map({:error, :invalid, 0})
  File "lib/json_web_token/jws.ex", line 82, in JsonWebToken.Jws.validate_alg_matched/2
  File "lib/json_web_token/jws.ex", line 77, in JsonWebToken.Jws.verify/3
  File "lib/json_web_token/jwt.ex", line 87, in JsonWebToken.Jwt.verify/2
  File "lib/odin_auth/bearer_user.ex", line 46, in Odin.Auth.BearerUser.jwt_decode/1
  File "lib/odin_auth/bearer_user.ex", line 37, in Odin.Auth.BearerUser.decode/1
  File "lib/odin_client_api/plug/bearer_user_auth.ex", line 26, in Odin.ClientAPI.Plug.BearerUserAuth.call/2
  File "web/router.ex", line 34, in Odin.ClientAPI.Router.bearer_user_auth/2

Publish latest version to hex

The latest version in github is not currently available in hex, which makes it difficult to use it as a dependency for other hex packages.

Non-banged `verify/2` throws exceptions

iex(1)> JsonWebToken.verify("foobar", %{key: "barbaz"})    
** (RuntimeError) Failed to decode header from JSON
    (json_web_token) lib/json_web_token/jws.ex:95: JsonWebToken.Jws.header_map/1
    (json_web_token) lib/json_web_token/jws.ex:82: JsonWebToken.Jws.validate_alg_matched/2
    (json_web_token) lib/json_web_token/jws.ex:77: JsonWebToken.Jws.verify/3
    (json_web_token) lib/json_web_token/jwt.ex:89: JsonWebToken.Jwt.verify/2

I would expect that it should return {:error, "invalid"} or something similar, as it isn't the banged verify!/2 version of the function.

New release

Hello @garyf,

Any plans to push a new release out?

I'm sure you know already but the current version is broken with OTP 20 (and there is already a fix in master!).

Thanks!

Opts argument: Keyword list

The idiomatic Elixir way would be to accept a Keyword list for options, not a map.

Maybe the API can be changed to accept both for now, and eventually deprecate the map and remove support in a future major release?

I'd be happy to provide a patch.

Improve RS256 documentation

Hey, thanks for this great lib!

I had a bit of trouble switching from HS256 to RS256, as the documentation only states to include < RSA private key > in the options. I think it would be worthwhile to reformat this into e.g. the following:

# sign with RSA SHA256 algorithm
private_key = JsonWebToken.Algorithm.RsaUtil.private_key("path/to/", "key.pem")
opts = %{
  alg: "RS256",
  key: private_key
}

Sign payload with ECDSA P-256 SHA-256

Hey,

I was checking the code and noticed that in this library secp256k1 is used as opposed to secp256r1.

Is there any reason for that?

Looks like P-256 is secp256r1.

The JWA spec defines ES256 as ECDSA using P-256 and SHA-256, where P-256 is another name for secp256r1:

-- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
-- P-224, secp256r1 as P-256, secp384r1 as P-384, and secp521r1 as
-- P-521.

The reason that I'm asking is that I have a problem verifying a JWT with a key pair that was generated with secp256r1.

{public_key, private_key} = :crypto.generate_key(:ecdh, :secp256r1)
jwt = JsonWebToken.sign(%{foo: "bar"}, %{alg: "ES256", key: private_key})
iex(98)> JsonWebToken.verify(jwt, %{alg: "ES256", key: public_key})
{:error, "invalid"}

JsonWebToken UndefinedFunctionError

Hi, this may very well be a noob question, but I am completely stuck with the verify function.

I'm basically doing this:
JsonWebToken.verify("a_working_jwt_here", %{alg: "HS256", key: "a_corresponding_key_that_is_also_good_here"})

Everything is working beautifully on my dev machine (OS X), but on the production server (Ubuntu 14.04) it just doesn't work. I am certain that the token is good and have verified it several times on jwt.io.

On the server I get this exception:

%UndefinedFunctionError{arity: 2, function: :verify, module: JsonWebToken, reason: nil}

I am at a complete loss (I've just started with Elixir).

Server is running Elixir 1.3.2.

Any help is much appreciated!

Thanks in advance, Marcus

RS256 key error

I am attempting to decode a JWT from Google via OpenID Connect. The public certs are here: https://www.googleapis.com/oauth2/v3/certs and I get the following error:

** (Protocol.UndefinedError) protocol Enumerable not implemented for "d6eb2094ac2b7f5763dd34ca277a3450efbdb6a9"
            (elixir) lib/enum.ex:1: Enumerable.impl_for!/1
            (elixir) lib/enum.ex:116: Enumerable.reduce/3
            (elixir) lib/enum.ex:726: Enum.fetch/2
            (elixir) lib/enum.ex:315: Enum.at/3
    (json_web_token) lib/json_web_token/algorithm/rsa.ex:46: JsonWebToken.Algorithm.Rsa.modulus/1
    (json_web_token) lib/json_web_token/algorithm/rsa.ex:56: JsonWebToken.Algorithm.Rsa.validate_key_size/1
    (json_web_token) lib/json_web_token/algorithm/rsa.ex:41: JsonWebToken.Algorithm.Rsa.verify?/4
    (json_web_token) lib/json_web_token/jws.ex:102: JsonWebToken.Jws.verified/3

It seems that LOC is expecting an Enumerable value?

How to pass in proper RSA key?

Hello,

I am trying to verify a JWT token using RS256 and an RSA public key. However, I keep getting "ArgumentError".

What is the correct way to pass in RSA key?

This is what I am doing:

[{_, key, _}] = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
|> :public_key.pem_decode

token = "__header__.__payload__.__sig__"
JsonWebToken.verify(token, %{alg: "RS256", key: key})

This is the error I get:

** (ArgumentError) argument error
(crypto) :crypto.pkey_verify_nif(:rsa, :sha256, "header.payload.sig", <<7, 49, 241, 224, ..., 85, 4, 3, 19, ...>>, [])
(crypto) crypto.erl:420: :crypto.verify/6
(json_web_token) lib/json_web_token/jws.ex:103: JsonWebToken.Jws.verified/3
(json_web_token) lib/json_web_token/jwt.ex:89: JsonWebToken.Jwt.verify/2

function :crypto.hmac/3 is undefined or private

I think the newer version of crypto.hmac has 4 arguments instead of 3 (OTP 20 and above?).

** (UndefinedFunctionError) function :crypto.hmac/3 is undefined or private
    (crypto 5.0) :crypto.hmac(:sha256, "xxxxxxxxxxxxxxxxxxxxxxxx", "xxxxxxxxxxxxxxxxxxxxxxxxxxx")
    lib/json_web_token/algorithm/hmac.ex:35: JsonWebToken.Algorithm.Hmac.verify?/4
    lib/json_web_token/jws.ex:103: JsonWebToken.Jws.verified/3
    lib/json_web_token/jwt.ex:89: JsonWebToken.Jwt.verify/2

Message is too large error for Google OAuth

Hello @garyf,
thanks for the library, though it took some time to find my way through it to sign a Google API's service-to-service request as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests
They require the following claims to be present: [iss, scope, aud, exp, iat]

But even on the 3rd claim the library throws a "message too large" error:

JsonWebToken.sign(
  %{
    iss: "zzzzzzzzzzzz-88b590995a01m8krs6sdrcmg8m6nkxxx@developer.gserviceaccount.com", 
    scope: "https://www.googleapis.com/auth/devstorage.full_control", 
    aud: "https://www.googleapis.com/oauth2/v3/token"
  }, 
  %{
    alg: "RS256",
    key: JsonWebToken.Algorithm.RsaUtil.private_key(dir, key)
  })
** (RuntimeError) Message too large
    lib/json_web_token/algorithm/rsa.ex:70: JsonWebToken.Algorithm.Rsa.large_message/1
    lib/json_web_token/algorithm/rsa.ex:25: JsonWebToken.Algorithm.Rsa.sign/3
    lib/json_web_token/jws.ex:61: JsonWebToken.Jws.signature/3
    lib/json_web_token/jws.ex:25: JsonWebToken.Jws.sign/3

I understand that this is done on purpose https://github.com/garyf/json_web_token_ex/blob/master/lib/json_web_token/algorithm/rsa.ex#L12
but in the referenced document I didn't find the part where it is said that a message couldn't be over 245 bytes long. That even sounds doubtful.

Am I doing something wrong?
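
Added example, not part of the issue above and not the library's code: using only OTP's :public_key, it signs a constructed signing input of roughly 1 KB with a freshly generated 2048-bit key under RSASSA-PKCS1-v1_5 with SHA-256 (the scheme JWA names RS256) and verifies it. For a 2048-bit modulus, 245 bytes is k - 11, the plaintext bound of PKCS#1 v1.5 encryption; signing hashes the input first, so the input length is not bounded by the key size. The module and function names are assumptions made for this illustration.

```elixir
# Added illustration: constructed input, OTP :public_key only,
# no json_web_token calls. Module and function names are hypothetical.
defmodule Rs256SizeDemo do
  @key_bits 2048

  # RSAES-PKCS1-v1_5 (encryption) accepts at most k - 11 plaintext bytes,
  # where k is the modulus length in bytes (RFC 8017, section 7.2.1).
  def pkcs1_v15_encrypt_limit(key_bits), do: div(key_bits, 8) - 11

  def run do
    # Erlang record as a tuple:
    # {:RSAPrivateKey, version, modulus, public_exponent, private_exponent, ...}
    priv = :public_key.generate_key({:rsa, @key_bits, 65_537})
    pub = {:RSAPublicKey, elem(priv, 2), elem(priv, 3)}

    # Constructed JWS signing input ("header.payload"), deliberately far
    # above 245 bytes. The payload part is filler, not a real claim set.
    signing_input = "eyJhbGciOiJSUzI1NiJ9." <> String.duplicate("A", 1_000)

    # RSASSA-PKCS1-v1_5: the input is hashed with SHA-256 and only the
    # padded 32-byte digest goes through the RSA private-key operation.
    signature = :public_key.sign(signing_input, :sha256, priv)

    %{
      encrypt_limit: pkcs1_v15_encrypt_limit(@key_bits),
      input_bytes: byte_size(signing_input),
      # The signature is always one modulus length, whatever the input size.
      signature_bytes: byte_size(signature),
      verified: :public_key.verify(signing_input, :sha256, signature, pub),
      # Any change to the signing input must make verification fail.
      tampered_verified:
        :public_key.verify(signing_input <> "x", :sha256, signature, pub)
    }
  end
end

IO.inspect(Rs256SizeDemo.run())
```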
