garyf / json_web_token_ex
An Elixir implementation of the JSON Web Token (JWT) Standard, RFC 7519
License: MIT License
We just saw this in our application. I haven't had time to track it down, but was wondering if it was something easy / obvious. Thanks for your help!
Elixir.FunctionClauseError: no function clause matching in JsonWebToken.Jws.header_map/1
File "lib/json_web_token/jws.ex", line 94, in JsonWebToken.Jws.header_map({:error, :invalid, 0})
File "lib/json_web_token/jws.ex", line 82, in JsonWebToken.Jws.validate_alg_matched/2
File "lib/json_web_token/jws.ex", line 77, in JsonWebToken.Jws.verify/3
File "lib/json_web_token/jwt.ex", line 87, in JsonWebToken.Jwt.verify/2
File "lib/odin_auth/bearer_user.ex", line 46, in Odin.Auth.BearerUser.jwt_decode/1
File "lib/odin_auth/bearer_user.ex", line 37, in Odin.Auth.BearerUser.decode/1
File "lib/odin_client_api/plug/bearer_user_auth.ex", line 26, in Odin.ClientAPI.Plug.BearerUserAuth.call/2
File "web/router.ex", line 34, in Odin.ClientAPI.Router.bearer_user_auth/2
The latest version on GitHub is not currently available in Hex, which makes it difficult to use it as a dependency for other Hex packages.
iex(1)> JsonWebToken.verify("foobar", %{key: "barbaz"})
** (RuntimeError) Failed to decode header from JSON
(json_web_token) lib/json_web_token/jws.ex:95: JsonWebToken.Jws.header_map/1
(json_web_token) lib/json_web_token/jws.ex:82: JsonWebToken.Jws.validate_alg_matched/2
(json_web_token) lib/json_web_token/jws.ex:77: JsonWebToken.Jws.verify/3
(json_web_token) lib/json_web_token/jwt.ex:89: JsonWebToken.Jwt.verify/2
I would expect that it should return {:error, "invalid"} or something similar, as it isn't the banged verify!/2 version of the function.
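Both reports above (the FunctionClauseError in header_map/1 and the RuntimeError on "foobar") come from a malformed token reaching verify. One way for a calling application to keep untrusted bearer tokens from raising inside an auth plug, as an added example that is not code from the library or from either post: SafeJwt, its size cap, and the {:ok, claims} success shape are assumptions.

```elixir
defmodule SafeJwt do
  # Assumed upper bound on accepted token size; tune for your deployment.
  @max_token_bytes 8_192

  # `verifier` defaults to the library call shown on this page; it is
  # injectable so the wrapper can be exercised without the dependency.
  def verify(token, opts, verifier \\ &JsonWebToken.verify/2)

  def verify(token, opts, verifier)
      when is_binary(token) and byte_size(token) <= @max_token_bytes do
    with :ok <- well_formed(token) do
      try do
        case verifier.(token, opts) do
          # Assumption: success is returned as {:ok, claims}.
          {:ok, claims} -> {:ok, claims}
          _other -> {:error, :invalid}
        end
      rescue
        # Any exception raised while parsing attacker-controlled input is
        # reported as an invalid token instead of crashing the request.
        _exception -> {:error, :invalid}
      end
    end
  end

  # Non-binary or oversized input never reaches the verifier.
  def verify(_token, _opts, _verifier), do: {:error, :invalid}

  # JWS compact serialization: exactly three base64url segments, no padding.
  defp well_formed(token) do
    with [_header, _payload, _sig] = parts <- String.split(token, "."),
         true <- Enum.all?(parts, &base64url?/1) do
      :ok
    else
      _ -> {:error, :invalid}
    end
  end

  defp base64url?(segment) do
    match?({:ok, _}, Base.url_decode64(segment, padding: false))
  end
end
```

With this wrapper, SafeJwt.verify("foobar", %{key: "barbaz"}) returns {:error, :invalid} without calling the library, so the plug can answer 401 rather than 500.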
Hello @garyf,
Any plans to push a new release out?
I'm sure you know already but the current version is broken with OTP 20 (and there is already a fix in master!).
Thanks!
It appears the latest Erlang release has removed :crypto.mpint/1. This is causing the JsonWebToken.Algorithm.Rsa.validate_key_size/1 to break. I think we will need a workaround for validating key size.
The idiomatic Elixir way would be to accept a Keyword list for options, not a map.
Maybe the API can be changed to accept both for now, and eventually deprecate the map and remove support in a future major release?
I'd be happy to provide a patch.
Hey, thanks for this great lib!
I had a bit of trouble switching from HS256 to RS256, as the documentation only states to include < RSA private key > in the options. I think it would be worthwhile to reformat this into e.g. the following:
# sign with RSA SHA256 algorithm
private_key = JsonWebToken.Algorithm.RsaUtil.private_key("path/to/", "key.pem")
opts = %{
  alg: "RS256",
  key: private_key
}
Hey,
I was checking the code and noticed that in this library secp256k1 is used as opposed to secp256r1.
Is there any reason for that?
Looks like P-256 is secp256r1.
The JWA spec defines ES256 as ECDSA using P-256 and SHA-256, where P-256 is another name for secp256r1:
-- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
-- P-224, secp256r1 as P-256, secp384r1 as P-384, and secp521r1 as
-- P-521.
The reason that I'm asking is that I have a problem verifying a JWT with a key pair that was generated with secp256r1.
{public_key, private_key} = :crypto.generate_key(:ecdh, :secp256r1)
jwt = JsonWebToken.sign(%{foo: "bar"}, %{alg: "ES256", key: private_key})
iex(98)> JsonWebToken.verify(jwt, %{alg: "ES256", key: public_key})
{:error, "invalid"}
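The curve mismatch described in the post above can be reproduced with OTP's :crypto alone. This is an added example, not code from the library or the post; the module and function names are hypothetical, and it goes slightly beyond the post by also converting the DER signature that :crypto returns into the fixed-width R||S form that RFC 7518 requires for ES256.

```elixir
defmodule CurveMismatchDemo do
  # Constructed stand-in for a JWS signing input ("header.payload").
  @msg "eyJhbGciOiJFUzI1NiJ9.eyJmb28iOiJiYXIifQ"

  # ECDSA with SHA-256 over @msg on the named curve; returns DER.
  def sign(priv, curve), do: :crypto.sign(:ecdsa, :sha256, @msg, [priv, curve])

  # Depending on the OTP/OpenSSL build, a public point that is not on the
  # requested curve either verifies as false or raises; both mean "invalid".
  def verify?(sig, pub, curve) do
    :crypto.verify(:ecdsa, :sha256, @msg, sig, [pub, curve])
  rescue
    _error -> false
  end

  # RFC 7518 section 3.4: the ES256 JWS signature is R and S as two
  # 32-byte big-endian integers, not the DER ECDSA-Sig-Value.
  def jws_signature(der_sig) do
    {:"ECDSA-Sig-Value", r, s} = :public_key.der_decode(:"ECDSA-Sig-Value", der_sig)
    <<r::unsigned-big-size(256), s::unsigned-big-size(256)>>
  end

  def run do
    # Freshly generated P-256 (secp256r1) test key, as in the post.
    {pub, priv} = :crypto.generate_key(:ecdh, :secp256r1)
    sig = sign(priv, :secp256r1)

    %{
      same_curve: verify?(sig, pub, :secp256r1),
      wrong_curve: verify?(sig, pub, :secp256k1),
      jws_signature_bytes: byte_size(jws_signature(sig))
    }
  end
end
```

CurveMismatchDemo.run() reports a valid signature only when the verifier uses the same curve as the key, which is the symptom the post shows as {:error, "invalid"}.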
Hi, this may very well be a noob question, but I am completely stuck with the verify function.
I'm basically doing this:
JsonWebToken.verify("a_working_jwt_here", %{alg: "HS256", key: "a_corresponding_key_that_is_also_good_here"})
Everything is working beautifully on my dev machine (OS X), but on the production server (Ubuntu 14.04) it just doesn't work. I am certain that the token is good and have verified it several times on jwt.io.
On the server I get this exception:
%UndefinedFunctionError{arity: 2, function: :verify, module: JsonWebToken, reason: nil}
I am at a complete loss (I've just started with Elixir).
Server is running Elixir 1.3.2.
Any help is much appreciated!
Thanks in advance, Marcus
I am attempting to decode a JWT from Google via OpenID Connect. The public certs are here: https://www.googleapis.com/oauth2/v3/certs and I get the following error:
** (Protocol.UndefinedError) protocol Enumerable not implemented for "d6eb2094ac2b7f5763dd34ca277a3450efbdb6a9"
(elixir) lib/enum.ex:1: Enumerable.impl_for!/1
(elixir) lib/enum.ex:116: Enumerable.reduce/3
(elixir) lib/enum.ex:726: Enum.fetch/2
(elixir) lib/enum.ex:315: Enum.at/3
(json_web_token) lib/json_web_token/algorithm/rsa.ex:46: JsonWebToken.Algorithm.Rsa.modulus/1
(json_web_token) lib/json_web_token/algorithm/rsa.ex:56: JsonWebToken.Algorithm.Rsa.validate_key_size/1
(json_web_token) lib/json_web_token/algorithm/rsa.ex:41: JsonWebToken.Algorithm.Rsa.verify?/4
(json_web_token) lib/json_web_token/jws.ex:102: JsonWebToken.Jws.verified/3
It seems that LOC is expecting an Enumerable value?
Hello,
I am trying to verify a JWT token using RS256 and an RSA public key. However, I keep getting "ArgumentError".
What is the correct way to pass in an RSA key?
This is what I am doing:
[{_, key, _}] = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
|> :public_key.pem_decode
token = "__header__.__payload__.__sig__"
JsonWebToken.verify(token, %{alg: "RS256", key: key})
This is the error I get:
** (ArgumentError) argument error
(crypto) :crypto.pkey_verify_nif(:rsa, :sha256, "header.payload.sig", <<7, 49, 241, 224, ..., 85, 4, 3, 19, ...>>, [])
(crypto) crypto.erl:420: :crypto.verify/6
(json_web_token) lib/json_web_token/jws.ex:103: JsonWebToken.Jws.verified/3
(json_web_token) lib/json_web_token/jwt.ex:89: JsonWebToken.Jwt.verify/2
I think the newer version of crypto.hmac has 4 arguments instead of 3 (OTP 20 and above?).
** (UndefinedFunctionError) function :crypto.hmac/3 is undefined or private
(crypto 5.0) :crypto.hmac(:sha256, "xxxxxxxxxxxxxxxxxxxxxxxx", "xxxxxxxxxxxxxxxxxxxxxxxxxxx")
lib/json_web_token/algorithm/hmac.ex:35: JsonWebToken.Algorithm.Hmac.verify?/4
lib/json_web_token/jws.ex:103: JsonWebToken.Jws.verified/3
lib/json_web_token/jwt.ex:89: JsonWebToken.Jwt.verify/2
Hello @garyf,
thanks for the library, though it took some time to find my way through it to sign a Google API service-to-service request as per https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests
They require the following claims to be present: [iss, scope, aud, exp, iat]
but even on the 3rd claim the library throws a "message too large" error:
JsonWebToken.sign(
%{
iss: "zzzzzzzzzzzz-88b590995a01m8krs6sdrcmg8m6nkxxx@developer.gserviceaccount.com",
scope: "https://www.googleapis.com/auth/devstorage.full_control",
aud: "https://www.googleapis.com/oauth2/v3/token"
},
%{
alg: "RS256",
key: JsonWebToken.Algorithm.RsaUtil.private_key(dir, key)
})
** (RuntimeError) Message too large
lib/json_web_token/algorithm/rsa.ex:70: JsonWebToken.Algorithm.Rsa.large_message/1
lib/json_web_token/algorithm/rsa.ex:25: JsonWebToken.Algorithm.Rsa.sign/3
lib/json_web_token/jws.ex:61: JsonWebToken.Jws.signature/3
lib/json_web_token/jws.ex:25: JsonWebToken.Jws.sign/3
I understand that this is done on purpose https://github.com/garyf/json_web_token_ex/blob/master/lib/json_web_token/algorithm/rsa.ex#L12
but in the referenced document I didn't find the part where it is said that the message couldn't be over 245 bytes long. That even sounds doubtful.
Am I doing something wrong?
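RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signs a digest of the signing input, so the input length is not bounded by the key size; 245 bytes is the RSAES-PKCS1-v1_5 encryption limit for a 2048-bit key (256 - 11). The following is an added example, not code from the library or the post, that signs a 4096-byte input with OTP's :public_key and a freshly generated test key; module and function names are hypothetical.

```elixir
defmodule Rs256LengthDemo do
  @public_exponent 65_537

  # Generates a throwaway key pair as :public_key records.
  def generate(bits \\ 2048) do
    priv = :public_key.generate_key({:rsa, bits, @public_exponent})
    # RSAPrivateKey record layout: {tag, version, modulus, publicExponent, ...}
    pub = {:RSAPublicKey, elem(priv, 2), elem(priv, 3)}
    {priv, pub}
  end

  # PKCS#1 v1.5 signature over SHA-256(input).
  def sign(input, priv), do: :public_key.sign(input, :sha256, priv)

  def verify?(input, sig, pub), do: :public_key.verify(input, :sha256, sig, pub)

  def run do
    {priv, pub} = generate()
    # Constructed signing input, far longer than 245 bytes.
    input = String.duplicate("a", 4096)
    sig = sign(input, priv)

    %{
      input_bytes: byte_size(input),
      # The signature is always modulus-sized, whatever the input length.
      signature_bytes: byte_size(sig),
      valid: verify?(input, sig, pub),
      tampered_valid: verify?(input <> "x", sig, pub)
    }
  end
end
```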