https://cerbos.dev logo
#community
Title
# community
c

Chris Arderne

06/23/2023, 10:11 AM
Using Cerbos from client code (server exposed to web over HTTP)
Just got set up with Cerbos, super quick and easy, very impressed. Thanks for the great docs šŸ™‚ For our experiment we're using it from frontend code using the
HTTP
module. This obviously means that the Cerbos server is exposed to the public internet. I'm a bit uncomfortable with this, but you support this pattern so I thought there must be some sense to it!
Only one question really, I assume JWT is the only method available for security on the HTTP endpoint?
c

Charith (Cerbos)

06/23/2023, 10:32 AM
Hey, I'll point you to a couple of replies to similar questions: ā€¢ https://community.cerbos.dev/t/11199074/hi-i-m-trying-to-deploy-cerbos-to-cloud-run-is-exposing-cerb ā€¢ https://github.com/cerbos/cerbos/discussions/1626 Let me know if you need further clarifications
c

Chris Arderne

06/23/2023, 10:49 AM
So if I understand correctly, using JWT in the config won't actually block non-JWT requests, it's purely for convenience?
Is it on your roadmap to enable
401
'ing requests with no/bad jwt?
r

Rasmus Dencker

06/23/2023, 10:51 AM
the result will always be DENY if the jwt isn't valid afaik
c

Charith (Cerbos)

06/23/2023, 10:53 AM
The JWT config in Cerbos is not for restricting access to the API. It's an additional data source you can use to write policy rules. If your authenticated users have some of their attributes already stored in a JWT, then you can forward that to Cerbos and avoid having to manually copy those attributes to the
principal.attributes
of the API request. https://docs.cerbos.dev/cerbos/latest/policies/conditions.html#auxdata
c

Chris Arderne

06/23/2023, 11:36 AM
Just did a quick test and sending an invalid JWT responded with
400
Copy code
{
  "code": 3,
  "message": "failed to extract auxData"
}
That's good enough for me! At least we'll have some clarity around bogus requests and whatnot. It would be great if we could other non-essential endpoints in production (eg the html docs, swagger.json) but I recognise this isn't much of a security concern... šŸ™‚
Quick follow-up question! Is there to way to use symmetric HS256 keys (our keys are signed server-side) or is it asymmetric only? (Did my test with RS256 and docs seem to suggest that's the only supported method.) (Won't really be a problem, just curious!)
c

Charith (Cerbos)

06/23/2023, 12:01 PM
I haven't tested that but it should be possible. All the standard JWT algorithms are supported.
c

Chris Arderne

06/23/2023, 12:01 PM
I ask because it wants a JWK, and I'm not sure it's possible to create a JWK for a symmetric HS key...
c

Charith (Cerbos)

06/23/2023, 12:05 PM
You could provide a PEM file as well.
c

Chris Arderne

06/23/2023, 12:42 PM
Do you have any advice on how this might work? Have just tried with an Auth0 HS key and PEM but I get
Copy code
"error":"failed to parse JWT: key provider 0 failed: failed to find matching key: no key ID (\"kid\") specified in token"
Which isn't surprising, since an HS key doesn't have a
kid
Header...
c

Charith (Cerbos)

06/23/2023, 1:09 PM
Apologies for the confusion. I checked the code and it appears that we can't parse tokens that don't have a
kid
.
c

Chris Arderne

06/23/2023, 1:52 PM
No problem, thanks for the pointers @Charith (Cerbos)! We'll figure out a workaround.
7 Views