https://cerbos.dev logo
Join Slack
Powered by
Using Cerbos from client code (server exposed to w...
# community
c
Using Cerbos from client code (server exposed to web over HTTP)
Just got set up with Cerbos, super quick and easy, very impressed. Thanks for the great docs šŸ™‚ For our experiment we're using it from frontend code using the 
HTTP
module. This obviously means that the Cerbos server is exposed to the public internet. I'm a bit uncomfortable with this, but you support this pattern so I thought there must be some sense to it!
Only one question really, I assume JWT is the only method available for security on the HTTP endpoint?
c
Hey, I'll point you to a couple of replies to similar questions: ā€¢ https://community.cerbos.dev/t/11199074/hi-i-m-trying-to-deploy-cerbos-to-cloud-run-is-exposing-cerb ā€¢ https://github.com/cerbos/cerbos/discussions/1626 Let me know if you need further clarifications
c
So if I understand correctly, using JWT in the config won't actually block non-JWT requests, it's purely for convenience?
Is it on your roadmap to enable 
401
'ing requests with no/bad jwt?
r
the result will always be DENY if the jwt isn't valid afaik
c
The JWT config in Cerbos is not for restricting access to the API. It's an additional data source you can use to write policy rules. If your authenticated users have some of their attributes already stored in a JWT, then you can forward that to Cerbos and avoid having to manually copy those attributes to the 
principal.attributes
of the API request. https://docs.cerbos.dev/cerbos/latest/policies/conditions.html#auxdata
c
Just did a quick test and sending an invalid JWT responded with 
400
Copy code
{
  "code": 3,
  "message": "failed to extract auxData"
}
That's good enough for me! At least we'll have some clarity around bogus requests and whatnot. It would be great if we could other non-essential endpoints in production (eg the html docs, swagger.json) but I recognise this isn't much of a security concern... šŸ™‚
Quick follow-up question! Is there to way to use symmetric HS256 keys (our keys are signed server-side) or is it asymmetric only? (Did my test with RS256 and docs seem to suggest that's the only supported method.) (Won't really be a problem, just curious!)
c
I haven't tested that but it should be possible. All the standard JWT algorithms are supported.
c
I ask because it wants a JWK, and I'm not sure it's possible to create a JWK for a symmetric HS key...
c
You could provide a PEM file as well.
c
Do you have any advice on how this might work? Have just tried with an Auth0 HS key and PEM but I get
Copy code
"error":"failed to parse JWT: key provider 0 failed: failed to find matching key: no key ID (\"kid\") specified in token"
Which isn't surprising, since an HS key doesn't have a 
kid
Header...
c
Apologies for the confusion. I checked the code and it appears that we can't parse tokens that don't have a 
kid
.
c
No problem, thanks for the pointers @Charith (Cerbos)! We'll figure out a workaround.
7 Views
Open in Slack
PreviousNext
Powered by