Sarim Janjua
10/04/2023, 2:35 PM
"error":"failed to extract JWT: failed to parse JWT: could not verify message using any of the signatures or keys"}
It was my understanding that Cerbos supported all standard signature types? Not sure if I'm doing something wrong with my configuration.
I'm currently using Cerbos version 0.30.0 but have also tried this with 0.29.0 with the same result.
Charith (Cerbos)
Charith (Cerbos)
Sarim Janjua
10/04/2023, 3:15 PM
Sarim Janjua
10/04/2023, 3:20 PM
Charith (Cerbos)
kid and alg claims are correctly set?
Sarim Janjua
10/04/2023, 3:31 PM
Sarim Janjua
10/04/2023, 3:33 PM
Charith (Cerbos)
Sarim Janjua
10/04/2023, 3:35 PM
Sarim Janjua
10/04/2023, 3:36 PM
Charith (Cerbos)
Charith (Cerbos)
echo "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCIsImtpZCI6IjBlMDg2ZDNjNGZmZDRkNTk1NjI2ZDBmYThkMWI5ODdkIn0.eyJhdWQiOiJodHRwOi8vY2VyYm9zLmRldi90ZXN0In0.iSxFzqipi_9mgGg6PgS84PmwF--mX6Xb62yQCh07__IYWfsv_0MrOXjHl8ftb3paVXuCqE02Oo6DHt3UKPZZzhKF1o9bsYMlOuc7L-1tFeHeMbs9vvfVbJX8mkcroNZ0eXruS4Y51sqQ2FF_rlqA9cbYL4-ilpb4tvkxuZVkBSa1CQ3s_KHIGYy0t1bJxANq51dsGshm74VYSzX7hrLizH27cd81AG_uWnLf3SVQQBkKJfIkX23EmBVNq4L1U8jdd9Y-lFbYnQyt1bJSaP-mFJV09eyPByjYpWzj_-o1Pell-T0Tt48TvL1wfiN7H1eKoZZLuFOzwsselsEMzi9N245IlXhZTkvFbeRC_HQDActoW8cU4JOSLCghsafB3EAYL4l8ipBxg4X1u6SwbdN4i4F604XEVLFwZZUdOm7zbjN0Jl0hnE0hIsYN1kJL8YzHKuEjkqJsNpzACjz3eRsj_wDiJN6-vTad1XSvviNESorIc2r1DTThsSxOAhEZtSHh
" | jwx jws verify --alg=RS384 --key=key.jwk -
Sarim Janjua
10/04/2023, 4:40 PM
Sarim Janjua
10/04/2023, 4:41 PM
Sarim Janjua
10/04/2023, 5:02 PM
Charith (Cerbos)
Sarim Janjua
10/04/2023, 5:06 PMecho "eyJhbGciOiJSUzM4NCIsImprdSI6Imh0dHBzOi8vdmVuZG9yc2VydmljZXMuZXBpYy5jb20vaW50ZXJjb25uZWN0LWFtY3VycHJkLW9hdXRoL2FwaS9lcGljLzIwMTkvU2VjdXJpdHkvT3Blbi9QdWJsaWNLZXlzLzUzMDAxMy81MzAwMTMiLCJraWQiOiJkM2JtbzVIelc2MVRVZ2lrSFpIK0E4VHg0VU9YejJpT3M0S3ZWVTRlTFkwPSIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL3BsYXRmb3JtZGV2LnNtY3BhcnRuZXJzLmNvbS9wbGF0Zm9ybS9jb25uZWN0ZWQtY2FyZS9lcGljLWNkcy1ob29rcy9jZHMtc2VydmljZXMvY29uZGl0aW9ucyIsImV4cCI6MTY5NjQzOTYzMSwiaWF0IjoxNjk2NDM4NzMxLCJpc3MiOiJodHRwczovL3ZlbmRvcnNlcnZpY2VzLmVwaWMuY29tL2ludGVyY29ubmVjdC1hbWN1cnByZC1vYXV0aC9hcGkvRkhJUi9SNCIsImp0aSI6ImNhN2VjNWZkLWVmNjYtNGMxMi04MWMzLTI4NzJiY2I0NDMzOSIsIm5iZiI6MTY5NjQzODQzMSwic3ViIjoiNWJiZDVjZTYtYTdiNS00Y2ZkLTljZmQtNjg2ODFhYWE1MjM5In0.HjQqL-IDc8HJgBRIiqx6hQvL8V8fAZq4pD37X1rYet5jdeso7XlawdMeBR3nhi2UhyIOQRqelDHUcWVqpNDaz6Yx9xuhAdM_cX9Bji3RnV2m9VSQyT5R_all2Ptish3TWWwXaL-mjchzD-4BWhmMlhe8-vWIDc4eVa4X7M-bN3vRgo9ahQtdmt_W3y4yWVEmMWdPTHdffXun3e7E9EFre9cP7PoSr9ctxvJ3S2xo8Zu-mBs_yZVDFPgaUgCPXBooG9OI-aiK1BC_HjTPpyUdI-UgQ70bCaOpEUq88gk4RxK-c68yLuVFkFcMh5-dfUEr0k9jhii_kfF6ATMRVKUWpA" | jwx jws verify --alg=RS384 --key=keys.json -
And got this as the output:
{"aud":"https://platformdev.smcpartners.com/platform/connected-care/epic-cds-hooks/cds-services/conditions","exp":1696439631,"iat":1696438731,"iss":"https://vendorservices.epic.com/interconnect-amcurprd-oauth/api/FHIR/R4","jti":"ca7ec5fd-ef66-4c12-81c3-2872bcb44339","nbf":1696438431,"sub":"5bbd5ce6-a7b5-4cfd-9cfd-68681aaa5239"}%
Charith (Cerbos)
Sarim Janjua
10/04/2023, 5:07 PM
Sarim Janjua
10/04/2023, 5:08 PM
Charith (Cerbos)
Sarim Janjua
10/04/2023, 5:10 PM
Sarim Janjua
10/04/2023, 5:10 PM
Charith (Cerbos)
Sarim Janjua
10/04/2023, 5:36 PM
Charith (Cerbos)
Sarim Janjua
10/04/2023, 5:54 PM
Charith (Cerbos)
alg field. It's optional in the spec but, due to security issues that have arisen from it, most implementations do require it to be present. When I manually added alg: "RS384" to the key, Cerbos was able to parse the token successfully.
Charith (Cerbos)
alg field to it?
Sarim Janjua
10/05/2023, 1:40 PM
alg field of the token instead of the key if it's missing?
Sarim Janjua
10/05/2023, 1:43 PM
Charith (Cerbos)
ghcr.io/cerbos/cerbos:dev. I'll let you know when it's available.
Sarim Janjua
10/05/2023, 1:49 PM
Sarim Janjua
10/05/2023, 2:08 PM
dev tag and I'm getting an error saying that the insecure field is not recognized. Here's my auxData config:
Charith (Cerbos)
dev image has not been published yet 🙂
Sarim Janjua
10/05/2023, 2:09 PM
Charith (Cerbos)
Charith (Cerbos)
docker pull ghcr.io/cerbos/cerbos:dev to refresh the cache.
Sarim Janjua
10/05/2023, 2:30 PM
Sarim Janjua
10/05/2023, 2:54 PM
Charith (Cerbos)
Sarim Janjua
10/05/2023, 2:56 PM
Charith (Cerbos)
Sarim Janjua
10/05/2023, 2:59 PM