#help

Alberto Cunha

09/14/2022, 8:31 PM
Hello! I'm trying to use a JWT token on Cerbos with auxData. I'm using Strapi as backend and I'm actually wondering if this is really necessary, as the true access control will happen on the backend. The front end will only block rendering of some components.
Dennis (Cerbos)

09/14/2022, 9:45 PM
Hi Alberto! Which authentication system are you using? I mean, who has issued the JWT token? Auth0?
Alberto Cunha

09/14/2022, 10:28 PM
It is Strapi. I'm using Google Auth as a Strapi provider, to be more specific.
Dennis (Cerbos)

09/14/2022, 10:39 PM
Thanks. I’ll check it out. It seems the root cause of the error is that Cerbos expects JSON Web Key Sets in the configuration, but it is given a base64 encoded secret.
Charith (Cerbos)

09/15/2022, 7:47 AM
@Alberto Cunha Cerbos needs a base64-encoded JSON Web Key (JWK). The secret you have in your configuration is "your-256-bit-secret", which is not a valid JWK, and I suspect that it's a placeholder value from the documentation -- not the real key. I am not familiar with Strapi so I can't really help you with the particular details of that. Usually, the JWK is exposed by the issuing server at the path /.well-known/jwks.json
Alberto Cunha

09/15/2022, 4:03 PM
Thanks Charith! I think you are right. It was my utter ignorance of how JWKS work. I was just grabbing that JWT secret, encoding it with base64 and adding it to Cerbos auxData. Strapi won't create a jwks file, but I'll try to do it manually.
7:25 PM
Just to give back some feedback. I was able to validate the token, but I had to make some changes to Strapi. Strapi uses an HS256 algo and I had to add a "kid" key to the token header, in Strapi's plugin config. Thanks for the insight.
7:37 PM
The most obscure problem is that for a jwtsecret in Strapi, Cerbos expects the JWKS "k" to be encoded in base64. Also, I'm still having a new problem. I'm getting this error: "failed to parse JWT: "iat" not satisfied" on the first requests, but then it works. I think it has something to do with differences in timing between servers, although they are both on my computer. Anyway, thanks @Dennis (Cerbos) and @Charith (Cerbos) for the insight and help! The problem is SOLVED.