Hello! I´m trying to JWT token on cerbos with auxD...
# help
a
Hello! I'm trying to use a JWT token on Cerbos with auxData. I'm using Strapi as backend and I'm actually wondering whether this is really necessary, as the true access control will happen on the backend. The front end will only block rendering of some components.
d
Hi Alberto! Which authentication system are you using? I mean, who issued the JWT token? Auth0?
a
It is Strapi. I'm using Google Auth as a Strapi provider, to be more specific.
d
Thanks. I'll check it out. It seems the root cause of the error is that Cerbos expects JSON Web Key Sets in the configuration, but it is given a base64-encoded secret.
c
@Alberto Cunha Cerbos needs a base64-encoded JSON Web Key (JWK). The secret you have in your configuration is
your-256-bit-secret
which is not a valid JWK and I suspect that it's a placeholder value from the documentation -- not the real key. I am not familiar with Strapi so I can't really help you with the particular details of that. Usually, the JWK is exposed by the issuing server at the path
/.well-known/jwks.json
a
Thanks Charith! I think you are right. It was my utter ignorance of how JWKS work. I was just grabbing that JWT secret, encoding it with base64 and adding it to Cerbos auxData. Strapi won't create a JWKS file, but I'll try to do it manually.
Just to give back some feedback. I was able to validate the token, but I had to make some changes to Strapi. Strapi uses an HS256 algo and I had to add a "kid" key to the token header, in Strapi's plugin config. Thanks for the insight.
The most obscure problem is that for a jwtSecret in Strapi, Cerbos expects the JWKS "k" to be encoded in base64. Also, I'm still having a new problem. I'm getting this error: "failed to parse JWT: \"iat\" not satisfied" on the first requests, but then it works. I think it has something to do with differences in timing between servers, although they are on my computer. Anyway, thanks @Dennis (Cerbos) and @Charith (Cerbos) for the insight and help! The problem is SOLVED.