    Alberto Cunha

    1 week ago
    Hello! I'm trying to use a JWT token on Cerbos with auxData. I'm using Strapi as backend and I'm actually thinking if this is really necessary, as the true access control will happen on the backend. The front end will only block rendering of some components.
    Dennis (Cerbos)

    1 week ago
    Hi Alberto! Which authentication system are you using? I mean, who has issued the JWT token? Auth0?
    Alberto Cunha

    1 week ago
    It is Strapi. I'm using Google Auth as a Strapi provider, to be more specific.
    Dennis (Cerbos)

    1 week ago
    Thanks. I'll check it out. It seems the root cause of the error is that Cerbos expects JSON Web Key Sets in the configuration, but it is given a base64-encoded secret.
    Charith (Cerbos)

    1 week ago
    @Alberto Cunha Cerbos needs a base64-encoded JSON Web Key (JWK). The secret you have in your configuration is
    your-256-bit-secret
    which is not a valid JWK and I suspect that it's a placeholder value from the documentation -- not the real key. I am not familiar with Strapi so I can't really help you with the particular details of that. Usually, the JWK is exposed by the issuing server at the path
    /.well-known/jwks.json
    Alberto Cunha

    1 week ago
    Thanks Charith! I think you are right. It was my utter ignorance of how JWKS work. I was just grabbing that JWT secret, encoding it with base64 and adding it to Cerbos auxData. Strapi won't create a JWKS file, but I'll try to do it manually.
    Just to give back some feedback. I was able to validate the token, but I had to make some changes to Strapi. Strapi uses an HS256 algo and I had to add a "kid" key to the token header, in Strapi's plugin config. Thanks for the insight.
    The most obscure problem is that for a jwtSecret in Strapi, Cerbos expects the JWKS "k" to be encoded in base64. Also, I'm still having a new problem. I'm getting this error: "failed to parse JWT: "iat" not satisfied" on the first requests, but then it works. I think it has something to do with differences in timing between servers, although they are both on my computer. Anyway, thanks @Dennis (Cerbos) and @Charith (Cerbos) for the insight and help! The problem is SOLVED