TeslaGov/ngx-http-auth-jwt-module

failed to parse JWT, error code 22

alankar23 opened this issue · 6 comments

Hi, I am trying to implement HS256-based validation. But I am getting 401 and
failed to parse JWT, error code 22, client: 192.168.1.10, server: , request: "GET /api/1 HTTP/1.1", host: "192.168.1.17" in error logs.

My conf looks like this

server {
    listen       80;
    error_log /var/log/nginx/error-1.log debug;
    access_log /var/log/nginx/access-1.log main_ext;
    auth_jwt_enabled on;
    auth_jwt_key "jXnZr4u7x!A%D*G-KaPdSgVkYp3s5v8y";
    auth_jwt_algorithm HS256;

    location / {
        proxy_pass http://localhost:808/dev;
    }
}

Any help would be really appreciated.

Almost the same here, but with HS256:

      auth_jwt_enabled on;
      auth_jwt_algorithm RS256;
      auth_jwt_use_keyfile on;
      auth_jwt_keyfile_path "xxxxxxx";

I have the same problem. Please tell me the correct settings.
failed to parse JWT, error code 22
nginx 1.18
https://stackoverflow.com/questions/75891325/nginx-jwt-validation-failed-to-parse-jwt

To resolve the issue, I encoded the key in binhex format for nginx and used the decoded key to generate the token.

> To resolve the issue, I encoded the key in binhex format for nginx and used the decoded key to generate the token.

Could you write a short instruction on how you did it? Thank you for the help.

binhex is not encryption and this token is essentially plaintext. The fact that it only exists on the server side makes that less of an issue, but it's not a good idea to do it this way.

What @JohnPeacock said is correct, allow me to elaborate.

> The fact that it only exists on the server side makes that less of an issue, but it's not a good idea to do it this way.

This is only an issue when using the auth_jwt_key directive -- which indeed does require that the key be provided in binhex format. This is pointed out in the README but we will make it more clear by calling it out directly in the directives table.

Here is a tool you may use to convert text to/from binhex: http://bin-hex-converter.online-domain-tools.com


If you do not want to include an almost-plain-text key in your NGINX config, please use these alternate directives e.g.:

auth_jwt_use_keyfile on;
auth_jwt_keyfile_path "/path/to/pub_key.pem";
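
The key handling described in the comments above, as an added example that is not part of the original thread or the module's code: the secret is hex-encoded for auth_jwt_key, while the token issuer signs with the raw (decoded) bytes. It assumes "binhex" means the hexadecimal encoding of the key's bytes; SECRET and every function name are constructed for illustration, and verify_with_configured_key only models a verifier that hex-decodes its configured key.

```python
import base64
import hashlib
import hmac
import json

SECRET = "constructed-sample-secret-0123456789"  # constructed sample, not a real key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_to_hex(secret: str) -> str:
    # Hex form of the secret's bytes: the value that goes in auth_jwt_key.
    return secret.encode("utf-8").hex()


def sign_hs256(claims: dict, key: bytes) -> str:
    # The token issuer signs with the raw (decoded) key bytes.
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_with_configured_key(token: str, configured: str) -> bool:
    # Model (assumption) of a verifier that hex-decodes its configured key before use.
    try:
        key = bytes.fromhex(configured)  # raw text here raises ValueError
        signing_input, sig = token.rsplit(".", 1)
        header = json.loads(b64url_decode(signing_input.split(".")[0]))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig))
    except ValueError:
        return False


if __name__ == "__main__":
    token = sign_hs256({"sub": "demo"}, SECRET.encode("utf-8"))
    print("auth_jwt_key value:", key_to_hex(SECRET))
    print("hex key configured:", verify_with_configured_key(token, key_to_hex(SECRET)))
    print("raw key configured:", verify_with_configured_key(token, SECRET))
```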