ubergarm/openresty-nginx-jwt

JWT_SECRET doesn't work in other cases

shivashishratnam opened this issue · 3 comments

I see this repo works completely fine when I use JWT_SECRET="secret" and authenticate using a curl command or the web URL with the token that is in the README file.

But then there is a scenario: I have a JWT token ready and I validated it on jwt.io using a JWKS JSON key. I tried to copy the JWKS key and hardcode it for now in place of JWT_SECRET just to make sure everything works fine. But when I hit the URL with ?token=<JWT_TOKEN>, it shows me "Decode Secret is not a valid cert/public key" and I am not able to validate this.

Is there any way I can use my own JWT_SECRET and validate it against the JWT_TOKEN, to be sure this repo works with custom secrets and so on?

Please let me know how I can generate a random secret key against a token, or something else. My main goal is to validate against the JWT token I currently have.

The provided example only shows how to do symmetric key HSA verification, but it sounds like you need to use RSA verification of an asymmetric keypair from your JWKS JSON key file.

It seems possible, the steps would be something like:

  1. Extract the keypair from the JWKS JSON file into PEM files using some tool
  2. Read the lua-resty-jwt test script example to see how to load/verify using a public key
  3. Edit bearer.lua and change line 40 to verify using the key after you load it or paste it in

There may be easier ways to do this using newer tools too, I haven't touched this repo in years so YMMV. Please update and close the ticket with whatever you find, thanks.

Cheers!

This happens when pubKey is not hardcoded in a proper format.
It would work when

-- the PEM header and footer must each have exactly five dashes on both sides,
-- with the base64 key body between them
local pubKey = [[-----BEGIN PUBLIC KEY-----
<base64 key body, omitted in the original post>
-----END PUBLIC KEY-----]]

Moreover, the best approach would be to read it from a file and compare it with the JWT token.
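Putting the three steps from the earlier reply together with the PEM-format fix and the read-it-from-a-file suggestion in the last comment, here is an added example of an access_by_lua script that verifies an RS256 token with lua-resty-jwt. It is not code from the openresty-nginx-jwt repo or from anyone in this thread. It assumes step 1 (converting the JWKS entry to a PEM public key) has already been done, that the PEM path is supplied in an environment variable named JWT_PUBLIC_KEY_FILE (a name chosen for this example), and that the installed lua-resty-jwt version provides set_alg_whitelist.

```lua
-- Added example, not code from the openresty-nginx-jwt repo or from this thread.
-- Assumes lua-resty-jwt is installed and that the JWKS key has already been
-- converted to a PEM public key stored at the path in JWT_PUBLIC_KEY_FILE
-- (an environment variable name chosen for this example).
local jwt = require "resty.jwt"

-- Read the whole PEM file; in production, cache the result instead of
-- re-reading it on every request.
local function read_file(path)
    local f, err = io.open(path, "rb")
    if not f then
        return nil, err
    end
    local data = f:read("*a")
    f:close()
    return data
end

local pem_path = os.getenv("JWT_PUBLIC_KEY_FILE")
if not pem_path then
    ngx.log(ngx.ERR, "JWT_PUBLIC_KEY_FILE is not set")
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local pub_key, err = read_file(pem_path)
if not pub_key then
    ngx.log(ngx.ERR, "cannot read public key: ", err)
    return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Accept only RS256. Without this, a token whose header claims alg=HS256 could be
-- checked as an HMAC keyed with the PEM text, which is public and therefore
-- computable by anyone. (set_alg_whitelist is assumed to exist in the installed version.)
jwt:set_alg_whitelist({ RS256 = 1 })

-- Pull the token from ?token=... (as in the thread) or from an Authorization: Bearer header.
local token = ngx.var.arg_token
if not token then
    local auth = ngx.var.http_authorization
    if auth then
        token = auth:match("^[Bb]earer%s+(.+)$")
    end
end
if not token then
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- verify() returns a table; `verified` is true only when the signature checks
-- out against the public key, and `reason` explains any failure.
local jwt_obj = jwt:verify(pub_key, token)
if not jwt_obj.verified then
    ngx.log(ngx.WARN, "JWT rejected: ", jwt_obj.reason)
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- A valid signature is not enough: also reject expired tokens (60 s clock leeway).
local exp = jwt_obj.payload.exp
if type(exp) ~= "number" or exp + 60 < ngx.time() then
    ngx.log(ngx.WARN, "JWT rejected: missing or past exp claim")
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- Falling through lets the request continue to the proxied location.
```

nginx clears the process environment unless the variable is whitelisted, so the nginx.conf needs an `env JWT_PUBLIC_KEY_FILE;` directive at the top level, the same way the repo's JWT_SECRET is exposed. The error quoted in the issue ("Decode Secret is not a valid cert/public key") is what lua-resty-jwt reports when the key string handed to verify() for an RS256 token is not a well-formed PEM, which is why the exact `-----BEGIN PUBLIC KEY-----` / `-----END PUBLIC KEY-----` markers matter.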