Guardian error when creating jwt token

zoedsoupe · February 15, 2023, 6:59pm

I have this Guardian module:

defmodule Sntx.Guardian do
  use Guardian, otp_app: :sntx

  alias Sntx.Repo
  alias Sntx.User.Account

  def subject_for_token(user, _claims) do
    sub = to_string(user.id)
    {:ok, sub}
  end

  def resource_from_claims(claims) do
    user = Repo.get(Account, claims["sub"])
    {:ok, user}
  end

  def after_encode_and_sign(resource, claims, token, _options) do
    with {:ok, _} <- Guardian.DB.after_encode_and_sign(resource, claims["typ"], claims, token) do
      {:ok, token}
    end
  end

  def on_verify(claims, token, _options) do
    with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
      {:ok, claims}
    end
  end

  def on_refresh({old_token, old_claims}, {new_token, new_claims}, _options) do
    with {:ok, _, _} <- Guardian.DB.on_refresh({old_token, old_claims}, {new_token, new_claims}) do
      {:ok, {old_token, old_claims}, {new_token, new_claims}}
    end
  end

  def on_revoke(claims, token, _options) do
    with {:ok, _} <- Guardian.DB.on_revoke(claims, token) do
      {:ok, claims}
    end
  end
end

Then, if I try to execute Sntx.Guardian.encode_and_sign(%{id: "123"}) I receive this error:

** (CaseClauseError) no case clause matching: 43
    (jose 1.11.5) src/base/jose_base64url.erl:136: :jose_base64url."-decode!/2-lbc$^0/2-0-"/2
    (jose 1.11.5) src/base/jose_base64url.erl:136: :jose_base64url.decode!/2
    (jose 1.11.5) src/jwk/jose_jwk_kty_oct.erl:50: :jose_jwk_kty_oct.from_map/1
    (jose 1.11.5) src/jwk/jose_jwk.erl:304: :jose_jwk.from_map/1
    (jose 1.11.5) lib/jose/jwk.ex:140: JOSE.JWK.from_map/1
    (guardian 2.3.1) lib/guardian/token/jwt.ex:272: Guardian.Token.Jwt.create_token/3
    (guardian 2.3.1) lib/guardian.ex:776: Guardian.returning_tuple/1
    (guardian 2.3.1) lib/guardian.ex:602: Guardian.encode_and_sign/4

I’m really confused about this error. Any idea that what this means?

zoedsoupe · February 15, 2023, 7:00pm

There is a public repo here: GitHub - zoedsoupe/sntx, on branch feature/blog-posts

al2o3cr · February 15, 2023, 7:18pm

The basic cause is that a + character (byte value 43) appears in a string that :jose_jwk.from_map/1 treats as encoded in URL-safe Base64, which doesn’t allow that character. That behavior is directly from the specification for kty = oct.

The root cause is that this incorrectly-encoded value is being set in config/config.exs from an environment variable: sntx/config.exs at feature/blog-posts · zoedsoupe/sntx · GitHub

adamu · February 16, 2023, 2:08am

Not directly answering your question, but just in case

zoedsoupe · February 16, 2023, 7:05pm

Oh thank you! I generated the token with mix guardian.gen.secret but it seem was generated with a + char!

al2o3cr · February 16, 2023, 8:00pm

Yeah, that’s a tricky one - the sets of characters used by encode64 and url_encode64 are nearly the same, so you got a bad roll of the dice.

I created an issue on Guardian to address / document this:

github.com/ueberauth/guardian

Generating a JWT with kty=oct can fail because of incorrect Base64 encoding

opened 07:53PM - 16 Feb 23 UTC

al2o3cr

### Steps to Reproduce 1. Generate a secret using `mix guardian.gen.secret` 2.… Set that secret for use with JWTs with `secret_key: %{"k" => System.get_env("THAT_SECRET_KEY"), "kty" => "oct"}` 3. Try signing a key ### Expected Result It should work. :) ### Actual Result Sometimes, the generated secret has a `+` in it [which isn't allowed according to the spec](https://www.rfc-editor.org/rfc/rfc7518.html#section-6.4) and crashes the URL-safe base64 decoder. The root cause is the use of `Base.encode64` in [`guardian.gen.secret`](https://github.com/ueberauth/guardian/blob/master/lib/mix/tasks/guardian.gen.secret.ex#L30). Switching that to `Base.url_encode64` would solve _this_ issue but probably break something else... Additional backstory and discussion [in this Elixir Forum thread](https://elixirforum.com/t/guardian-error-when-creating-jwt-token/53924); thanks to the original poster for bringing this up.