Joken: Using Joken.verify

troubleshooting

#1

Hi!

Trying to verify with a RS256 public key like this:

mytoken = token(URL-CALL)
key = "PUBLIC KEY"
mytoken |> with_signer(rs256(%{k: key})) |> verify

And always failing. Plainly I am misunderstanding something (and/or just stupid! grin!)

Thoughts?

Quentin


#2

HI @czrpb! Joken co-maintainer here.

RSXXX algorithms are based on asymmetric cryptography (a pair of public and private keys). The parameters needed for the keys are different than simply {k: "KEY"}. As an example, look into Joken’s tests. Here is one fixture we use in the test base:

  def rsa_key do
    %{"d" => "A2gHIUmJOzRGvklIA2S8wWayCXnF8NYAhOhu7woSwjioO3HRzvd3ptegSKDpPfABJuzhy7y08ug5ZcyFbN1hJBVY8NwNzpLSUK9wmXekrbTG9MT76NAiQTxV6fYK5DXPF4Cp0qghBt-tq0kQNKx4q9QEzLb9XonmXE2a10U8EWJIs972SFGhxKzf6aq6Ri7UDK607ngQyEhVmGxr3gDJLAGQ5wOap5NYIL2ufI5FYqH-Sby_Qk7299b-w4B0fl6u8isR8OlpwMLVnD-oqOBPH-65tE82hxPV0QbSmyzmg9hlVVinJ82YRBkbcu-XG9XXOhUqJJ7kafQrYkQx6BiFKQ",
      "dp" => "Useg361ca8Aem1TToW8AfjOLAAEqkkR48UPMSS2Le9D4YFtAb_ud5CK2IevYl0R-4afXUzIoeiNRg4bOTAWmTwKKlmAp4B5GzlbPzAPhwQRCxzs5MiW0K-Nw30blBLWlJYDAnVEr3T3rqtgzXFLMhR5AHqM4VhWQK7QaxgaW7TE",
      "dq" => "yueW-DmyJULJlJckFXfkivSO_X1sjQurDwDfyFLAnrvgy2EqJ-iq0gBVySMGw2CgeSQegTmuKinF4anL0wy85BK8tgxDULVOpjls4ej8ZQnJ2RVEjdxZLjKh-2yw-v6mbn7goko98nkRCBYMdDUBHNVcaY9bA8kdBWi-K6DgW2E",
      "e" => "AQAB",
      "kty" => "RSA",
      "n" => "xnAUUvtW3ftv25jCB-hePVCnhROqH2PACVGoCybdtMYTl8qVABAR0d6T-BRzVhJzz0-UvBNFUQyVvKAFxtbQUZN2JgAm08UJrDQszqz5tTzodWexODdPuoCaWaWge_MZGhz5PwWd7Jc4bPAu0QzSVFpBP3CovSjv48Z2Eq0_LHXVjjX_Az-WaUh94mXFyAxFI_oCygtT-il1-japS3cXJJh0WddT3VKEBRYHmxDJd_LYE-KXQt3aTDhq0vI9sG2ivtFj0dc3w_YBdr4hlcr42ujSP3wLTPpTjituwHQhYP4j-zqu7J3FYaIxU4lkK9Y_DP27RxffFI9YDPJdwFkNJw",
      "p" => "5cMQg_4MrOnHI44xEs6Jyt_22DCvw3K-GY046Ls50vIf2KlRALHI65SPKfVFo5hUuHkBuWnQV46tHJU0dlmfg4svPMm_581r59yXeI8W6G4FlsSiVyhFO3P5Q5ubVs7MNaqhvaqqPqR14cVvHSqjwX5jGuGAVuLhnOhZGbtb7_U",
      "q" => "3RlGNrCRU-yV7TTikKJVJCIpe8vgLBkHQ61iuICd8AyHa4sXICgf2YBFgW8CAJOHKIp8g_Nl94VYpqWvN1YVDB7sFUlRpJL2yXvTKxDzUwtM5pf_D1O6lGEMQBRY-buhZHmPf5qG93LnsSqm5YOZGpZ6t6gHtYM9A6JOIgwsYys",
      "qi" => "kG5Stetls18_1fvQx8rxhX2Ais0Xg0gLDUjpE_9TYcb-utq79HVKOQ_2PJGz09hQ_teqnhXhgGMubqaktl6UOSJr6B4JgcAY7yU-34EuSxp8uKLix9BVsF2cpiC4ADhjLKP9c7IQ7X7zfs336_Reb8fh9G_zRdwEfmqFy7m28Lg"}
  end

Probably what you have is a couple PEM files that encodes all this information (jwt.io shows the content of such files for testing). You can parse this file using the embedded public_key erlang application or use one of the facilities of JOSE (that we depend on) like JOSE.JWK.from_pem_file/1.


#3

Hi @cs-victor-nascimento !

Awesome reply! I still trying to work it through. In my case, all I have is the public key with which to verify (no file, accessible via an endpoint).

Hopefully I will figure it out and wont have to bug you again! :wink:

Quentin


#4

No worries! There are other utilities for reading the PEM content from binaries on the same module. Maybe they can help you better.

Regards,


#5

@cs-victor-nascimento

Looks like I finally got it!

# Get our's system's token
token = URL.token(host)                                                             
                                                                                    
# Get our's system's public key
public_key = URL.public_key(host)                                                   

# Make it a Joken token                                                                                        
token = Joken.token(token)                                                          

# Verify token with public key                                                                                                                                                                               
with_signer = token |> Joken.with_signer(Joken.rs256(JOSE.JWK.from_pem(public_key)))
{:ok, claims} = with_signer |> Joken.verify!                                        
IO.puts("#{inspect claims}")                                                        

Thx for the pointers!! If there is some user oriented docs I missed reading, would love to read them!

Thx for the tool! :smile:

Quentin


Joken: Verify AWS Cognito JWT
#6

Nice to hear it worked for you!

I’ve talked a bit wiht Bryan Joseph about refactoring some things but still haven’t got the time to do it. Will probably add a section about asymmetric cryptography there though!

Cheers