It is difficult to know how you’ve signed your token. Though this token has a different “kid” claim on its header than the one your passing for JOSE.JWK.from_map/1.
Does this help? The kid on the token is: ttY6v6AGiOqL+ZaDvyg953iG7RWLTwDVq9+cOa1hrZE=\
Is the technique above the correct way to create a Joken.Signer?
Decode the AWS key set JSON into an Elixir map
Create a JOSE.JWK key set
Create a Joken.Signer from the JOSE.JWK
I cannot see any other technique to create the Joken.Signer except to read the provided AWS key set JSON and observe that both keys in the set list RS256 as the encryption. Then hard code that by using Joken.rs256().
Is it best if we extract the AWS key with the correct kid from the set before creating the JOSE.JWK? (I think that is what @reneerojas has tried.)
I had to do something similar with Auth0, I ended up just using JOSE directly instead of Joken though.
But anyway, it looks like what you’re missing to me is the fact that the jwks is actually a key set. Meaning you need to get your token from the list before you try to verify. Assuming you only have one key then this should probably do it:
[jwk | _] = JOSE.JWK.from_map(awsJwks)
If not, this is the crazy function that I ended up getting to:
defp jwks_from_binary(jwks_binary) do
with {:ok, map} <- Poison.decode(jwks_binary),
{:ok, keys} when is_list(keys) <- Map.fetch(map, "keys"),
jwks_list when is_list(jwks_list) <- Enum.map(keys, &JOSE.JWK.from_map/1),
jwks when is_list(jwks) <- JOSE.JWK.from(jwks_list) do
{:ok, jwks}
else
_ ->
{:error, :invalid_jwks}
end
end
@Azolo Yeah, the Auth0 JWK set is exactly the same format as the AWS set, so I think we need your function, thanks! How are you verifying after extracting the key? Using Joken for that?
Well you’re supposed to use the data in the JWT to get the name of the key in the jwks, but I was pretty frustrated at that point, so I just did:
defp check_against_jwks(token, jwks) do
Enum.any?(jwks, fn(jwk) ->
case JOSE.JWT.verify_strict(jwk, ["RS256"], token) do
{true, _, _} -> true
_ -> false
end
end)
end
I’ve stumbled upon the same issue - thanks for the useful answers, which pointed me the right way
I actually took it a little further and got it integrated with Joken:
’ “forked” Joken.Plug and modified line 174 to pass the connection: verified_token = payload_fun.(conn) (see https://github.com/bryanjos/joken/blob/master/lib/joken/plug.ex#L174) Let’s call it Youproject.modifiedJokenPlug
Adjust your router’s verify_function to take on argument: def verify_function(conn) do
and your plug: plug Youproject.modifiedJokenPlug, verify: &Youproject.Router.verify_function/1 (don’t forget, you cb now takes one argument, so it’s /1)
With the connection in the verify function, it is possible to get the claims on the JWT as follows:
["Bearer " <> bearer] = get_req_header(conn, "authorization")
{:ok, claims} = bearer
|> String.split(".")
|> hd
|> Base.decode64!
|> Poison.decode
# claims["kid"] and claims["alg"] are now populated
Load the list of keys (with HTTPoison / auth0 in my case)
matchingKey = Enum.find(keylist["keys"], fn(x) -> x["kid"] == claims["kid"] && x["alg"] == claims["alg"] end)
key = hd(matchingKey["x5c"]) # I assume, the first key in the certificate chain is also the signing one
Format the signing key so Joken understands it (as PEM, using JOSE, going by Joken’s docs here):
a = "-----BEGIN CERTIFICATE-----"
z = "-----END CERTIFICATE-----"
parts = key
|> Stream.unfold(&String.split_at(&1, 64)) # 64 Characters per line
|> Enum.take_while(&(&1 != "")) # Get all remaining chars as well
fkey = a <> "\n" <> Enum.join(parts, "\n") <> "\n" <> z <> "\n" # Join it all to form the PEM
q = JOSE.JWK.from_pem(fkey) # And finally get the signer
Return the verifier
%Joken.Token{}
|> with_json_module(Poison)
|> with_signer(rs256(q))
|> with_validation("aud", &(&1 == "<expected audience>" || Enum.member?(&1, "<expected audience>"))) # Audience claim can be an array, e.g. if you query it for your application while quering profile as well # CHANGE AUDIENCE
|> with_validation("exp", &(&1 > current_time))
|> with_validation("iat", &(&1 <= current_time))
|> with_validation("iss", &(&1 == "https://someone.locale.auth0.com/")) # CHANGE URL
I know it has been more than 3 years, but in case someone ends up here, yes, it’s much simpler with Joken 2.5 with the help of a Joken hook called Joken JWKS.