Signing a JWT?

Does anyone have a full working example of signing JWTs? I guess this is partly a question about the process too… this is related to earlier work I did (and this other post).

When you complete a sign-in with Google, you are given a JWT. You can can look up the PEM that was used to sign the key at https://www.googleapis.com/oauth2/v1/certs

And that can be used to verify that the JWT has not been tampered with.

From

There’s this Elixir example:

key = 'the shared secret key here'
message = 'the message to hash here'

signature = :crypto.hmac(:sha256, key, message)

# to lowercase hexits
Base.encode16(signature, case: :lower)

When you’re dealing with a JWT, the message is a Base64 encoding of the JSON header + the JSON claims. But what’s the key in this scenario? When Google lets us query its PEM, what is in that PEM? Is it a private key? A public key? Or a combination? And what gets used to sign the JWT?

I’m writing tests around this stuff, so I need to be able to generate a public + private key, convert them (or one of them?) to PEM format, and then properly sign the key so that the JWT can be properly checked.

Hey @fireproofsocks it’s a private key. Here is code I wrote to validate JWT keys against google firebase pem. You can probably refactor it to grab pems from somewhere else.

First, I had a genserver which, on boot, would fetch the keys from Google and put them in ets:

def request_keys(_) do
    url = keys_url()

    {:ok, 200, headers, body} = :hackney.request(:get, url, [], "", [:with_body])

    {_, cache_control} =
      Enum.find(headers, fn {k, _} ->
        String.downcase(k) == "cache-control"
      end)

    [_, expire_in] = Regex.run(~r/max\-age\=([0-9]*),/, cache_control)
    expire_in = String.to_integer(expire_in)

    body
    |> Jason.decode!()
    |> Map.values()
    |> Enum.map(&JOSE.JWK.from_pem/1)
    |> Enum.map(fn key ->
      %{type: :firebase, key: key, expire_in: expire_in * 1000}
    end)
  end

  defp keys_url() do
    "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
  end

That’s the fetching and parsing code, the ets and refresh based on expires in is left as an exercise to the reader.

In any case once that’s in place, when a request comes in with a JWT key you can verify it via:

def verify(token) do
    [{:keys, keys}] = :ets.lookup(Maven.Accounts.Auth, :keys)

    Enum.find_value(keys, &do_verify(&1, token))
  end

  defp do_verify(key_data, token) do
    case JOSE.JWT.verify(key_data.key, token) do
      {true, %{fields: fields}, _} ->
        {:ok, key_data.type, fields}

      _ ->
        nil
    end
  end
3 Likes

I wrote a JWT adapter that might be interesting to you: https://github.com/pow-auth/assent/blob/78e75769296fbe4f4383795e1ec6327d63fda60e/lib/assent/jwt_adapter/assent_jwt.ex#L62-L68

Here’s the test with public key example (I just hard code the keys): https://github.com/pow-auth/assent/blob/78e75769296fbe4f4383795e1ec6327d63fda60e/test/assent/jwt_adapter/assent_jwt_test.exs#L25-L66

Though I would recommend that you just rely on JOSE to handle it similar to the above example by @benwilson512.

Thanks @benwilson512 – this is a clean example of how to verify keys, cleaner than what I had worked out. However, I was looking for how to sign the key. @danschultzer – I think AssentJWT.sign/3 does exactly what I want. Thank you!

1 Like

I’ve been having similar issues, trying to sign something just using JOSE.JWT.sign/3.

It seemed that using File.read/1 and then JOSE.JWK.from_pem/1 was giving different results to JOSE.JWK.from_pem_file/1. Unfortunately, the documentation for JOSE is really sparse, so I never worked out exactly why.