fireproofsocks
Signing a JWT?
Does anyone have a full working example of signing JWTs? I guess this is partly a question about the process too… this is related to earlier work I did (and this other post).
When you complete a sign-in with Google, you are given a JWT. You can can look up the PEM that was used to sign the key at https://www.googleapis.com/oauth2/v1/certs
And that can be used to verify that the JWT has not been tampered with.
From
https://github.com/danharper/hmac-examples#elixir
There’s this Elixir example:
key = 'the shared secret key here'
message = 'the message to hash here'
signature = :crypto.hmac(:sha256, key, message)
# to lowercase hexits
Base.encode16(signature, case: :lower)
When you’re dealing with a JWT, the message is a Base64 encoding of the JSON header + the JSON claims. But what’s the key in this scenario? When Google lets us query its PEM, what is in that PEM? Is it a private key? A public key? Or a combination? And what gets used to sign the JWT?
I’m writing tests around this stuff, so I need to be able to generate a public + private key, convert them (or one of them?) to PEM format, and then properly sign the key so that the JWT can be properly checked.
Most Liked
benwilson512
Hey @fireproofsocks it’s a private key. Here is code I wrote to validate JWT keys against google firebase pem. You can probably refactor it to grab pems from somewhere else.
First, I had a genserver which, on boot, would fetch the keys from Google and put them in ets:
def request_keys(_) do
url = keys_url()
{:ok, 200, headers, body} = :hackney.request(:get, url, [], "", [:with_body])
{_, cache_control} =
Enum.find(headers, fn {k, _} ->
String.downcase(k) == "cache-control"
end)
[_, expire_in] = Regex.run(~r/max\-age\=([0-9]*),/, cache_control)
expire_in = String.to_integer(expire_in)
body
|> Jason.decode!()
|> Map.values()
|> Enum.map(&JOSE.JWK.from_pem/1)
|> Enum.map(fn key ->
%{type: :firebase, key: key, expire_in: expire_in * 1000}
end)
end
defp keys_url() do
"https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
end
That’s the fetching and parsing code, the ets and refresh based on expires in is left as an exercise to the reader.
In any case once that’s in place, when a request comes in with a JWT key you can verify it via:
def verify(token) do
[{:keys, keys}] = :ets.lookup(Maven.Accounts.Auth, :keys)
Enum.find_value(keys, &do_verify(&1, token))
end
defp do_verify(key_data, token) do
case JOSE.JWT.verify(key_data.key, token) do
{true, %{fields: fields}, _} ->
{:ok, key_data.type, fields}
_ ->
nil
end
end
fireproofsocks
Thanks @benwilson512 – this is a clean example of how to verify keys, cleaner than what I had worked out. However, I was looking for how to sign the key. @danschultzer – I think AssentJWT.sign/3 does exactly what I want. Thank you!
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #javascript
- #code-sync
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









