Question on JWT token validation. #63

Open
venkatmarepalli opened this issue May 5, 2017 · 5 comments
Comments

@venkatmarepalli

I am trying to validate my access_token using https://github.com/pingidentity/lua-resty-openidc#sample-configuration-for-oauth-20-jwt-token-validation. Somehow I wasn't able to succeed. My goal is to protect my APIs using this approach. Here is my configuration. Am I missing something here? I am getting 2 issues here. Can someone tell me where I am going wrong? I was able to verify the signature using http://jwt.io

openidc.lua calls https://github.com/pingidentity/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L723

  1. With the below configuration, I am getting openidc_discover(): accessing discovery url (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) failed: 20: unable to get local issuer certificate, client:

  2. When I added secret (public key string from my secret.pem file) I am getting "reason":"Verification failed","raw_header":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InowMzl6ZHNGdWl6cEJmQlZLMVRuMjVRSFlPMCIs

location /api {
    access_by_lua '
        local opts = {
            -- The jwks endpoint must provide a x5c entry
            discovery = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
        }
        -- call bearer_jwt_verify for OAuth 2.0 JWT validation
        local res, err = require("resty.openidc").bearer_jwt_verify(opts)
        ..
        ..
    ';
}

I am sending a curl request with the authorization token to test whether my /api is secured or not, like below:
curl -i http://myserver.com/api/index.html -H 'Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InowMzl6ZHNGdWl6cEJmQlZLMVRuMjVRSFlPMCIs'

@Obsolete01

Did you ever get this working?

@venkatmarepalli
Author

Yes, it worked with the help of https://github.com/zmartzone/lua-resty-openidc

@Obsolete01

Would you mind sharing the code used to decode the access token and then validate its claims after authentication?

@venkatmarepalli
Author

Did you check this https://github.com/zmartzone/lua-resty-openidc ? This library lets you do what you are expecting.

@Obsolete01

Yeah, but I can't get the validation of the access token working. I get redirected for authentication and that works, but I am unable to get the validation of my access token to work, so I was curious as to what you did, because you are validating from the access token, right?
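The following configuration is an added example, not code from this issue or from the lua-resty-openidc project, and it covers both points the thread raises. First, the `20: unable to get local issuer certificate` error in the original post is OpenSSL verify error 20: the OpenResty cosocket TLS client that fetches the discovery document has no CA bundle, so `lua_ssl_trusted_certificate` (plus `lua_ssl_verify_depth` and a `resolver`) must be set in the `http` block. Second, the later question of how to validate the token's claims once `bearer_jwt_verify` returns. Assumptions, none of which come from the page: the CA bundle path, a tenant-specific discovery URL with a `<tenant-id>` placeholder, audience `api://my-api`, scope `read`, the upstream address, and that `res` is the decoded JWT payload table for the library version in use (check `exp`, `aud`, `iss` yourself as shown rather than relying on what a given version enforces).

```nginx
events { worker_connections 1024; }

http {
    # Without a trust store the cosocket HTTPS client cannot chain
    # login.microsoftonline.com to a root: OpenSSL verify error 20.
    # Bundle path is an assumption; adjust for your distribution.
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # Cosocket HTTPS needs a resolver; discovery and JWKS documents are
    # cached in shared dicts so the IdP is not hit on every request.
    resolver 8.8.8.8;
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    server {
        listen 80;

        location /api {
            access_by_lua_block {
                -- Assumed values for this example (not from the issue).
                local expected_iss   = "https://login.microsoftonline.com/<tenant-id>/v2.0"
                local expected_aud   = "api://my-api"
                local required_scope = "read"

                local opts = {
                    -- Key material comes from the jwks_uri in this document, so
                    -- opts.secret (static HS secret or PEM) is deliberately absent.
                    discovery = expected_iss .. "/.well-known/openid-configuration",
                }

                local function reject(status, code, reason)
                    ngx.status = status
                    ngx.header["WWW-Authenticate"] =
                        'Bearer realm="api", error="' .. code .. '"'
                    ngx.say(reason)
                    ngx.exit(status)
                end

                local res, err = require("resty.openidc").bearer_jwt_verify(opts)
                if err or not res then
                    reject(ngx.HTTP_UNAUTHORIZED, "invalid_token",
                           err or "no access_token provided")
                end

                -- res is assumed to be the verified JWT payload. A good signature
                -- only proves who minted the token; these claims decide whether
                -- this API should accept it.
                if res.iss ~= expected_iss then
                    reject(ngx.HTTP_UNAUTHORIZED, "invalid_token", "unexpected issuer")
                end

                -- "aud" may be a string or an array of strings (RFC 7519 4.1.3).
                local aud_ok = false
                if type(res.aud) == "table" then
                    for _, a in ipairs(res.aud) do
                        if a == expected_aud then aud_ok = true end
                    end
                else
                    aud_ok = (res.aud == expected_aud)
                end
                if not aud_ok then
                    reject(ngx.HTTP_UNAUTHORIZED, "invalid_token", "wrong audience")
                end

                -- exp/nbf are NumericDate seconds; allow a small clock skew.
                local now, skew = ngx.time(), 60
                if type(res.exp) ~= "number" or res.exp + skew < now then
                    reject(ngx.HTTP_UNAUTHORIZED, "invalid_token", "token expired")
                end
                if type(res.nbf) == "number" and res.nbf - skew > now then
                    reject(ngx.HTTP_UNAUTHORIZED, "invalid_token", "token not yet valid")
                end

                -- Azure AD v2.0 carries delegated scopes in "scp", space separated.
                local has_scope = false
                for s in (type(res.scp) == "string" and res.scp or ""):gmatch("%S+") do
                    if s == required_scope then has_scope = true end
                end
                if not has_scope then
                    reject(ngx.HTTP_FORBIDDEN, "insufficient_scope",
                           "missing scope " .. required_scope)
                end

                -- Hand the verified identity upstream instead of the raw token.
                ngx.req.set_header("X-Subject", res.sub or "")
                ngx.req.clear_header("Authorization")
            }

            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

The 401/403 split follows RFC 6750: a missing, malformed, expired or mis-targeted token is `invalid_token` (401), while a valid token that lacks the needed scope is `insufficient_scope` (403). Setting `opts.secret` alongside `discovery` would switch verification to the static key, which is the path that produced the `Verification failed` result in the original post, so only one source of key material should be configured.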
