Adding JWT secret with binary values #577

Closed
tecnobrat opened this issue Sep 30, 2015 · 9 comments
Labels
task/feature Requests for new features in Kong

Comments

@tecnobrat

Our JWT secret contains binary data. I've tried everything I can think of to send it to the Admin API as binary data.

I believe once I finally get it coming through properly, I'm getting this:

2015/09/30 18:18:15 [error] 57#0: *112 [lua] responses.lua:61: handler(): Cassandra error: Error during UNIQUE check: Cassandra error: Cassandra returned error (Invalid): String didn't validate., client: 192.168.99.1, server: , request: "POST /consumers/d28eae06-3ba8-4763-c7a9-32b41694a844/jwt HTTP/1.1", host: "192.168.99.100:8001"

Our use-case is that we already have a JWT provider and would like to continue to use it.

@thibaultcha
Member

Only text JWT secrets are supported. I don't believe Cassandra could support a select statement on a blob column anyways.

@subnetmarco
Member

One solution would be to Base64 encode the secret.

@thibaultcha
Member

It is currently not possible because we would need to base64 all the secrets if we do so.

@tecnobrat
Author

That means that the JWT support won't work for any implementation where you do not have control over the secret. For example, Auth0, which is a fairly large third-party tool.

@thibaultcha
Member

We could add a flag for a certain plugin enabled on an API and then Kong would systematically assume the secret is in base64 and decode it before validating the signature. Secrets would be added to consumers already base64 encoded, but there would be no way to enforce that, since credentials and plugins share no relation (that was why I was more in favour of "nothing or everything").

Btw, I wonder why Auth0 is providing secrets with binary data? Why not stick to text?

thibaultcha added the request and task/feature labels on Oct 15, 2015
@tecnobrat
Author

I solved this issue because I was able to set my own secret in Auth0. It wasn't particularly clear from their UI, but you can actually update the secret.

So you can close this if you like, as that workaround is fine.

@SGrondin
Contributor

SGrondin commented Nov 5, 2015

@tecnobrat since I assume a lot of people will be finding this issue through Google, can you tell us a little bit more about the workaround and/or link to it? Thanks

@tecnobrat
Author

I simply used the Ruby JWT library to base64url_encode the secret and saved that in Auth0.

JWT.base64url_encode("secretfromkong")

It's worth mentioning that JWT.base64url_encode is NOT equivalent to the functions in the Base64 class.

tecnobrat@puma:~$ irb
irb(main):001:0> require 'jwt'
=> true
irb(main):002:0> require 'base64'
=> false
irb(main):003:0> JWT.base64url_encode("secretfromkong")
=> "c2VjcmV0ZnJvbWtvbmc"
irb(main):004:0> Base64.encode64("secretfromkong")     
=> "c2VjcmV0ZnJvbWtvbmc=\n"
irb(main):005:0> Base64.urlsafe_encode64("secretfromkong")
=> "c2VjcmV0ZnJvbWtvbmc="
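
An added example, not part of the original thread and not Kong's or Auth0's code: it shows why a binary HS256 key kept as unpadded base64url text only verifies tokens when the verifier decodes it back to bytes before computing the HMAC. The helper names, the sample key and the claims are constructed for illustration, and the decode-before-use step is the assumption behind both the workaround above and the base64 flag proposed earlier in the thread.

```ruby
require 'openssl'
require 'json'

# Unpadded base64url (RFC 7515), the form JWT.base64url_encode produces.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Restore the padding, then decode strictly (raises on malformed input).
def b64url_decode(text)
  (text.tr('-_', '+/') + '=' * ((4 - text.length % 4) % 4)).unpack1('m0')
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build an HS256 token; `key` is the raw HMAC key bytes.
def sign_hs256(claims, key)
  input = [{ alg: 'HS256', typ: 'JWT' }, claims].map { |h| b64url(JSON.generate(h)) }.join('.')
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', key, input))}"
end

# Signature check only; a real verifier must also pin alg and validate claims.
def valid_hs256?(token, key)
  header, payload, sig = token.split('.')
  return false unless header && payload && sig
  secure_eq?(b64url(OpenSSL::HMAC.digest('SHA256', key, "#{header}.#{payload}")), sig)
end

# Constructed sample: 32 key bytes that are not valid UTF-8 text.
BINARY_SECRET = (0...32).map { |i| (i * 7 + 0x80) & 0xff }.pack('C*')
# Text form of the same key, safe to keep in a string field.
STORED_SECRET = b64url(BINARY_SECRET)

def demo
  token = sign_hs256({ iss: 'constructed-key-id', sub: 'user-1' }, BINARY_SECRET)
  {
    decoded_key_verifies: valid_hs256?(token, b64url_decode(STORED_SECRET)),
    encoded_text_as_key_verifies: valid_hs256?(token, STORED_SECRET)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Both sides must agree on whether the stored text is the key itself or an encoding of it; a mismatch shows up as a signature failure on every token rather than as a configuration error.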

@thibaultcha
Member

#838 adds support for base64 encoded secrets to next, it will be included in the next release.

thibaultcha modified the milestones: Feb 2016, Jan 2016 on Jan 8, 2016