
Error reproducing Auth0 instructions on “Ruby On Rails API: Authentication” #33

Closed
nilsandrey opened this issue Aug 4, 2020 · 3 comments
Labels
closed:stale Issue or PR has not seen activity recently

Comments

@nilsandrey

I used the quick start “Ruby On Rails API: Authentication” successfully. Created an API and everything works just fine. Then I tried to recreate the code but including all this on an existing Rails app and got an error.

The demo (working for me before) includes this call to the JWT gem:

JWT.decode(token, nil, # key is nil here: the block below supplies the RSA public key for each token
    true, # Verify the signature of this token
    algorithm: "RS256",
    iss: "https://" + ENV["AUTH0_DOMAIN"],
    verify_iss: true,
    aud: ENV["AUTH0_AUDIENCE"],
    verify_aud: true) do |header|
  # Key-lookup block from the Auth0 sample's json_web_token.rb: pick the JWKS key by the token's kid
  jwks_hash[header['kid']]
end

The second parameter, with nil assigned, works in the demo, but in my project it leads me to a JWT error, which I understand to mean that the parameter used for public_key shouldn't be null. But it's null in the demo and works. (UPDATE: The nil message seems to come from another object reference.) I'm kind of a newbie with JWT matters.

Error message:

undefined method `verify' for nil:NilClass
  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt/security_utils.rb:20:in `verify_rsa'

-------------------------------
Backtrace:
-------------------------------

  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt/security_utils.rb:20:in `verify_rsa'
  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt/algos/rsa.rb:15:in `verify'
  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt/signature.rb:44:in `verify'
  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt/decode.rb:42:in `verify_signature'
  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt/decode.rb:26:in `decode_segments'
  /usr/local/bundle/gems/jwt-2.2.1/lib/jwt.rb:28:in `decode'
  /api/lib/json_web_token.rb:10:in `verify'
  /api/app/controllers/concerns/secured.rb:71:in `auth_token'
  /api/app/controllers/concerns/secured.rb:50:in `authenticate_request!'

json_web_token.rb and secured.rb are identical to the sample. jwt-2.2.1 is the same gem version used in both environments.

The only difference I found between the environments of the demo and my legacy project was the Rails version: 5 in the demo and 4.x on mine. I can't upgrade right now, so if you can think of anything else I could be doing wrong it would be helpful.


Cross-posted (sorry if it's too much):

@nilsandrey
Author

Including sample code

I'm including here the code for the jwks_hash method; it is the same in both environments. I just added logger lines to the original. You can see the differences in the output for both environments below.

require 'net/http'
require 'json'
require 'base64'
require 'openssl'

# Fetches the tenant's JWKS and builds a kid => RSA public key map used by JWT.decode's key block
def self.jwks_hash
    Rails.logger.warn '---> hashing'
    Rails.logger.warn "https://#{Rails.application.secrets.auth0_domain}/.well-known/jwks.json"
    jwks_raw = Net::HTTP.get URI("https://#{Rails.application.secrets.auth0_domain}/.well-known/jwks.json")
    Rails.logger.warn jwks_raw
    jwks_keys = Array(JSON.parse(jwks_raw)['keys'])
    Rails.logger.warn '---> jwks_keys'
    Rails.logger.warn jwks_keys  # Check output of this below 👇
    Hash[
      jwks_keys
      .map do |k|
        [
          k['kid'],
          # x5c[0] is the leaf certificate (base64 DER); its public key verifies RS256 signatures
          OpenSSL::X509::Certificate.new(
            Base64.decode64(k['x5c'].first)
          ).public_key
        ]
      end
    ]
  end

Output in working demo:

W, [...]  WARN -- : [{"alg"=>"RS256", "kty"=>"RSA", "use"=>"sig", "n"=>"yDsoJbr45jlrCDQSu8X6ZAko......"]}]

W, [...]  WARN -- : {"alg"=>"RS256", "typ"=>"JWT", "kid"=>"YHEH94lH9itYZUhLx3hee"}

Output in my project:

W, [...]  WARN -- : [{"alg"=>"RS256", "kty"=>"RSA", "use"=>"sig", "n"=>"yDsoJbr45jlrCDQSu8X6ZAko......"]}]

W, [...]  WARN -- : [{"alg"=>"RS256", "kty"=>"RSA", "use"=>"sig", "n"=>"yDsoJbr45jlrCDQSu8X6ZAko......"]}]

The second element is the only point of difference between the runs I could find.

@stale

stale bot commented Nov 9, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

@stale stale bot added the closed:stale Issue or PR has not seen activity recently label Nov 9, 2020
@stale stale bot closed this as completed Nov 16, 2020
@nilsandrey
Author

Sorry about the issue, I'm happy to say the problem was just a mismatch with the audience field value. I didn't notice for days because it was just the same audience URL but with a backslash added behind 😳. I was specifying https://my.audience.url/ instead of the expected https://my.audience.url 🤦‍♂️.
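The two things this thread turned on, reduced to one stdlib-only Ruby script (added here; this is not the Auth0 sample's code): a kid-keyed lookup like jwks_hash supplying the RS256 public key, a guard so a missing kid returns an error instead of calling verify on a nil key as in the trace above, and the exact-string audience comparison under which https://my.audience.url/ is rejected when https://my.audience.url is expected. The key, kid and issuer values are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo material: one signing key standing in for the tenant's JWKS entry.
KID = 'demo-kid-1'
RSA_KEY = OpenSSL::PKey::RSA.new(2048)
JWKS_HASH = { KID => RSA_KEY.public_key } # same shape as jwks_hash: kid => public key

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Mint an RS256 token with the given header kid and claims (demo helper, not production code).
def mint_token(claims, kid: KID, key: RSA_KEY)
  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Verify the signature via kid lookup, then iss and aud by exact string match.
# Returns [:ok, payload] or [:error, reason]; never calls #verify on a nil key.
def verify_token(token, iss:, aud:)
  h, p, s = token.split('.')
  return [:error, 'malformed token'] unless h && p && s
  header = JSON.parse(Base64.urlsafe_decode64(h))
  key = JWKS_HASH[header['kid']]
  return [:error, "no key for kid #{header['kid'].inspect}"] if key.nil?
  unless key.verify(OpenSSL::Digest::SHA256.new, Base64.urlsafe_decode64(s), "#{h}.#{p}")
    return [:error, 'bad signature']
  end
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  return [:error, 'issuer mismatch'] unless payload['iss'] == iss
  # aud may be a string or an array; a trailing slash makes it a different audience
  return [:error, "audience mismatch: #{payload['aud'].inspect}"] unless Array(payload['aud']).include?(aud)
  [:ok, payload]
end
```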
