This repository has been archived by the owner on May 11, 2022. It is now read-only.

jwt verification key incorrect information #132

Closed
valenbb opened this issue Sep 10, 2016 · 5 comments
Comments

@valenbb

valenbb commented Sep 10, 2016

The documentation for editing the cf-stub.yml - jwt section does not tell us what to do properly. We could not use the generated pub file.
Used the following to cat the output file:
openssl rsa -in jwt-key.pem -pubout > key.pub

ssh-keygen -f jwt-key.pem does not create a pub key which includes the begin and end lines.

jwt:
verification_key: JWT_VERIFICATION_KEY
signing_key: JWT_SIGNING_KEY

Instead of just stating where each key is used, the begin and end lines should be inserted so that admins know what to look for after generating these keys. For example,

verification_key: JWT_VERIFICATION_KEY
-----BEGIN PUBLIC KEY-----
PUBLIC_KEY
-----END PUBLIC KEY-----
signing_key: JWT_SIGNING_KEY
-----BEGIN RSA PRIVATE KEY-----
RSA_PRIVATE_KEY
-----END RSA PRIVATE KEY-----

Without proper information my team spent close to two months trying to figure out the resolution for:
API endpoint: https://api.cftest.test.local (API version: 2.58.0)
User: admin
No org or space targeted, use 'cf target -o ORG -s SPACE'
FAILED
Error finding available orgs
Server error, status code: 500, error code: 0, message:

@cf-gitbot
Collaborator

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/130138453

The labels on this github issue will be updated when the story is started.

@valenbb
Author

valenbb commented Sep 10, 2016

There was a typo in the statement "ssh-keygen -f jwt-key.pem does create a pub key which includes the begin and end lines"

It should be does not.

Thanks

@wbean1

wbean1 commented Sep 21, 2016

+1, this area needs better docs, especially given the changes to these parameters in v242. I spent two days trying to migrate to the new properties (uaa.jwt.policy.keys) before giving up and staying on the deprecated ones.

@jbheron
Contributor

jbheron commented Sep 30, 2016

Thanks @valenbb, I've updated our docs per your suggestion, and will touch base with the CF UAA team for further guidance about uaa.jwt.policy.keys that @wbean1 mentioned causing them some trouble. Closing.

@jbheron jbheron closed this as completed Sep 30, 2016
@valenbb
Author

valenbb commented Oct 1, 2016

@jbheron, "openssl rsa -in jwt-key.pem -pubout > key.pub" does not create the private key, it only outputs the public key with the BEGIN and END lines. We would still need to use a mechanism to create the private key.

A quick recommendation for the jwt process:

  1. Create the jwt signing key using "openssl genrsa -out jwt-key.pem 2048"
  2. Obtain jwt verification key using "openssl rsa -in jwt-key.pem -pubout > key.pub"

Please test this out and update the document.

Thanks.
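The two-step procedure in the comment above (and the key-generation question raised in the opening report) as a worked script. This is an added example, not code from the issue or from cf-release/UAA: it generates the pair with the exact openssl commands suggested, reports the PEM header line an admin should expect to see when pasting each file into the jwt section of cf-stub.yml, checks that the two files share a modulus, and then proves the pair works by signing a minimal RS256 JWT with the private key and verifying it with only the public key. File names, the working directory and the sample claims are assumptions. One caveat worth knowing when checking the headers: OpenSSL 1.x writes the private key as "-----BEGIN RSA PRIVATE KEY-----" (PKCS#1), while OpenSSL 3 writes "-----BEGIN PRIVATE KEY-----" (PKCS#8) by default; the key material is the same, but confirm which form the component consuming signing_key accepts.

```shell
#!/bin/sh
# Added example (not from the original issue or from cf-release): generate the
# JWT signing/verification pair, inspect the PEM headers, confirm the pair
# belongs together, and round-trip an RS256 JWT. Requires openssl on PATH.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: a writable scratch dir
PRIV="$WORKDIR/jwt-key.pem"          # contents go into jwt.signing_key
PUB="$WORKDIR/key.pub"               # contents go into jwt.verification_key

# base64url per RFC 7515: standard base64, '+/' -> '-_', no '=' padding.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Reverse of b64url: restore the alphabet and the padding, then decode.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Steps 1 and 2 from the comment: private key first, public key derived from it.
gen_jwt_keys() {
  openssl genrsa -out "$PRIV" 2048 2>/dev/null
  openssl rsa -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# First line of a PEM file: the BEGIN marker an admin should look for.
pem_header() { head -n 1 "$1"; }

# A signing key and a verification key belong together only if they share a
# modulus; a mismatched pair makes every token check fail server-side.
keys_match() {
  priv=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  pub=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# Build header.payload.signature, RS256 (RSASSA-PKCS1-v1_5 over SHA-256) of
# the first two segments, signed with the private key.
sign_jwt() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '%s' "$1" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$PRIV" -binary | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# Verify a token using only the public key file. Exit status 0 = valid.
verify_jwt() {
  tok=$1; keyfile=$2
  signed=${tok%.*}          # header.payload
  sig=${tok##*.}            # signature segment
  b64url_decode "$sig" > "$WORKDIR/sig.bin"
  printf '%s' "$signed" | openssl dgst -sha256 -verify "$keyfile" \
    -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

# Run directly with "demo" to see the headers and a verification result.
if [ "${1:-}" = "demo" ]; then
  gen_jwt_keys
  echo "signing_key starts with:      $(pem_header "$PRIV")"
  echo "verification_key starts with: $(pem_header "$PUB")"
  keys_match "$PRIV" "$PUB" && echo "moduli match"
  tok=$(sign_jwt '{"sub":"admin","scope":["cloud_controller.admin"]}')
  verify_jwt "$tok" "$PUB" && echo "RS256 signature verified with key.pub"
fi
```

Run it as `sh jwt-keys.sh demo`. The private-key header check in a script should accept both the PKCS#1 and PKCS#8 markers, since which one `genrsa` emits depends on the OpenSSL version; the public key from `-pubout` is always the SubjectPublicKeyInfo form with the "-----BEGIN PUBLIC KEY-----" marker that the issue asks the docs to show.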
