Creating Jwt with private key #21

Closed
pranay-thales opened this issue Apr 29, 2019 · 10 comments

Comments

@pranay-thales

Hi,
Thanks for creating this library. It is really a great help for implementing OIDC.
I was not able to create a JWT token with a private key. I wanted to set the following parameters:
1. authority
2. redirecturl
3. sessionid or state
4. privatekey

Can you please share a sample, if the library can support the above parameters?

@Thalhammer
Owner

Yeah sure:

std::string rsa_priv_key = R"(-----BEGIN PRIVATE KEY-----
MIIEvwIBA....
-----END PRIVATE KEY-----)";

std::string rsa_pub_key = R"(-----BEGIN PUBLIC KEY-----
MIIBIjA.....
-----END PUBLIC KEY-----)";

auto token = jwt::create()
		.set_payload_claim("authority", jwt::claim(std::string("your authority")))
		.set_payload_claim("redirecturl", jwt::claim(std::string("https://google.de")))
		.set_payload_claim("sessionid", jwt::claim(std::string("testid")))
		.sign(jwt::algorithm::rs256(rsa_pub_key, rsa_priv_key, "", ""));

@pranay-thales
Author

Thanks for replying. I am new to C++. I wanted to use this token in an encrypted format as a string.
Although I am able to create the token, how do I use it in a string format?

@Thalhammer
Owner

JWTs are not encrypted (by default); they are only signed. That said, the variable "token" in the above example is of type std::string.

@pranay-thales
Author

pranay-thales commented Apr 30, 2019

Hi, while creating the JWT with public and private key I am getting an unhandled exception in the constructor of rsa at line 215 in JWT.h:
"std::unique_ptr<BIO, decltype(&BIO_free_all)> privkey_bio(BIO_new(BIO_s_mem()), BIO_free_all);"

The public and private key are unencrypted as well.

@Thalhammer
Owner

Which exception do you get?

@pranay-thales
Author

Unhandled exception at 0x00007FFF4D1B8E6C in w3wp.exe: Microsoft C++ exception: jwt::rsa_exception at memory location 0x00000074EB7D9338.

@Thalhammer
Owner

This is not the line where the error occurs. Catch the exception and post its message.

@pranay-thales
Author

pranay-thales commented May 1, 2019

The error message which I am getting is:
failed to load public key: PEM_read_bio_PUBKEY failed
The public key I am providing is:
string publicKey = "-----BEGIN PUBLIC KEY--------------END PUBLIC KEY----- ";
string privateKey = "-----BEGIN RSA PRIVATE KEY----------END RSA PRIVATE KEY-----\r\n";
std::string jwtToken = jwt::create()
		.set_payload_claim() // some payload claims set, required for OIDC
		.set_type("JWT")
		.sign(jwt::algorithm::rs256(publicKey, privateKey, "", ""));

Is there a provision to sign the JWT by providing the private key only? I am able to achieve this through the hs256 algo but not in rs256.

@pranay-thales
Author

We are using RSACryptoServiceProvider in C#, which only takes the private key; the public key is not required for signing. Does that not apply here in the case of rs256?

@Thalhammer
Owner

Those keys are not valid keys.
Currently the constructor of rsa requires a public key to be present.
However, it should be possible to extract the public key from the private key you have. There should be functions present in your crypto provider to do that. Also, I might add a helper to the library to import only a private key.
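
Added example, not part of the thread and not jwt-cpp code: a structural pre-check of a PEM string that reports why a key like the ones posted above would be rejected before it reaches `jwt::algorithm::rs256`. `check_pem` and `PemStatus` are hypothetical names, the inputs are constructed, and the expected label `PUBLIC KEY` is the one read by `PEM_read_bio_PUBKEY`, the call named in the error message. Passing this check does not prove the key parses; OpenSSL still has to decode the body.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not a jwt-cpp API): structural check of one PEM block.
enum class PemStatus { Ok, NoBegin, NoEnd, LabelMismatch, WrongLabel, EmptyBody, BadBase64 };

PemStatus check_pem(const std::string& pem, const std::string& want_label) {
    const std::string begin = "-----BEGIN ", end = "-----END ", dashes = "-----";
    const auto npos = std::string::npos;

    // Header line: -----BEGIN <label>-----
    auto b = pem.find(begin);
    if (b == npos) return PemStatus::NoBegin;
    auto label_at = b + begin.size();
    auto b_close = pem.find(dashes, label_at);
    if (b_close == npos) return PemStatus::NoBegin;
    const std::string label = pem.substr(label_at, b_close - label_at);

    // Footer line: -----END <label>-----, carrying the same label
    auto body_at = b_close + dashes.size();
    auto e = pem.find(end, body_at);
    if (e == npos) return PemStatus::NoEnd;
    auto e_label_at = e + end.size();
    auto e_close = pem.find(dashes, e_label_at);
    if (e_close == npos) return PemStatus::NoEnd;
    if (pem.substr(e_label_at, e_close - e_label_at) != label) return PemStatus::LabelMismatch;
    if (label != want_label) return PemStatus::WrongLabel;

    // Body: base64 characters only, non-empty, length a multiple of 4
    std::size_t n = 0;
    for (auto i = body_at; i < e; ++i) {
        unsigned char c = static_cast<unsigned char>(pem[i]);
        if (std::isspace(c)) continue;
        if (!std::isalnum(c) && c != '+' && c != '/' && c != '=') return PemStatus::BadBase64;
        ++n;
    }
    if (n == 0) return PemStatus::EmptyBody;
    return n % 4 == 0 ? PemStatus::Ok : PemStatus::BadBase64;
}

int main() {
    // Constructed input: header and footer with nothing between them.
    const std::string empty_pub = "-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----\n";
    bool empty = check_pem(empty_pub, "PUBLIC KEY") == PemStatus::EmptyBody;
    std::cout << (empty ? "public key has no body\n" : "unexpected result\n");
    return empty ? 0 : 1;
}
```

Report only the status, never the key string itself, when logging a rejected private key.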
