Unable to validate JWT via external service #377
Description
Summary and context
The external JWT validator service successfully receives the POST request and returns 200 OK but RIG always returns "Invalid Signature".
How to reproduce
When I run RIG with these settings:
-
External service is running on port 3000 on host machine and is accessible from docker containers.
-
External service immediately returns 200 OK for testing and doesn't actually validates the JWT.
-
RIG Config values:
SUBSCRIPTION_CHECK=http://host.docker.internal:3000
..and set up clients and services like this:
- Initiate Websocket connection:
$ wscat -c ws://localhost:4000/_rig/v1/connection/ws
- Subscription request:
$ curl -X PUT -H "Content-Type: application/json" -d '{"subscriptions":[{"eventType":"position","oneOf":[{"userType":"admin"}]}]}' -H "Authorization: Bearer jwt_token" "http://localhost:4000/_rig/v1/connection/ws/0B7ilUe9imppbOep5E9Gw_KD8ZR7Jal4HK2ZyG0cZXO2VBwxAxT8ZIUGA_YORriC7I3nppuaNfv48PQzbtQ=/subscriptions"
..I see the following error and/or log output:
- Subscription response:
cannot accept subscription request: invalid authorization header: could not decode JWT: Invalid signature
- JWT service received request from RIG:
{
method: 'POST',
url: '/',
header: {
authorization: 'Bearer jwt_token',
host: 'host.docker.internal:3000',
'user-agent': 'hackney/1.16.0',
'content-type': 'application/json',
'content-length': '75'
}
}
- RIG logs:
rig-dev | 16:15:06.145 module=Phoenix.Logger request_id=Fn_mwLBz4wK9hIAAAABB [debug] Processing with RigInboundGatewayWeb.V1.SubscriptionController.set_subscriptions/2
rig-dev | Parameters: [UNFETCHED]
rig-dev | Pipelines: [:api]
rig-dev | 16:15:06.145 module=Plug.Logger request_id=Fn_mwLBz4wK9hIAAAABB [debug] PUT /_rig/v1/connection/ws/0B7ilUe9imppbOep5E9Gw_KD8ZR7Jal4HK2ZyG0cZXO2VBwxAxT8ZIUGA_YORriC7I3nppuaNfv48PQzbtQ=/subscriptions
rig-dev | 16:15:06.149 module=RigInboundGatewayWeb.V1.SubscriptionController request_id=Fn_mwLBz4wK9hIAAAABB [warn] failed to associate to session: ["%RIG.JWT.DecodeError{cause: "Invalid signature"}"]
..but I really expected this:
- Successful subscription:
{"subscriptions":[{"eventType":"position","oneOf":[{"userType":"admin"}]....
Versions (please complete the following information):**
- Host OS: Docker on MacOS[MacBook Pro (16-inch, 2019)]
- Frontend: curl
- RIG version as shown on startup: Reactive Interaction Gateway 3.0.0-alpha.1 [rig@127.0.0.1, ERTS 11.1.8, OTP 23]
Metadata
Metadata
Assignees
Type
Projects
Milestone
Relationships
Development
Participants
Activity
patrickmedina commentedon May 17, 2021
Better to implement JWKS validation as alternative to external JWT validation service. I think JWKS hooks for Joken can be used for this.
Subscriptions controller: Ignore JWTs that can't be validated
kevinbader commentedon May 23, 2021
@patrickmedina should be fixed with #378 - can you confirm?
patrickmedina commentedon May 24, 2021
@kevinbader Thank you for the fix. It is now working for manual subscriptions, it is now validating against the configured external service via SUBSCRIPTION_CHECK envvar.
Can we have this work as well on automatic subscriptions via JWT claims? This will be a great help as well to reduce the API calls and rely on the JWT claims for the subscriptions on initial connection.
Currently when passing JWT during websocket connection, it still checks for internal JWT configuration instead of validating against an external service.
Request:
or
RIG Logs:
kevinbader commentedon May 24, 2021
Ah, I see. I need to redesign this a bit to only allow invalid JWTs in case SUBSCRIPTION_CHECK isn't set to jwt_validation and generally make this more consistent. It'll take me a few days to do it though.