JWT Auth - RS512 unsupported, because cannot possibly supply private key in the JWT_APP_SECRET variable #1771
Comments
Weird because here they mention RS256 for example: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md |
What image version are you using and what does your .env file look like? |
@saghul Thank you for your prompt reply. I am running
Perhaps I just need to dearmor it, but I haven't seen any functionality in the code to actually support RS512 like that as mentioned above |
To use RS512 you need to set up: JWT_ASAP_KEYSERVER |
@damencho ahh the documentation states or looks as if the two variables |
Yep it is secret or asap server. |
Yup, so that specific part of documentation is weirdly written, but the code is correct. |
Please reopen, since when I try using RS512 with a static kid and a static pubkey and privkey I get the following error: |
What it is the jwt header? |
I've used a static kid and pubkey to minimize the amount of variables at play here, if you're wondering. In an OIDC flow it would be hard to comprehend where the error is originating from |
There is a parameter to configure the key mode, did you set it? |
You mean |
And you have on the public key server the file with the public key: 1e498e0c1d6dd521618c0da2fd301aa9f9a5e44986b52a617c078cfb5c554c1b.pem? |
Yes, it doesn't get 404 anymore. I fixed it beforehand, initially I named it just the hash without the .pem file ending |
It fetches the cert for sure, that's what I wanted to say. I don't get why I get the error. It seems to originate from |
I'm gonna post the contents of the payload for safety as well. For example, I didn't set nbf to 0... |
This needs to be configured to RS512. If there is an ASAP key server we default to RS256. I don't think we expose a setting for it in Docker, we'd need to add one. |
I tried manually setting the default to RS512, but I need to reload the config to test it. Is it possible somehow within the container? (only for testing purposes) |
Alas, I don't think so. You could volume mount a modified file. |
Managed to reload it with |
Not sure you can do that in docker, but: |
What's the best approach to fix this? To detect the alg instead of relying on defaults? |
To expose a setting to be able to change default in docker. |
The problem is that it's not part of the prosody/rootfs folder... I wanted to add it like this:
but it would not work :/ |
It can be because it's a Prosody module setting. |
How do I expose it then? With a static volume mount / bind mount? |
An option with the name signature_algorithm needs to be exposed, akin to app_id. |
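To make the alg-pinning point of this thread concrete, here is an added example (not code from docker-jitsi-meet or Prosody): a minimal RS512 signer and a verifier that, like a verifier configured through signature_algorithm, compares the token's alg header with its own configured value before checking the signature. The key, kid and claims used in the test are constructed for the example.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
var b64 = base64.RawURLEncoding
// SignRS512 builds a compact JWS (header.payload.signature), alg RS512 = RSASSA-PKCS1-v1_5 over SHA-512.
func SignRS512(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	sum := sha512.Sum512([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// Verify acts like a verifier with a pinned signature_algorithm: the token's alg header must
// equal the configured value (an RS512 token meets the RS256 default here), then the signature is checked.
func Verify(pub *rsa.PublicKey, configuredAlg, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr map[string]string
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("undecodable header")
	}
	if hdr["alg"] != configuredAlg || configuredAlg != "RS512" {
		return nil, fmt.Errorf("alg mismatch: token %q, verifier configured for %q", hdr["alg"], configuredAlg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	sum := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, sum[:], sig); err != nil {
		return nil, err
	}
	var claims map[string]any
	raw, _ := b64.DecodeString(parts[1])
	return claims, json.Unmarshal(raw, &claims)
}
```

The same token is accepted by a verifier configured for RS512 and rejected by one left at RS256, which is the failure mode reported above.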
Didn't have any rights to make a new branch and/or make a PR so forked it and edited it accordingly: https://github.com/DevelopingEntitiesWithFuntations/docker-jitsi-meet/ (it's forked from master though...) This should solve the issue |
Nvm, managed to create a pull request, please look into it :) |
…used the right variable (jitsi#1771)
Please reopen. In the And yet in the |
And do you see in the resulting configuration the correct parameter |
That param was added in the wrong place, just for the jigasi virtual host. |
That needs to go under the VirtualHost "{{ $XMPP_DOMAIN }}" and you should remove it from the jigasi.meet.jitsi host. |
Silly mistake from my side, sorry... Created a new PR. |
Tested on stable-9753 with updated docker-compose.yml, this issue is fixed. Thank you! |
In JWT Auth environment variables there's no alternative to provide a private key file or to add it directly to the JWT_APP_SECRET variable, because it will complain about the first "+" in the private key.
I wanted to implement RS512 JWT checking, but realized it's not possible to do that with Docker at least, because the Lua script will simply fail at one of those characters.
It would be nice to mention that in the documentation with the supported algs.