5

I am using Kotlin with Vertx at the Backend and the frontend forwards me a JWT token after getting authenticated from One Login. Now, I want to make sure that the Token is valid not fake(made up). If I follow following link, it says that I need a public key to be able to create a JWTAuth object which I can use to call authenticate for validation. https://vertx.io/docs/vertx-auth-jwt/kotlin/

I need to know where can I get public key?

Adnan Raza
  • 105
  • 1
  • 9
  • Whoever issues the JWT is usually the one who would have the key to sign and open it. I didn't read through the full documentation link you gave, but the workflow is server creates and signs the JWT, sends it to the frontend, who then passes it back to the server at some later point. Then, the server can open it and check the claims, etc. – Tim Biegeleisen Jun 28 '18 at 07:01

2 Answers2

4

I don't know about OneLogin but from their documentation I can see that they are a SAML/OpenId Connect provider, so the public key can easily retrieved from their configuration. According to their docs you can locate your instance config from:

https://<subdomain>.onelogin.com/oidc/.well-known/openid-configuration

From this file you should look up the key jwks_uri which will hold a value like: https://acme.onelogin.com/oidc/certs. If you get this URL you'll have a JSON similar to this:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "JRcO4nxs5jgc8YdN7I2hLO4V_ql1bdoiMXmcYgHm4Hs",
      "n": "z8fZsz...GHSTAoQw",
      "e": "AQAB"
    }
  ]
}

This file is a JSON Web Key (chain) This JSON can be feed to JWTAuth to load the key and do the validation you need. As a side note for 3.6 The will be proper OpenId Connect Discovery support in the module OAuth2 which means you don't need to fiddle with this anymore and just pass the URL if your provider and everything will be properly configured.

Paulo Lopes
  • 5,845
  • 22
  • 31
  • 1
    Could you please tell which one in these values is the public key? as per Vertx spec , I need to provide **"publicKey" : "BASE64-ENCODED-PUBLIC_KEY"**? I have tried both and got InvalidKeyException. – Adnan Raza Jul 02 '18 at 04:27
0

Thank you very much for a too-the-point answer. I am able to access the JSON Web Key and I have also fed it into JWTAuth.create and now the JWTCreate is not throwing any exception. However, provider.authenticate always fails to authenticate it even though I am using an authenticated JWT token which is being sent from frontend.

I used following way to create JWTAuth object.

       var jsonObject = JsonObject("<I Copied all contents of Json Web Key here.>")
       var provider = JWTAuth.create(myvertx, jsonObject)

Then I used 

        var idJson = JsonObject()
        idJson.put("jwt", myJWTToken)

        var optionsJson = JsonObject()
        optionsJson.put("ignoreExpiration",true)

        idJson.put("options", optionsJson)

        provider.authenticate(idJson, { asyncresult ->
            println("Is authenticated = ${asyncresult.succeeded()}")

})

But when I tried using Vertx way of providing public key using PubSecKeyOptions and JWTAuthOptions, by copying the key from the OneLogin certs URL, It threw an exception saying "InvalidKeyException"

Caused by: java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=71, too big.
at sun.security.x509.X509Key.decode(X509Key.java:398)
at sun.security.x509.X509Key.decode(X509Key.java:403)
at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:86)
at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
... 51 more
Adnan Raza
  • 105
  • 1
  • 9
  • 1
    I just went over the code and noticed the JWK API was only exposed (wrongly) to the OAuth2 code, so I've added a fix to support it on JWT too: https://github.com/vert-x3/vertx-auth/pull/227 you should expect this to be in version 3.6 – Paulo Lopes Jul 02 '18 at 09:26
  • Thanks, and could you please advise about when is version 3.6 expected to be available? and after the fix will my above mentioned code work with authenticate method, or are there any corrections needed? please confirm. – Adnan Raza Jul 03 '18 at 00:56
  • 1
    The expected release of 3.6 is this fall. Once that happens you can either use the JWT Auth or the Oauth2 one. The latest will be simpler as you only need to know the clientId, clientSecret and the server url. – Paulo Lopes Jul 03 '18 at 05:44