
I've a JWT token from an AWS Cognito login process. This token needs to be sent from the application to some other APIs (via cookie or bearer header, I've not yet decided).

The receiving APIs have been proxied behind nginx/openresty, so I'm thinking of validating the JWT token before the upstream.

I'm using this library (it seems the most updated): https://github.com/cdbattags/lua-resty-jwt

Then I followed these steps:

  1. Download the JWKS file from my account

    wget https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_5zCVSiMVH/.well-known/jwks.json

  2. Convert the JWKS to PEM with jwks2pem

    cat jwks.json| jwks2pem > key.pem

  3. Then this code

    local jwt = require "resty.jwt"
    local cjson = require "cjson"   -- needed for cjson.encode below

    local key = [[ -----BEGIN PUBLIC KEY-----
    (content of key.pem)
    -----END PUBLIC KEY-----
    ]]

    local jwt_token = ""   -- the Cognito token to validate

    -- parse the token, then check its signature against the PEM key
    local jwt_obj = jwt:load_jwt(jwt_token)
    local verified = jwt:verify_jwt_obj(key, jwt_obj)

    ngx.say(cjson.encode(jwt_obj))


The code fails:

    $ resty jwt.lua
    {"valid":false,"reason":"invalid algorithm: RS256","verified":false}

Where am I wrong?

  • `This library requires an nginx build with OpenSSL, the ngx_lua module, the LuaJIT 2.0, the lua-resty-hmac, and the lua-resty-string` - are you sure these conditions are met? – s-ol Apr 02 '19 at 08:54

1 Answer

OK, the problem is the key. I've successfully obtained the PEM key from the JWKS with this other tool: https://www.npmjs.com/package/jwk-to-pem

The validation now works.

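A fuller OpenResty-side check, as an added example that is not part of the question, the answer, or lua-resty-jwt's own code. It goes beyond the question by selecting the PEM by the token's `kid` and pinning the claims; it assumes the PEM files converted from jwks.json are stored per key under `/etc/nginx/cognito/` (the `KID_PLACEHOLDER_*` names, the paths and `CLIENT_ID` are placeholders) and that it runs inside an `access_by_lua_block`.

```lua
-- Added example (not from the question or lua-resty-jwt); runs in access_by_lua_block.
-- Key paths, kid values and CLIENT_ID are placeholders to replace.
local jwt = require "resty.jwt"
local validators = require "resty.jwt-validators"
local ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_5zCVSiMVH"
local CLIENT_ID = "REPLACE_WITH_APP_CLIENT_ID"

-- jwks.json lists more than one key; keep one PEM per "kid" so the key named
-- in the token header is the one used to verify it.
local function read_file(path)
  local f = assert(io.open(path, "r"))
  local data = f:read("*a")
  f:close()
  return data
end
local KEYS = {
  KID_PLACEHOLDER_1 = read_file("/etc/nginx/cognito/key1.pem"),
  KID_PLACEHOLDER_2 = read_file("/etc/nginx/cognito/key2.pem"),
}

-- Accept "Authorization: Bearer <token>" or a cookie named id_token.
local function extract_token()
  local auth = ngx.var.http_authorization
  local token = auth and auth:match("^[Bb]earer%s+(.+)$")
  return token or ngx.var.cookie_id_token
end
local token = extract_token()
if not token then return ngx.exit(ngx.HTTP_UNAUTHORIZED) end

-- Only RS256 is acceptable here; "none" and HMAC algs are refused outright.
jwt:set_alg_whitelist({ RS256 = 1 })

local jwt_obj = jwt:load_jwt(token)
local key = jwt_obj.valid and KEYS[jwt_obj.header.kid]
if not key then return ngx.exit(ngx.HTTP_UNAUTHORIZED) end

-- A good signature is not enough: pin issuer, audience, token type and expiry.
local claim_spec = {
  iss = validators.equals(ISSUER),
  aud = validators.equals(CLIENT_ID),
  token_use = validators.equals("id"),
  exp = validators.is_not_expired(),
}
jwt_obj = jwt:verify_jwt_obj(key, jwt_obj, claim_spec)
if not jwt_obj.verified then
  ngx.log(ngx.WARN, "jwt rejected: ", jwt_obj.reason)
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
-- Hand the verified subject to the upstream instead of the raw token.
ngx.req.set_header("X-User-Sub", jwt_obj.payload.sub)
```

For a Cognito access token rather than an ID token, the audience lives in the `client_id` claim and `token_use` is `"access"`, so those two validators change accordingly.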