
I'm following these:

and have created a secret.key like below using https://mkjwk.org/ to match the example in the first URL above:

oct key type

According to https://auth0.com/blog/navigating-rs256-and-jwks/ because this is an HS type:

"Simply put HS256 must share a secret with any client or API that wants to verify the JWT"

So I naively assumed to use the "k" as the secret to sign the JWT on the server issuing the JWT to use in the password field of any XMPP client (stanza.io and pidgin on the desktop).

What am I misunderstanding? I have confirmed ejabberd starts up correctly with (via ejabberdctl live and loglevel 4):

auth_method: [jwt, ldap]
jwt_key: /opt/ejabberd/conf/secret.jwk

and that I can still authenticate with a password in our Directory Server, but I can't with the JWT. I don't think I'm generating it correctly because I'm just signing it like a normal shared key JWT.

Thanks, Gavin.

Gavin Henry
  • Has anyone generated a JWT using a shared secret inside a JWK? In any language that they can point me to some docs of? Not fussed what language it is :-) – Gavin Henry Apr 30 '20 at 18:56

2 Answers


"k" is the secret used to sign the JWTs you generate, you assumed correctly.

However, https://mkjwk.org (and jabber) use Base64url (RFC 4648 §5) encoded secrets. Please try decoding the value of "k" before signing your JWT, as other libraries (and algorithms) usually do not expect an encoded secret, especially a url-encoded secret.

You can check out https://jwt.io/ to manually create or modify your JWTs and see what is going on with them, with an option to have the secret encoded or not. It however handles base64-url encoding transparently.

Panter4
  • { "keys": [ { "kty": "oct", "use": "sig", "kid": "testing", "k": "0_9uMKBuLT3EmKEqOuFG5Srl9TD1RCw44pgSPeT9qykpTGdQWQi5AnIqxevfIccpr-A_J08D2t0lf1tAK-LRLCbWeewfPptqHS_HxwaeQIcSwO6IP2POIRzc28Z9XftuR7zk-T63C0ZtWyUvAdm0S3LitCjUdFAnacWQItLc9oswUjWt4w2l5tW-Kcp495lWK9SbovAofO5kgqqDkMZqQyQtbRUAI6EjHJDu0XWAap7ib55Bj19D902nzUWOPsin3LcWO0_FgbcHYomCbo7YXB7kUkWR3lVgAUisYbeQ9HXGkGqdvoRlH7XLhRU0TfzS3TstynA8xbCj66ew9ebzTA", "alg": "HS256" } ] } is the JSON, but that k value doesn't decode into ASCII. Should it? – Gavin Henry May 31 '20 at 20:58
  • No, the key is binary; random 512 bits (or whatever length you selected) won't decode to anything readable. – Panter4 Jun 01 '20 at 16:00
  • Thanks @Panter4, you saved my day!! Decoding (base64-decode) the "k" before using it to generate my tokens made it work. I didn't know these tools always generate the tokens base64-encoded, and thus I had to decode before signing. – Emilio Feb 11 '21 at 22:47
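A worked version of the fix described in this answer, added here as an example and not taken from any answer or from ejabberd: read a symmetric ("oct") JWK, base64url-decode "k" (restoring the padding JWK omits), sign an HS256 JWT with the decoded bytes, and show that the same token does not verify against the raw text of "k". The JWK and key below are constructed; the jid and exp claims follow ejabberd's documented JWT auth, which this page does not describe.

```python
"""HS256 JWT from an 'oct' JWK: base64url-decode "k" before signing (stdlib only)."""
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # JWK and JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def hmac_key_from_jwk(jwk: dict) -> bytes:
    """Return the raw HMAC key held by a symmetric ('oct') JWK."""
    if jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric (kty=oct) JWK")
    return b64url_decode(jwk["k"])  # the decoded bytes, not the text of "k"

def sign_hs256(payload: dict, key: bytes) -> str:
    """Compact-serialize a JWT and sign header.payload with HMAC-SHA256."""
    segs = [b64url_encode(json.dumps(o, separators=(",", ":")).encode())
            for o in ({"alg": "HS256", "typ": "JWT"}, payload)]
    sig = hmac.new(key, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(sig)])

def verify_hs256(token: str, key: bytes):
    """Return the payload if the HS256 signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3 or json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        return None  # malformed, or an alg we do not accept (no alg confusion)
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))

# Constructed sample: a 256-bit key wrapped in a JWK shaped like mkjwk.org output.
SAMPLE_KEY = bytes(range(32))
SAMPLE_JWK = {"kty": "oct", "use": "sig", "kid": "testing", "alg": "HS256",
              "k": b64url_encode(SAMPLE_KEY)}

if __name__ == "__main__":
    key = hmac_key_from_jwk(SAMPLE_JWK)
    # Claims ejabberd's JWT auth checks (per ejabberd docs, not this page): jid and exp.
    token = sign_hs256({"jid": "alice@example.org", "exp": int(time.time()) + 300}, key)
    print("decoded k verifies:", verify_hs256(token, key) is not None)
    # The question's mistake: treating the base64url text of "k" as the key bytes.
    print("raw k string verifies:", verify_hs256(token, SAMPLE_JWK["k"].encode()) is not None)
```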

I was able to authenticate using a JWT token: I signed the JWT using "k" and placed this key set in secret.jwk:

{
    "keys": [
        {
            "kty": "oct",
            "use": "sig",
            "kid": "",
            "k": "",
            "alg": "HS256"
        }
    ]
}

After passing the jabber id & JWT token to strophe.connect() it got connected. This is the backend configuration I had:

auth_method: [jwt, sql]
jwt_key: /usr/local/etc/ejabberd/secret.jwk
default_db: sql
new_sql_schema: true
sql_type: mysql

access_rules:
  jwt_only:
    deny: admin
    allow: all
  local:
    allow: all
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: all
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback

jwt_auth_only_rule: jwt_only
AD95
  • You mean k and kid should be blank all the time, or do I need to replace them with my content? I have used yours and generated a token, but it didn't work for me. – vavadiya hiren Jan 18 '21 at 13:29
  • My key file looks like below: { "kty": "oct", "use": "sig", "k": "XckBSF7uaA5fTR4JK1QkLaguwh9MO70__kd3s8lPTWaVmbOLPE8JBIG1yPs3in9YSJER2QdxjerNaLT_6OhmX2JnB_zeUz1m7EN-ThtbKXUjwauUMoT4PE_fyuqPQMvW-rsAkBjkz0MM_rKm30IxNN3oeXdhEIhMHlVXNumMwzcG7rctUHuFZmxsNKB1CJhTgRSJA7u4Ol0Fm07KA9E4glwK-XdeYza0nMuv3CC8P72i_1eCwBs2UXRyj4VnRrdjZflY0IomZ7iDowdldJwx-WVN51xhtda8dlNMa-p_TJrKjNhBG6f_5afNWzLB9hYJ5-AZcMksZRPgafAvUAOiyw", "alg": "HS256" } Can anybody help me generate a token so I can log in to my ejabberd? – vavadiya hiren Jan 18 '21 at 14:22