mod_authnz_jwt
Cognito integration
We are utilizing Apache HTTP server as a gateway in AWS for APIs and front-end web code in S3 buckets. We currently use mod_auth_mellon for authentication and pass user information in headers back to our APIs when a client successfully authenticates.
We are looking to switch to AWS Cognito for authentication utilizing JWT.
I have been experimenting with your module. On its own, I can utilize JWT to grant access to protected URIs. When I attempt to utilize it with Cognito, I am running into errors.
Steps used to recreate:
- Harvest jwks.json for our specific user pool in Cognito:
https://cognito-idp.us-east-1.amazonaws.com/
/.well-known/jwks.json
I pull the one public key from it that our JWT tokens are signed with.
- Run that public key through the following process: convert it to PEM: https://runkit.com/npm/jwk-to-pem
- Trim out all unnecessary info from the PEM: `openssl rsa -inform pem -in FILEPATH.pem -pubin -pubout -RSAPublicKey_in`
When I put the JWT token I have and the fully processed PEM into the debugger on https://jwt.io, the signature validates correctly. However, when I throw them into Apache utilizing mod_authnz_jwt, I get an invalid token and/or invalid signature error.
The problem is 2-fold: Cognito exposes 2 keys through the jwks.json, and this module claims invalid token/signature when converting one of the keys for static use. Can you modify this module so I can pass it the URL for the jwks.json file and have the module harvest and convert those keys?
Hello,
The token should be correctly decoded if you transform the public exponent "n" of your jwks into a valid PEM RSA public key. To validate the signature, I'm using libjwt (https://github.com/benmcollins/libjwt), which itself uses openssl.
Can you give me the public keys in PEM format used to check validation and a JWT (even expired) delivered by AWS, to try to help you more? You can email me at anthony[at]deroche.me
Regarding the last question, I cannot support JWKS for the moment in my module, although it might be interesting to do so. The underlying library I'm using does not support JWKS itself. I will propose it on the tracker.
Thanks. I emailed you the requested items. Did you receive them? Thanks.
Hello, yes I received your email. I will take a look at this and I will keep you posted.
I reproduced the bug, and it seems to be a bug in the underlying lib I'm using to decode tokens. I opened an issue on the repo of the lib. I will keep you posted as soon as I have more information.
The bug has been fixed; you should be able to validate tokens with my module using a PEM public key. Be careful to use libjwt v1.7.3, I updated the README with the correct version.
Thank you. I will put libjwt 1.7.3 into the lab and will update you with the findings.
I have been able to confirm that if I utilize the correct key that the JWT will validate. However, a Cognito user pool utilizes 1 of 2 keys to sign the JWT. Is there a mechanism that I can utilize to specify both keys as 2 AuthJWTSignaturePublicKeyFile entries in the Apache config, or add both keys to 1 file and have the module iterate over both keys to validate the JWT?
If you require a new JWT, let me know and I can supply that via email. Thanks.
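The two problems raised in this thread, converting a Cognito JWK into a PEM that a PEM-only validator accepts, and dealing with a user pool that publishes two signing keys, are shown together in the following added example. It is not code from mod_authnz_jwt, libjwt or any poster; it uses only the Python standard library and writes the DER encoding by hand so it runs offline. The JWKS document, the key IDs `key-1`/`key-2` and the token are constructed for illustration; the moduli are not real RSA keys. Selecting the key by the token's `kid` header is what a validator with JWKS support would do in place of trying one statically configured key.

```python
"""Convert the RSA keys in a Cognito-style JWKS document to PEM and pick the
right key for a token by its ``kid`` header.

Added example, not part of mod_authnz_jwt or libjwt. Standard library only:
the DER encoding is written by hand so this runs offline. The JWKS, key IDs
and token below are constructed for illustration; the moduli are not real.
"""
import base64
import json


def b64url_decode(s: str) -> bytes:
    """Decode base64url (RFC 7515) with the padding JWKS documents omit restored."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|count then big-endian count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative int; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1


def jwk_to_pkcs1_der(jwk: dict) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (RFC 8017)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")  # "n" is the modulus
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")  # "e" is the public exponent
    return der_sequence(der_integer(n), der_integer(e))


def jwk_to_spki_der(jwk: dict) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280) around the PKCS#1 key; openssl labels it PUBLIC KEY."""
    alg = der_sequence(RSA_OID, b"\x05\x00")  # AlgorithmIdentifier { rsaEncryption, NULL }
    pkcs1 = jwk_to_pkcs1_der(jwk)
    bitstr = b"\x03" + der_len(len(pkcs1) + 1) + b"\x00" + pkcs1  # 0 unused bits
    return der_sequence(alg, bitstr)


def to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def jwk_to_pem(jwk: dict, pkcs1: bool = False) -> str:
    """SPKI ("PUBLIC KEY") by default; pkcs1=True gives the bare "RSA PUBLIC KEY" form."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys are handled here")
    if pkcs1:
        return to_pem(jwk_to_pkcs1_der(jwk), "RSA PUBLIC KEY")
    return to_pem(jwk_to_spki_der(jwk), "PUBLIC KEY")


def kid_from_jwt(token: str) -> str:
    """Read the unverified JOSE header; kid only chooses which key to try, it proves nothing."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header["kid"]


def select_key(jwks: dict, token: str) -> dict:
    """A pool publishes more than one key: match on kid rather than trying the first key."""
    kid = kid_from_jwt(token)
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise KeyError(f"no key with kid {kid!r} in JWKS")


# Constructed JWKS with two keys, mirroring the layout Cognito serves. Not real keys.
def _fake_modulus(seed: int) -> str:
    return b64url_encode(((1 << 2047) | seed).to_bytes(256, "big"))


SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "key-1", "e": "AQAB", "n": _fake_modulus(12345)},
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "key-2", "e": "AQAB", "n": _fake_modulus(67890)},
    ]
}


def sample_token(kid: str) -> str:
    """Constructed token with a real header; payload and signature are placeholders."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    return f"{header}.e30.sig"


if __name__ == "__main__":
    # One PEM per kid, each of which can then be referenced from the Apache config.
    for key in SAMPLE_JWKS["keys"]:
        print(f"# {key['kid']}")
        print(jwk_to_pem(key), end="")
    print("token kid ->", select_key(SAMPLE_JWKS, sample_token("key-2"))["kid"])
```

Run as a script it prints a PEM per key ID; the SPKI output is what `jwk-to-pem` produces, and the `pkcs1=True` form is the trimmed "RSA PUBLIC KEY" block the openssl step in the first post was aiming for. A validator that accepts only one static key cannot handle both keys, which is why the lookup by `kid` is needed once a pool rotates or publishes two keys.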
I hate to be a bother with this, but are you actively working on this or can I have a friend of mine submit a pull request to work on this functionality? Thanks.
I just saw your messages, I'm not working on this for now, you can submit a pull request!