
Auth0 with custom domain causes FST_JWT_AUTHORIZATION_TOKEN_INVALID

Open nahueld-owners opened this issue 1 year ago • 3 comments

Version Information

Server Version: hasura/graphql-engine v2.10.1

Environment

Docker image running on GCP Cloud Run

What is the current behaviour?

When trying to validate a JWT token generated by Auth0 using a custom domain I get back:

{
	"errors": [{
		"extensions": {
			"code": "FST_JWT_AUTHORIZATION_TOKEN_INVALID",
			"path": "$"
		},
		"message": "Authorization token is invalid: The iss claim value is not allowed."
	}]
}

I tried the following values in HASURA_GRAPHQL_JWT_SECRET to no success

  1. Using jwk_url. In this case we use the JWK URL as follows:
{"jwk_url": "https://my.custom-domain.com/.well-known/jwks.json",  "issuer": "https://my.custom-domain.com/" }
  2. Using the key:
{"type": "RS512", "key": "abc",  "issuer": "https://my.custom-domain.com/" }

In both cases Hasura seems to fail to validate the custom issuer. This SEEMS to be due to the trailing slash in the issuer; the token generated by Auth0 does use a trailing slash in the iss field, as detailed here.

Other information:

  • This does work fine with the default Auth0 domain (not custom)
  • This throws a different error if the value of "issuer" has no trailing slash, that is: https://my.custom-domain.com

This second point leads me to believe there is something wrong with the way the "issuer" field works internally. I can't control the way the tokens get generated by Auth0, so I need to define the issuer in Hasura.

What is the expected behaviour?

The token is correctly validated

How to reproduce the issue?

  1. Create a new tenant in Auth0
  2. Define a custom domain
  3. Create a new application
  4. Configure Hasura to use JWT tokens
  5. Create a token where the issuer is the custom domain
  6. Try to call hasura endpoint

Screenshots or Screencast

N/A

Please provide any traces or logs that could help here.

N/A

Any possible solutions?

Understand if it is the trailing slash causing issues with the JWT verification

Can you identify the location in the source code where the problem exists?

No

If the bug is confirmed, would you be willing to submit a PR?

No

Keywords

auth0, domain, jwt, FST_JWT_AUTHORIZATION_TOKEN_INVALID

nahueld-owners avatar Sep 21 '22 20:09 nahueld-owners
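The report above hinges on how a verifier compares the token's iss claim with the configured issuer. The following is an added example, not Hasura's code and not the reporter's: a minimal stdlib-only JWT verifier whose issuer check is an exact, case-sensitive string comparison, which is what RFC 7519 prescribes for StringOrURI claims (no trailing-slash or case normalisation). It uses a constructed HS256 secret so it runs offline; a real deployment would verify against the Auth0 JWKS (RS256/RS512), but the iss comparison is the same either way. The secret, the audience "hasura", the subject and the helper names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real verifier would fetch the
# issuer's JWKS and check an RS256/RS512 signature instead.
SECRET = b"example-shared-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, audience: str = "hasura", ttl: int = 3600) -> str:
    """Mint an HS256 JWT whose iss claim is exactly `issuer` (constructed sample,
    standing in for a token issued by Auth0 under a custom domain)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": "auth0|user123",
               "iat": now, "exp": now + ttl}
    signing_input = (f"{_b64url(json.dumps(header).encode())}."
                     f"{_b64url(json.dumps(payload).encode())}")
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TokenInvalid(Exception):
    """Raised for any verification failure; the message mirrors the page's error text."""


def verify_token(token: str, allowed_issuer: str, audience: str = "hasura") -> dict:
    """Verify signature, exp, aud and iss in that order.

    The iss comparison is a plain `==` on the claim string: RFC 7519 section 2
    says StringOrURI values are compared as case-sensitive strings with no
    canonicalisation, so "https://x/" and "https://x" are different issuers.
    The configured issuer therefore has to match the token byte for byte,
    trailing slash included.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenInvalid("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token's own header pick the verifier.
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenInvalid("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        raise TokenInvalid("expired")
    if claims.get("aud") != audience:
        raise TokenInvalid("aud mismatch")
    if claims.get("iss") != allowed_issuer:
        raise TokenInvalid("The iss claim value is not allowed.")
    return claims


def issuer_accepted(token_issuer: str, configured_issuer: str) -> bool:
    """True iff a token minted with token_issuer passes verification when the
    verifier is configured with configured_issuer."""
    try:
        verify_token(mint_token(token_issuer), configured_issuer)
        return True
    except TokenInvalid:
        return False


if __name__ == "__main__":
    auth0_iss = "https://my.custom-domain.com/"   # Auth0 emits the trailing slash
    for configured in (auth0_iss, "https://my.custom-domain.com"):
        print(f"issuer={configured!r:40} accepted={issuer_accepted(auth0_iss, configured)}")
```

With exact matching, only the configuration whose "issuer" carries the same trailing slash as the token is accepted; dropping the slash is correctly rejected rather than silently normalised. The behaviour reported above, where even the exactly matching value is rejected, is therefore what makes this a bug report rather than a configuration question. Stripping slashes on the verifier side to paper over it would loosen the issuer binding and should not be used as a workaround.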

Any updates on this?

nahueld-owners avatar Sep 30 '22 21:09 nahueld-owners

@nahueld-owners We are looking into this. It may take a couple more days. Appreciate your patience.

tirumaraiselvan avatar Oct 04 '22 06:10 tirumaraiselvan

Hi @tirumaraiselvan, is there anything I can do to help on this? Were you able to reproduce? Thanks a lot for your help.

nahueld-owners avatar Oct 17 '22 13:10 nahueld-owners