Graphql-engine: JWT validation failed

Created on 5 Nov 2018  ·  15 Comments  ·  Source: hasura/graphql-engine

Hello, it's again me :)

I have another problem with JWT auth and Hasura and I can't find the problem, help me pls!

I created a valid access token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IkJBODcxQkY5MTgwNTIzMjI2QzFFRTA4NkQxMDc4NEM5RTVCQTJCNjQiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJ1b2NiLVJnRkl5SnNIdUNHMFFlRXllVzZLMlEifQ.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.ue8QiHT_6ImIa0tZGPZUQwf2u_qKvXLmjzLzcKDVP-3B8YgJc3YMTeu_o8LLKzNer9earzSFN7bPV_-vNGF6404O-PX4_Z-2Le0AjsRVbVFdBvrTKiFQZ-hM44DREdQCr5iqAaRIGakpMrriYE0LZ9tbIdKE07DeFp-RD0_LP0pWCNGzqPBlFL2nGazy3iaZ0hZs5TarJgoRqK_ZlWGFlwdxSkhmRlKVQQcP1Q53eH9T5cc_B7VDqrgS_NkKuRzf8LoJvzTPBbgfYGUwim5tARK4bRLYhjyZvGR_VI56Es8shwnAGRzzD9KWP7Qvlb6AKVyYWJfvPrrd3669Xjp3fwevm2rmkUPbW5EqbDO03nwnp1PTrZnuNwK06oWWce6d2IbeDNwk58YyWDHFAxujUgKE7dvjupJ2k3lagTI8_S_6pRtshLrPl0WVHdich0FNtEniQ_GgSQ4ZZQ4TOKnK2zqH1d5dW2UzuEUak-tSfEbtBVPIWKtfjbM6jRH2HzlZMAV3zg2ZqnAcGImacPD2LKEQ4Ogzkv6ZYeDGasO-IRwQ5yeC9dFey7whUQ-BpE_8cF-4WCiKPY9meXXi8X53W8Y9VH2_g92m3ENxVqhVawb52LX4MZkmr5CTn_xVgfENzMUfsGb98AmUdGx3nLGe1nToLfhcqgCbvM5K3mH1ugU

This is the validation public cert:

-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

Proof it's valid:

https://imgur.com/a/UNpk5yG

This is my Hasura configuration:

docker run -d -p 5002:8080 \
    --name rulebook-api \
    --network rulebook \
    hasura/graphql-engine:v1.0.0-alpha28 \
    graphql-engine \
    --database-url postgres://dev:dev@rulebook-api-db:5432/dev \
    serve \
    --enable-console \
    --access-key LocalHostKey \
    --jwt-secret '{"type":"RS256", "key": "-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
", "claims_namespace": "rulebook_claims"}'

And I'm getting this response:

[error, Could not verify JWT: JWSError (CompactDecodeError "expected NonEmpty a, encountered String")]

What am I doing wrong?

Labels: server, urgent

All 15 comments

I think when you set the key, are you making the whole key into a single line from the usual multi-line file it is? When you do that you should join the lines with a \n. Check out the example keys here: https://docs.hasura.io/1.0/graphql/manual/auth/jwt.html

I tried to replace spaces with "\n" like in the example — it's not working, same result.

P.S.: In the Auth0 example the certificate is presented without \n.

@coco98 @aurokk I checked this out with and without \n. Looks like certificate gets parsed and the server starts correctly both ways.

@ecthiender Can you check out what the error means? I get the same error if I use a random JWT like abcd

Hey @aurokk I tried to reproduce the issue. If I use the public key given by you and the JWT, I encounter the same error as yours.

But if I use the exact same JWT payload as yours [1], but use a different generated private-public key pair, I am not facing any errors.

Not sure why that is; I would need some more time to investigate.

@shahidhk if you use a JWT like abcd you would encounter an error like: expected 3 parts, but got 1.


[1]:

{
  "nbf": 1541457465,
  "exp": 1541461065,
  "iss": "http://localhost:5000",
  "aud": [
    "http://localhost:5000/resources",
    "rulebook-api"
  ],
  "client_id": "ios.client",
  "sub": "4d4064d1-c33f-423b-b262-f32ea16964aa",
  "auth_time": 1541457461,
  "idp": "google",
  "scope": [
    "openid",
    "rulebook-api",
    "offline_access"
  ],
  "amr": [
    "external"
  ],
  "rulebook_claims": {
    "x-hasura-allowed-roles": [
      "user"
    ],
    "x-hasura-default-role": "user",
    "x-hasura-user-id": "4d4064d1-c33f-423b-b262-f32ea16964aa"
  }
}

Hey, @ecthiender

This is how I generate keys:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout auth_05102018.key -out auth_05102018.crt -subj "/CN=rulebook.app" -days 365

Hey @aurokk , I tried with your above openssl command and with your above payload. I am unable to reproduce the issue.

This is what I did:

  1. Generate new keys: openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout iss983.key -out iss983.crt -subj "/CN=rulebook.app" -days 365 [1]
  2. Go to https://jwt.io and paste both the keys and the payload (in the previous comment). jwt.io generates a token and also mentions signature verified.
  3. Use the following jwt-secret config:
 --jwt-secret '{"type": "RS256", "key": "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
", "claims_namespace": "rulebook_claims"}' --access-key abcd
  4. Make a request with the token generated by jwt.io -> it works fine


[1] the key-pair:

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ecthiender Hey! I found the problem — when the token header contains the "x5t" field (Identity server adds this field by default) I'm getting a bad response:

{
  "alg": "RS256",
  "kid": "8396657931594AA931C1049B43C79016A7E8C4E1",
  "typ": "JWT",
  "x5t": "g5ZleTFZSqkxwQSbQ8eQFqfoxOE"
}

The token is valid, but the response is:

[error, Could not verify JWT: JWSError (CompactDecodeError "expected NonEmpty a, encountered String")]
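As an added illustration (not code from the issue or from hasura/graphql-engine), the following Python does two things the thread talks about: it splits a compact JWS into its three parts and decodes the protected header to show whether x5t is present (and reports the "expected 3 parts" case for a malformed token), and it renders a PEM certificate into the single-line, backslash-n-escaped --jwt-secret JSON that the earlier comment recommends. The header values, claims and certificate body are constructed placeholders, and the sample token carries a dummy signature that is not verified.

```python
import base64
import json

# Constructed sample header, modelled on the IdentityServer4 header quoted above.
# kid and x5t are placeholders, not the values from the issue.
SAMPLE_HEADER = {"alg": "RS256", "kid": "PLACEHOLDER-KID", "typ": "JWT", "x5t": "PLACEHOLDER-X5T"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWS strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(header: dict, payload: dict) -> str:
    """Build a compact JWS from header and payload with a dummy (unverified) signature."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(parts + [b64url_encode(b"\x00" * 32)])


def inspect_jws(token: str) -> dict:
    """Split a compact JWS into its three parts and decode the protected header.

    Raises ValueError when the part count is wrong, mirroring the
    'expected 3 parts, but got N' error quoted in the thread.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 parts, but got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return {"alg": header.get("alg"), "kid": header.get("kid"), "has_x5t": "x5t" in header, "claims": claims}


def jwt_secret_config(pem_cert: str, claims_namespace: str) -> str:
    """Render the Hasura --jwt-secret JSON for an RS256 certificate.

    json.dumps escapes every newline of the PEM block as a literal \\n, which is
    the single-line form shown in the thread's working Dockerfile.
    """
    return json.dumps({"type": "RS256", "key": pem_cert.strip(), "claims_namespace": claims_namespace})
```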

Thanks for reporting this @aurokk . I will look into it further.

Hey @aurokk , what identity server are you using? Can you give us a minimal program* to reproduce the issue?

*: or minimal steps including the configuration on hasura, and configuration + code snippets etc. for the auth server that you are using

Hello, @ecthiender.
I'm using the latest version of IdentityServer4 — https://github.com/IdentityServer/IdentityServer4

I prepared an IdS4 + Hasura setup to reproduce the issue.
Sources are here: https://github.com/aurokk/ids-hasura-auth-problem

  1. Request IdS4 for access token:
curl -X POST \
  https://polar-refuge-51031.herokuapp.com/connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Postman-Token: ca610a04-abbb-4b01-98de-963e86e51190' \
  -H 'cache-control: no-cache' \
  -H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
  -F client_id=ro.client \
  -F client_secret=secret \
  -F grant_type=password \
  -F scope=api1 \
  -F username=alice \
  -F password=password
  2. Request HSE for some data with access token:
curl -X POST \
  https://serene-basin-12094.herokuapp.com/v1alpha1/graphql \
  -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzOTY2NTc5MzE1OTRBQTkzMUMxMDQ5QjQzQzc5MDE2QTdFOEM0RTEiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJnNVpsZVRGWlNxa3h3UVNiUThlUUZxZm94T0UifQ.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.G8U3gsgbckZGDKgKvAjQGLE9ROhzY3sOG_dySgEz-t9lmx9L-8LAaP2IJ8d4ffcOH_7y_QcPAt8aZyeEPFypIy9YSF70LuSIPO2EBQXKkK9WfQa2WTPJQwxWkuga5cx_-j0ROgVrIRUKQsB-ysticsxas74hmgnktF3tGSCMfDhhvmhlAdhX1CS-QR4KgRQZKYl_mOsZo01TuFlM8jlPBgCgOmXBhjpQ4mEyC-Z9kOhVExojzD54RkMnWQ36ZcKCazpbgK263KstbXGoYS3ZU7nRUUnjD8oACJOzL1pdGiAmTab8WLz7k7AdgS2nYOrksVDa-LYztZbD8L-QWBM0K7zx8Y9Z3dSRW6GNFEhPKSjQR8NZxwO711i9qcE6Rpd4cq2T99n2Z7tlRwffx1rM93u9fo0js3UMBcQJVGNqupeoKrowncJdLw-ky-EoGZQRh5vVih0__bqH1o11j0wtrzXymCpWaHErWlvBrT1ORXiy24iiI7nfw4CYJcuTevcsBFfdBAdNdAYAMu2VFC8Czb7WB1cD2E2itnhJ_w4J40PK_Auzx8YswsooqC6liKuKvcfai9mci4XR1Pc2YSer_jka2a8z7aWYHklfqnOauZzSBUA7pylppAWHHs2z_2Q3P3eoqAXeHzuNExl7YYKq_hkwHWVYlKVYJGJaw71bUT8' \
  -H 'Postman-Token: f2fa0da8-3975-49af-9e6b-be3074e88761' \
  -H 'cache-control: no-cache' \
  -d '{
  test {
    id
    name
  }
}'
  3. Get the error:
{
    "errors": [
        {
            "path": "$",
            "error": "Could not verify JWT: JWSError (CompactDecodeError \"expected NonEmpty a, encountered String\")",
            "code": "invalid-jwt"
        }
    ]
}

THIS IS HOW I START HSE:

FROM hasura/graphql-engine:v1.0.0-alpha30

# Enable the console
ENV HASURA_GRAPHQL_ENABLE_CONSOLE=true

# Change $DATABASE_URL to your heroku postgres URL if you're not using
# the primary postgres instance in your app
CMD graphql-engine \
    --database-url $DATABASE_URL \
    serve \
    --server-port $PORT \
    --access-key abcd \
    --jwt-secret '{"type": "RS256", "key": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApICCQCLZRtRKZcpxTANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxy\ndWxlYm9vay5hcHAwHhcNMTgxMTEyMTYyOTU0WhcNMTkxMTEyMTYyOTU0WjAXMRUw\nEwYDVQQDDAxydWxlYm9vay5hcHAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\nAoICAQCbBu3BlgOBDU9SKC6iroR+1aAEiUerOLwKDi0K4tqAOlXSPSOeRMlwZLMY\nMKDLKgJ2ppYpFrxcm5LDwGSnk2jnw1b2JCDS57sFD3OUK59TxlHyKKmrj2pvxgDT\n2tGy9Fa7ytXWu7t3hZIQJe2DkgbP9wwdKCsfUr91qI/4aFywOu9pnD9/Sz9KQlwl\nCWgOGCF1ctfNPJlzVeUkwCqQ7W66rfrbwg7vBbX4bK0ZpRWai8fw7cAuITFsUgyG\nlQRXidYIflKcS0gTyM4XuyXxC1eRYp/5t+e0L8zDsaShpsNXDlOKsp1PR2Bswsm3\nz1Oz4FoxeqaTR58S00pr8YOhS+2x00+vf64yyLDxOkYem7Z9SNCe5drvYYZi83eZ\nezUWsVP1wpflsH0tIgaas7WIcru6BZDjjxr0fjkb4ttgHdE6gxe/3mdEmWC45Ey6\nRjDuccSg9D/Fru4z3p9p6D2tUj8ftv7wPMQhfrM0bVNUfYVJ6+vQabQEWR4uZeTq\nA2s8KTaKxPB4lCSQdPAQ4zCNkwe7dKAchgNZ5FMSesc5dofgW42ZrHgtOy/4Bmlr\nh4HFqGxaJFxxohyQR65p3jRB2vZ2Es6LZ/ZUheXMUZGJdrciC2Fx+3RV2TuYe5y9\nNzPgOGZPZtAk461kUEMzj6BzV6vHcuZzSa3+S0Fnwe7i9KzMiwIDAQABMA0GCSqG\nSIb3DQEBCwUAA4ICAQB3ZgaMRwykbuFPXFQhcrG2uStwGcnjz/Z/1t9jU8PqtsqK\nyS4yGWIqWKDQUaYtQNIT9BspVR0dG6rmvaUzsbhpeDure7O2Y7dF4LjhJsApOdDx\naw1T2OpU0rG0Ghy0deWuKFwL0wNQKOlxNqGQDFIttITfue8qJqDVtyMseFab/woT\nWeCT6WkbTSaDPSwJQJzQha8kkcaSI+3v0cNhIdJUmCu2u+XumIw0IVWg5nU9f8t5\ntGqLhxNN2CsMqg3gQur/KBqnAZPO79gJJ/fUKbCpp3/iNIJshM5sDz9NNsR1auiL\nu2/HF4WyWwvrI0g8kC/8UxZs3RbcGBH4JuvuzZ6etiMcl5c/rBJjBTxYaWgb3OJX\n5V8hD4Bu3cLbkTy0Gp0X7X9frXvSF60X1bIg/BA//4yBft7Sn7dvIa0WOSqDn01E\n6V1kg8V0zu7X7FEQCoIdlfG6DgVelafBndeNn9brrmfBIMnnyKN+pN+AHp6NsLve\nFROwQ3A60QlCln4QQrcgu4Wb61dQPkfmrwqTG0KyUWerv0v6vXkvS/HOAzR+zsgq\nS0xdGJ5Q0tk+/d185wd8G9msAkjoCgwLHtHO8PEzxmx0dSrBH4oYkqZzd1ZcZF0v\nUIgoD/6ufywgIvsuIrftAGD+3rn+wHwJFYgaMND+vNLxDf8fMnaH1l9cZWHDlg==\n-----END CERTIFICATE-----", "claims_namespace": "rulebook_claims"}'

CERT:

-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

You can download the sources and start it yourself.

I think the problem is in the JWT library you are using... the x5t header seems to be valid (jwt.io says the token is fully valid).

Thanks for the detailed response @aurokk . I will get back to you ASAP.

It's a bug that has already been fixed (https://github.com/frasertweedale/hs-jose/commit/32c3efdba2b3520a8052ba2fe07ab04c073b8ec9) but the fix hasn't made its way into a release yet. I'm planning to release v0.8 next week, which will include the fix for this bug. In the meantime, stripping the x5t field will help :)

@ecthiender Let's point to the commit for the hs-jose package in stack.yaml till a new version is released.

jose-0.8.0.0 was released; includes fix: https://hackage.haskell.org/package/jose-0.8.0.0

Thanks @frasertweedale !
