From docker-compose.yaml
HASURA_GRAPHQL_JWT_SECRET : '{"type":"RS256", "key":"-----BEGIN PUBLIC KEY-----[mypublickey]-----END PUBLIC KEY-----"}'
Fatal Error: JWT conf: Error in $: Invalid JWK: Could not decode PEM: invalid PEM delimiter found
Am I doing something wrong?
@jakobrosenberg This is typically a quoting/newline error. Can you use https://hasura.io/jwt-config and generate the value with proper escaping etc. and try again?
That works. Is it possible that HASURA_GRAPHQL_JWT_SECRET only works with certificates and not public keys?
If I generate a public key in FusionAuth (RSA using SHA-512, key length 4094)
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
and regreplace \n with \\n
-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqP99HwMbm5YGJH9SyNkkD\noJFiwpbjrs/eFf6Lakzi6tAaLIsAid3vBfLnNvI1cIsIP+qDx7YurGl+ak8QfOwOk\nnX4P9QRDzBwNtM1zVFERiaIHG9n14Sr2p4I9qC05r0qiiewQNyKUUjTAy/LwqGLGm\nucsgTwD7UJvZchwSVNwCM63ZouUdgsgmbUiQ4mF+luu9t27z30mfz9WxwgVAzGcC5\n6yIV15pqS6Vda79lWMjmQmIYeMlwbwtSw7cyP+ZBh1OkXXvYgE/XWdefO+gDGjUkr\nS1dkk/4Qs6UYe9eNBdqpump34tu/ClDQAJVzWf5fuilNInr5K1GT9TLVLuSCoaApi\nAnIL7YdnmP3CwFLWainGKwbJjisIGmO6z4Q2p8zoNw0z5TiD326UyBuLmEdXfWLdY\ngIK3nqqMh69her2K7FNnvvg8rFwhvXdrFFnYm6F07wi+GeScH1fEKm7xAd50p1/ES\nlSweyQYzKPvzkKYZcqi/Quygbh9pIVLaBGj6lp1n9Yg2wtOdSR7X0D1WNSNuAOZsl\nQt25Gl/Nb+fYURNHCKS9T1A22dX+9QGlN5S+dWMOnHPtCcxNTpcTibD8hcfbI9o8F\nEdOfUNT0eM/YKPE9t/vGS5rAPbzWlXOSJU0aI+LXAEmwm3bONvuBg2VJxOfwbtEP5\nqBIyL3kr5oYcCAwEAAQ==\n-----END PUBLIC KEY-----\n
and then add this to my docker-compose.yaml
HASURA_GRAPHQL_JWT_SECRET : '{"type": "RS512", "key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqP99HwMbm5YGJH9SyNkkD\noJFiwpbjrs/eFf6Lakzi6tAaLIsAid3vBfLnNvI1cIsIP+qDx7YurGl+ak8QfOwOk\nnX4P9QRDzBwNtM1zVFERiaIHG9n14Sr2p4I9qC05r0qiiewQNyKUUjTAy/LwqGLGm\nucsgTwD7UJvZchwSVNwCM63ZouUdgsgmbUiQ4mF+luu9t27z30mfz9WxwgVAzGcC5\n6yIV15pqS6Vda79lWMjmQmIYeMlwbwtSw7cyP+ZBh1OkXXvYgE/XWdefO+gDGjUkr\nS1dkk/4Qs6UYe9eNBdqpump34tu/ClDQAJVzWf5fuilNInr5K1GT9TLVLuSCoaApi\nAnIL7YdnmP3CwFLWainGKwbJjisIGmO6z4Q2p8zoNw0z5TiD326UyBuLmEdXfWLdY\ngIK3nqqMh69her2K7FNnvvg8rFwhvXdrFFnYm6F07wi+GeScH1fEKm7xAd50p1/ES\nlSweyQYzKPvzkKYZcqi/Quygbh9pIVLaBGj6lp1n9Yg2wtOdSR7X0D1WNSNuAOZsl\nQt25Gl/Nb+fYURNHCKS9T1A22dX+9QGlN5S+dWMOnHPtCcxNTpcTibD8hcfbI9o8F\nEdOfUNT0eM/YKPE9t/vGS5rAPbzWlXOSJU0aI+LXAEmwm3bONvuBg2VJxOfwbtEP5\nqBIyL3kr5oYcCAwEAAQ==\n-----END PUBLIC KEY-----\n"}'
I get
Fatal Error: JWT conf: Error in $: Invalid JWK: Could not decode PEM: invalid PEM: decoding failed: base64: input: invalid length invalid PEM: decoding failed: base64: input: invalid length
Yes, as mentioned here,
key
- In case of symmetric key (i.e. HMAC based key), the key as it is. (e.g. - “abcdef…”).
- In case of asymmetric keys (RSA etc.), only the public key, in a PEM encoded string or as a X509 certificate.
Thank you for your help @shahidhk .
For anyone else with this problem, my solution was to decode the public key to XML and then reencode it to PEM.
https://superdry.apphb.com/tools/online-rsa-key-converter
I'm running into the same error with my Kubernetes deployment.yml.
According to the documentation we have two possibilities declaring a public key
- In case of symmetric key (i.e. HMAC based key), the key as it is. (e.g. - “abcdef…”). The key must be long enough for the algorithm chosen, (e.g. for HS256 it must be at least 32 characters long).
- In case of asymmetric keys (RSA etc.), only the public key, in a PEM encoded string or as a X509 certificate.
So as our key is RS256 I've set that as the type and attached the key within the JSON.
containers:
- image: hasura/graphql-engine:v1.0.0-beta.9
  imagePullPolicy: IfNotPresent
  name: hasura
  env:
  - name: HASURA_GRAPHQL_DATABASE_URL
    value: postgres://hasura:[MASKED]@192.168.22.11:5432/
  - name: HASURA_GRAPHQL_ENABLE_CONSOLE
    value: "true"
  - name: HASURA_GRAPHQL_ENABLED_LOG_TYPES
    value: "startup, http-log, webhook-log, websocket-log, query-log"
  - name: HASURA_GRAPHQL_JWT_SECRET
    value: '{"type": "RS256","key": "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","claims_namespace": "hasura","claims_format": "json"}'
  ports:
  - containerPort: 8080
    protocol: TCP
  resources: {}
Producing:
Fatal Error:- Environment variable HASURA_GRAPHQL_JWT_SECRET: Error in $: Invalid JWK: Could not decode PEM: No pem found No pem found
I'm not sure why it is expecting a PEM key anyway, although it seems to be an optionality.
However I've tried the same with our PEM key as well which leads to the same error.
It is unclear to me what's the issue.
The solution of @jakobrosenberg to convert it to XML and back to PEM with the converter provided is meaningless, as the result is the same in my case.
I would appreciate any help / clarification with this issue. Thanks in advance
@mklueh
'{"type": "RS256","key": "TUlJQklqQU5CZ2txaGtp......"}
The above key is not in a valid format. The docs mention, it has to be either in PEM format or x509 certificate format. See examples here: https://docs.hasura.io/1.0/graphql/manual/auth/authentication/jwt.html#rsa-based
Let me know if this helps.
@ecthiender
I agree, the key above is not in the PEM format, however I've tried the same with our PEM formatted key from the .pem file
containers:
- image: hasura/graphql-engine:v1.0.0-beta.9
  imagePullPolicy: IfNotPresent
  name: hasura
  env:
  - name: HASURA_GRAPHQL_DATABASE_URL
    value: postgres://hasura:[MASKED]@192.168.22.11:5432/masterdata
  - name: HASURA_GRAPHQL_ENABLE_CONSOLE
    value: "true"
  - name: HASURA_GRAPHQL_ENABLED_LOG_TYPES
    value: "startup, http-log, webhook-log, websocket-log, query-log"
  - name: HASURA_GRAPHQL_JWT_SECRET
    value: '{"type": "RS256","key": "-----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7gtigpr8za0aY4pl5KVE
      93FPfwk9lfF9OX1QtMCP8fEm1aQL3SqNBlf+pRC2/TW0p5U5XcfFO/YLVMKzGpEG
      XD85SFyQbHUIoBswY6y4HswmeLA2/O+/Jo6guiPriXWpq4QS6arJgdCr+LGsphq3
      sY/Lxr8YOJWbCpM8UoR4foF580ixnfKSY41sHneTF9GwQyv1zt8uJ9MviBZpvCS1
      1wC7K81q0mPyM5QGBSdLDvTLizf4htOEQufRVzF7e4n2zFsnLXgmlyUFLRW/DOBV
      /lr1O7IO5WVRNf4M8x5pmtsG2dDJ9RBogx+s3cibkcwzPJuLd/Hru9CoCtMAEMnh
      7wIDAQAB
      -----END PUBLIC KEY-----","claims_namespace": "hasura","claims_format": "json"}'
  ports:
  - containerPort: 8080
    protocol: TCP
  resources: {}
I've tried that with spaces, with no spaces, as a single line without line breaks etc. and it always produces
Fatal Error: JWT conf: Error in $: Invalid JWK: Could not decode PEM: invalid PEM delimiter found
EDIT:
Got it working now by changing a few things:
Thank you anyway :)
- name: HASURA_GRAPHQL_ADMIN_SECRET
  valueFrom:
    secretKeyRef:
      name: hasura-secrets
      key: hasura-admin-secret
- name: HASURA_GRAPHQL_ENABLED_LOG_TYPES
  value: "startup, http-log, webhook-log, websocket-log, query-log"
- name: HASURA_GRAPHQL_JWT_SECRET
  value: '{"type": "RS512","key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7gtigpr8za0aY4pl5KVE\n93FPfwk9lfF9OX1QTMCP8fEm1nOL3SqNBlf+pTC2/TW0p5U5XcfFO/YLPMKzGpEG\nXD85SFyQbHUIoBswY6y4HswneLA2/O+/Jo6guiPriXWpq4QS6arJgdCr+LGsphq3\nsY/Lxr2YOJWbCpM8UoR4foF580jxnfKSY41sHneTF9GwQyv1zt8uJ9MviBZpvCS1\n1wD7K81q0mPyM5QGBSdLIvTLirf4htOEQufRHzH7e4n2zFsnLXgmlyUFLRW/DOBV\n/lr1O7IO5WVRNf4M8x5pmtsG2dDJ9RBogx+s3cibkcwzPJuLd/Hru9CoCtMAEMnh\n7wIDAQAB\n-----END PUBLIC KEY-----","claims_namespace": "hasura","claims_format": "json"}'
Facing this error again. A previously working config (generated via: https://hasura.io/jwt-config) has started causing the error. Kinda stuck with what to do. Any idea?
hasura version: v1.0.0
k8s env versions:
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-13T11:52:32Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.6", GitCommit:"96fac5cd13a5dc064f7d9f4f23030a6aeface6cc", GitTreeState:"clean", BuildDate:"2019-08-19T11:05:16Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
@denizkenan Have you checked out the line delimiter?
@shahidhk : Thank you for the reply.
_Config not the cause of the problem.
It still works flawlessly if Hasura is launched using docker-compose.
It used to work with our Kubernetes cluster as well._
So far:
- Used to work with same config, hasura version, kubectl version
- Stopped working with k8s v1.14.6 AKS (Azure Kubernetes Service).
- Still not working with different kubectl version, hasura version, different platform (macosx, linux) against same k8s cluster
Possible cause:
We suspect that Kubernetes version in question does not like the way it is suggested to use jwt config.
Next steps:
We will change k8s version and try again. if it fails,
We will try with different methods(yaml format, load from configmap, load from secrets etc..).
Ok, problem was related with our tooling.
$(echo sed ...) was replacing the new line character with a weird character (that looks like a space character). Changed the way sed is used (avoiding any echo sed) and the problem is solved.
Also, if trying to use the jwk_url with Auth0 it will not work (currently) as noted in the known issues here: https://docs.hasura.io/1.0/graphql/manual/auth/authentication/jwt.html#auth0
I'm also struggling with this issue and I've already tried all the solutions shown.
Has anyone used another way to get this working?
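Added example, not posted by anyone in this thread and not Hasura's code: a Python check for the failure modes reported above (key without PEM armor, line breaks folded into spaces or swapped for another character, a base64 body of the wrong length, raw newlines inside the JSON). The function names and the sample key are constructed for illustration; only PEM framing is checked, not whether the bytes are a valid RSA key.

```python
import base64
import json
import re

ARMOR = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----\n?", re.S)

def diagnose_pem(pem):
    """Return 'ok' or why the PEM framing is broken (ASN.1 is not checked)."""
    if "-----BEGIN " not in pem:
        return "no PEM armor"
    bad = sorted({hex(ord(c)) for c in pem if c != "\n" and not " " <= c <= "~"})
    if bad:
        return "unexpected characters: " + ", ".join(bad)
    match = ARMOR.fullmatch(pem)
    if not match:
        return "armor lines not on their own lines"
    try:
        base64.b64decode(match.group(2).replace("\n", ""), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return "bad base64 body: " + str(exc)
    return "ok"

def build_jwt_secret(pem, alg="RS256"):
    """Serialize the config; json.dumps writes each newline as backslash + n."""
    pem = pem.replace("\r\n", "\n").strip() + "\n"
    problem = diagnose_pem(pem)
    if problem != "ok":
        raise ValueError(problem)
    return json.dumps({"type": alg, "key": pem})

def check_jwt_secret(value):
    """Parse the value the way a JSON parser would and check the key inside."""
    try:
        conf = json.loads(value)
    except json.JSONDecodeError as exc:
        return "not valid JSON: " + exc.msg
    return diagnose_pem(conf.get("key", ""))

# Constructed sample: placeholder bytes in PEM framing, not a real RSA key.
_B64 = base64.b64encode(bytes(range(96))).decode()
BODY = "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
SAMPLE_PEM = f"-----BEGIN PUBLIC KEY-----\n{BODY}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    good = build_jwt_secret(SAMPLE_PEM)
    print(good)
    print("escaped newlines:", check_jwt_secret(good))
    print("folded to spaces:", check_jwt_secret(good.replace("\\n", " ")))
    print("replaced by U+00A0:", check_jwt_secret(good.replace("\\n", "\u00a0")))
```

The "folded to spaces" case is what a YAML single-quoted value spread over several lines produces, because YAML folds those line breaks into single spaces, while a literal `\n` inside single quotes reaches the JSON parser unchanged.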