Postgrest: JWSError JWSInvalidSignature (secret > 32 chars)

Created on 7 Oct 2018 · 8 comments · Source: PostgREST/postgrest

Hey all and thanks for this great project!
I'm trying to authenticate using a JWT from Auth0 and I keep getting JWSError JWSInvalidSignature.

Here is some information that may help you help me :)

  1. I'm using the client_secret taken from the application section in Auth0 (not base64). Is it the right place to take the secret from?
  2. I used jwt.io to validate: I entered the retrieved access token and the secret and I get that the signature is verified.
  3. I'm running postgrest through docker, with the environment variable PGRST_JWT_SECRET with the same client secret.
  4. I've also specified PGRST_ROLE_CLAIM_KEY and PGRST_JWT_AUD but I don't think it is related to the problem.

I will really appreciate any help with this one.

All 8 comments

What signature algorithm are you using? If it's RS256 you might need to add the public key as the jwt-secret instead of the private/secret key.

In case of RS256, check this comment https://github.com/PostgREST/postgrest/issues/1130#issuecomment-400220291, run the script (replace the Auth0 domain with yours) and then you can specify jwt-secret = "@rsa.jwk.pub" in the postgrest config file.
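The two comments above turn on the token's algorithm: an HS256 token is checked against the Auth0 client_secret, an RS256 token against the tenant's public key, so feeding the client_secret to PostgREST for an RS256 token can only give JWSInvalidSignature. As an added example (not code from this thread, from PostgREST or from Auth0), the Python below reads the JOSE header to tell which kind of jwt-secret is needed, verifies an HS256 token the way a symmetric jwt-secret is checked, and picks the RS256 key matching the token's kid out of a JWKS document (the shape Auth0 serves at /.well-known/jwks.json) so it can be saved as the file jwt-secret points at. It uses only the standard library; the secret, claims, kid values and RSA members are constructed placeholders, not real key material, and no RSA signing is performed.

```python
"""Which PGRST_JWT_SECRET an Auth0-issued JWT needs, decided from its header.

Added example, not PostgREST or Auth0 code. Standard library only. All key
material below is constructed; the RSA 'n'/'e' values are placeholders.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample material (not a real Auth0 client_secret or key set).
HS256_SECRET = "a-shared-secret-that-is-at-least-32-characters-long"
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "auth0-key-1",
         "n": "not-a-real-modulus-placeholder-1", "e": "AQAB",
         "x5c": ["not-a-real-certificate"], "x5t": "not-a-real-thumbprint"},
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "auth0-key-2",
         "n": "not-a-real-modulus-placeholder-2", "e": "AQAB"},
    ]
}


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding JWT segments use."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: str) -> str:
    """Build an HS256 token, what an Auth0 application set to HS256 issues."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def example_rs256_token(kid: str, claims: dict) -> str:
    """Header and claims of an RS256 token; the signature is a placeholder (no RSA lib here)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_header(token: str) -> dict:
    """Decoded JOSE header: the first dot-separated segment."""
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_hs256(token: str, secret: str) -> bool:
    """Constant-time HS256 check, as done against a symmetric jwt-secret."""
    header, payload, sig = token.split(".")
    if jwt_header(token).get("alg") != "HS256":
        return False  # never treat an RS256 (or 'none') token as HMAC-signed
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def secret_kind_for(token: str) -> str:
    """Which jwt-secret PostgREST needs for this token's algorithm."""
    alg = jwt_header(token).get("alg")
    if alg == "HS256":
        return "shared secret (the Auth0 client_secret)"
    if alg == "RS256":
        return "public key as a JWK from the tenant's JWKS, not the client_secret"
    return f"unsupported alg {alg!r}"


def select_jwk(jwks: dict, kid: str) -> dict:
    """The RSA signing key matching the token's kid, trimmed to its public members."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("alg", "RS256") == "RS256":
            return {k: key[k] for k in ("kty", "alg", "use", "kid", "n", "e") if k in key}
    raise KeyError(f"no RSA key with kid {kid!r} in the JWKS")


if __name__ == "__main__":
    hs = make_hs256_token({"sub": "auth0|123", "role": "web_user"}, HS256_SECRET)
    print("HS256 token needs:", secret_kind_for(hs), "| verifies:", verify_hs256(hs, HS256_SECRET))
    rs = example_rs256_token("auth0-key-1", {"sub": "auth0|123", "role": "web_user"})
    print("RS256 token needs:", secret_kind_for(rs))
    # This JSON is what you would write to rsa.jwk.pub and reference as jwt-secret = "@rsa.jwk.pub"
    print(json.dumps(select_jwk(SAMPLE_JWKS, jwt_header(rs)["kid"])))
```

Auth0 rotates signing keys, so the kid lookup matters: a JWK file written once will stop verifying tokens after the tenant's key changes, and the token's kid is how you tell which key in the JWKS to re-export.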

Thanks, it was indeed RS256, and that approach helped.

Glad it worked out! Btw, we have an open issue for an Auth0 quickstart guide:

https://github.com/PostgREST/postgrest-docs/issues/85

Linking it just in case you feel like helping us :)

@steve-chavez sorry to bring you back to this, but I find myself in a bit of a pickle.

I am using docker to run postgrest. I find myself in a similar situation as @Ronsho, and I see how he likely resolved his issue. My issue is that whenever I put the literal string (escaped quotes of course) from the suggestion you linked in for the PGRST_JWT_SECRET, as referenced in the Asymmetric Keys section of the documentation, I still get the error referenced here. This is the approach I'm mimicking from the docs:

PGRST_JWT_SECRET: "{ \"alg\":\"RS256\", … }"

I've tried several variations of the above in regards to escaping and wrapping with quotes.

Is there something I'm missing? A caveat here is that I'm setting up an Angular application that solely uses Auth0 to authenticate with PostgREST, so I'll definitely write up a quickstart guide as I've had to jump all over the place in comments on issues and the google to get this all figured out. This is my last hurdle!

Forgive me if it's something simple. Been at this for several hours today :)

@steve-chavez please disregard the above, I figured it out! I will be contributing to the documentation soon to outline the process of getting Auth0 + PostgREST working (with docker, at least) and full OIDC.

Basically, I ended up mounting the rsa.jwk.pub file generated from your method above to the docker container, then used the binary file reference as suggested elsewhere in the docs:

PGRST_JWT_SECRET: "@/some/mount/point/rsa.jwk.pub"

Thanks!

@collinwhite Glad you could figure it out, I was just about to recommend that. Quoting the secret as a string is indeed not working, thank you for pointing that out. I'll await your PR on the docs :).

Edit: Escaping the jwk in PGRST_JWT_SECRET does work but it's really error-prone, I also wasted some time figuring out why it didn't work for me and turns out that my zsh config stripped an f char from the key.

@steve-chavez holy cow I use zsh and I bet that's what was happening to mine. Good to know. I'll include it in my writeup with the caveat that it seems to be error prone. No sense in using it really IMO when the binary file works fine. Only hiccup there would be if the user can't mount a volume for some reason.

Thanks for the note!
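The last few comments describe three ways a PGRST_JWT_SECRET goes wrong without any clear error from the JWT check itself: an inline JWK mangled by shell quoting (here a dropped character), a mounted file that is not where the path says, and the symmetric-secret length the issue title hints at. As an added example, not PostgREST's own code, the Python below classifies a PGRST_JWT_SECRET value the way the docs describe PostgREST reading it (a leading "@" names a file, a JSON object or JWK set is asymmetric key material, anything else is a symmetric HMAC secret; treating that as the exact parsing rule is an assumption) and reports those failure modes before the container is started. The JWKs are constructed; the modulus only has the shape of a 2048-bit RSA key and is not a real one.

```python
"""Sanity-check a PGRST_JWT_SECRET value before handing it to PostgREST.

Added example, not PostgREST code. The classification rule (leading '@' is a
file, JSON is a JWK or JWK set, otherwise an HMAC secret) is an assumption
about how PostgREST reads the setting. Key material below is constructed.
"""
import base64
import json


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed modulus with the shape of a 2048-bit RSA key (not a real key).
_FAKE_N = b64url_encode(((1 << 2047) | 1).to_bytes(256, "big"))
GOOD_JWK = json.dumps({"kty": "RSA", "alg": "RS256", "use": "sig",
                       "kid": "auth0-key-1", "n": _FAKE_N, "e": "AQAB"})
# The same JWK with one character of 'n' lost, as shell quoting did in this thread.
MANGLED_JWK = GOOD_JWK.replace(_FAKE_N, _FAKE_N[:100] + _FAKE_N[101:])


def _read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def _result(kind: str, ok: bool, problem):
    return {"kind": kind, "ok": ok, "problem": problem}


def _check_rsa_jwk(key: dict):
    """None if the JWK looks like a usable RSA public key, else a description of the defect."""
    missing = [f for f in ("kty", "n", "e") if f not in key]
    if missing:
        return f"JWK is missing {', '.join(missing)}"
    if key["kty"] != "RSA":
        return f"kty is {key['kty']!r}; RS256 needs an RSA public key"
    try:
        bits = int.from_bytes(b64url_decode(key["n"]), "big").bit_length()
    except ValueError:  # binascii.Error is a ValueError
        return "'n' is not valid base64url (a character was probably lost or altered)"
    if bits not in (2048, 3072, 4096):
        return f"modulus is {bits} bits, not a usual RSA size (a character was probably lost or altered)"
    return None


def _check_material(material: str, source: str) -> dict:
    text = material.strip()
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            return _result("jwk", False, f"{source}: not valid JSON ({exc.msg} at position {exc.pos}); check shell quoting and escaping")
        keys = doc["keys"] if isinstance(doc.get("keys"), list) else [doc]
        for key in keys:
            problem = _check_rsa_jwk(key)
            if problem:
                return _result("jwk", False, f"{source}: {problem}")
        return _result("jwk", True, None)
    if len(text) < 32:
        return _result("hmac", False, f"{source}: symmetric secret is {len(text)} characters; PostgREST requires at least 32")
    return _result("hmac", True, None)


def check_jwt_secret(value: str, read_file=_read_text) -> dict:
    """Classify a PGRST_JWT_SECRET value and flag the common misconfigurations."""
    if value.startswith("@"):
        path = value[1:]
        try:
            content = read_file(path)
        except OSError as exc:
            return _result("file", False, f"cannot read {path}: {exc} (is the volume mounted at that path?)")
        return _check_material(content, f"file {path}")
    return _check_material(value, "inline value")


if __name__ == "__main__":
    import os
    print(check_jwt_secret(os.environ.get("PGRST_JWT_SECRET", MANGLED_JWK)))
```

Run inside the container image (or with the same environment the compose file produces) so the value checked is the one PostgREST will actually see after the shell and YAML layers have had their way with the quotes.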
