Is it possible to generate and decode a JWT token using Vault?


Jorge Luna

Mar 27, 2019, 1:37:34 PM
to Vault
Currently I know that it supports JWT authentication, and it provides functionality to sign a hashed input and return the output as a JWS; the problem here is that the input cannot be reversed later.

What I really want is to be able to create the JWT token with the encrypted input and then be able to decode it, using only Vault, without needing any external tools/packages.

jmls

Jul 16, 2019, 11:39:17 AM
to Vault
I have the same question - has anyone managed to achieve this?

Jim Kalafut

Jul 17, 2019, 12:44:04 AM
to Vault
There isn't a generic JWT generator/decoder in Vault. There's some interest in this, and we've recently added some related capabilities as part of the identity tokens for 1.2, but currently the JWS signatures in transit are the closest general purpose support. The JWT structure is pretty simple and the JWS capability mentioned can be used to make a JWT. I've included a sample script at the end in case someone is trying to use Vault for this, since the construction steps aren't obvious.

In the original post the goal was to use only Vault for encoding and decoding the JWTs. If the problem is scoped that way, can't transit just be used directly to sign/encrypt/verify the data?

Regards,
Jim


Sample steps to make a JWT using Vault:

# JOSE header and JWT payload
HEADER='{"alg": "ES256","typ": "JWT"}'
PAYLOAD='{"sub": "1234567890","name": "John Doe"}'

# JWT segments must be base64url-encoded with the padding removed (RFC 7515);
# plain base64 produces '+', '/' and '=' characters that strict parsers reject.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Create a key in Vault.
vault write transit/keys/mykey exportable=true type=ecdsa-p256

# Prepare header and payload for signing (printf, not echo, so no trailing newline is encoded)
HEADER_B64=$(printf '%s' "$HEADER" | b64url)
PAYLOAD_B64=$(printf '%s' "$PAYLOAD" | b64url)
# transit expects its input as standard base64
MESSAGE=$(printf '%s' "$HEADER_B64.$PAYLOAD_B64" | openssl base64 -A)

# Sign the message using JWS marshaling type, and remove the "vault:v1:" key prefix
JWS=$(vault write -format=json transit/sign/mykey input="$MESSAGE" marshaling_algorithm=jws | jq -r .data.signature | cut -d ":" -f3)

# Combine to build the JWT
JWT="$HEADER_B64.$PAYLOAD_B64.$JWS"
printf "\nJWT:\n"
echo "$JWT"

# Export the key and print out the public key portion
vault read -format=json transit/export/signing-key/mykey/1 | jq -r '.data.keys."1"' > /tmp/privkey
printf "\nPublic Key:\n"
openssl ec -in /tmp/privkey -pubout 2>/dev/null

# You should be able to successfully decode the JWT on https://jwt.io
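The encoding steps the script relies on, and the reverse direction (turning a JWT back into the request body for Vault's transit/verify endpoint, which is how the token can be checked with Vault alone rather than jwt.io), as an added Python example that is not from this thread. It assumes the signing key version is 1 and that transit/verify accepts the same marshaling_algorithm=jws parameter as transit/sign; it makes no Vault call itself and only builds the request.

```python
import base64
import json

# Assumption: transit key version 1 produced the signature (the bare JWT no
# longer carries the "vault:vN:" prefix that the script's cut -f3 removed).
VAULT_KEY_VERSION = 1

def b64url(data):
    """base64url without padding, as every JWS segment requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    """Restore the padding a JWT omits; validate=True rejects stray characters."""
    std = segment.translate(str.maketrans("-_", "+/")) + "=" * (-len(segment) % 4)
    return base64.b64decode(std, validate=True)

def signing_input(header, payload):
    """Return (header.payload, Vault input=): transit wants its input as plain base64."""
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    msg = compact(header) + "." + compact(payload)
    return msg, base64.b64encode(msg.encode("ascii")).decode("ascii")

def assemble_jwt(msg, vault_signature):
    """Drop the vault:vN: prefix from a JWS-marshaled transit signature."""
    prefix, version, sig = vault_signature.split(":", 2)
    if prefix != "vault" or not version.startswith("v"):
        raise ValueError("not a Vault transit signature")
    return msg + "." + sig

def decode_for_vault_verify(jwt, expected_alg="ES256"):
    """Decode a JWT and build the transit/verify body. Trust nothing until valid=true."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:  # the token must not choose the algorithm
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    payload = json.loads(b64url_decode(p))
    b64url_decode(s)  # fail early on a malformed signature segment
    return {
        "header": header,
        "payload": payload,
        "verify_request": {  # vault write transit/verify/<key> with these fields
            "input": base64.b64encode((h + "." + p).encode("ascii")).decode("ascii"),
            "signature": "vault:v%d:%s" % (VAULT_KEY_VERSION, s),
            "marshaling_algorithm": "jws",
        },
    }
```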

