Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/10/19 05:47:24 UTC

[GitHub] [apisix] feipengheart opened a new issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

feipengheart opened a new issue #5281:
URL: https://github.com/apache/apisix/issues/5281


   ### Issue description
   
   After configuring jwt-auth with a public key and private key, the token obtained from the request cannot be used; the response is {"message":"Decode secret is not a valid cert\/public key: no start line"}
   
   The configuration is as follows:
   {
     "username": "kerouac",
     "plugins": {
       "jwt-auth": {
         "algorithm": "RS256",
         "disable": false,
         "exp": 86400,
         "key": "user-key-test",
         "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBPAIBAAJBAIw48ajnqOsJSTBtg84hHI1bvezI/rV/mwNZ7JT0nie/UAAJ6/XO\nJmj+GpQU8KQ4TivWtdUy++U9DdQMvnVCyD8CAwEAAQJAaGhmGBwWPJu3cWW6BJvH\nBMJQ0qR+c2pGY+JrNCZHzBCegBQYYHakeBAAkdqrE7kB2pDbk5Q4Wh8ZIR8ICt3X\nYQIjAIyzjudud40fDwJnHDdErccF3yDYzi6QnRyJnd5RSmsL/XkCHwD/IOinAetg\nhm001bjHLIOQmJbzDk6IQVd8zvyzXXcCIn5WsOfQglreW5zdtzFNYvkFpbAZ3TFk\nux6n13CL79WlI4kCHlKha/i7TGrE3xXfqqsHpcztPuaV2aWT1CweNgY53QIjAIoU\nJuW/0F0G9rY2LCEoxer2AXtriP1CQ4ImNSKgl0hTSPU=\n-----END RSA PRIVATE KEY-----",
         "public_key": "-----BEGIN RSA PUBLIC KEY-----\nMEgCQQCMOPGo56jrCUkwbYPOIRyNW73syP61f5sDWeyU9J4nv1AACev1ziZo/hqU\nFPCkOE4r1rXVMvvlPQ3UDL51Qsg/AgMBAAE=\n-----END RSA PUBLIC KEY-----"
       }
     }
   }
   Requesting the token:
   ![image](https://user-images.githubusercontent.com/66514726/137850930-a848ac70-3bd7-4cd9-9f7c-92799d6c6ec5.png)
   
   The error:
   ![image](https://user-images.githubusercontent.com/66514726/137850966-64dba2bb-5cfa-419b-8bef-7929d155fc3d.png)
   
   
   ### Environment
   
   - apisix version (cmd: `apisix version`):
   - OS (cmd: `uname -a`):
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   - etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   - apisix-dashboard version, if have:
   - the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
   - luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] feipengheart commented on issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
feipengheart commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946388017


   When the token is used, how does the private key encrypt/sign it? Could you let me know?





[GitHub] [apisix] feipengheart commented on issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
feipengheart commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946387657


   help! help! help!





[GitHub] [apisix] tzssangglass commented on issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946697010


   take a look at: https://github.com/apache/apisix/blob/50fed630823bb3c562f411d7cb5f5d38218348fb/t/plugin/jwt-auth.t#L702-L749
   
   what is `BEGIN RSA PUBLIC KEY`? I think it should be `BEGIN PUBLIC KEY`.





[GitHub] [apisix] feipengheart commented on issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
feipengheart commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946388164


   > When the token is used, how does the private key encrypt/sign it? Could you let me know?
   
   Could you please tell me how to encrypt and sign the private key using the token?





[GitHub] [apisix] tzssangglass commented on issue #5281: request help: jwt-auth sets the public and private keys, and the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946843735


   > That is, if the token is given to someone else, they can also access the API
   
   Yes, JWT is designed to do so.
   
   > I thought the private key was used by the client to encrypt the token, and that jwt-auth could then decrypt it using the public key or signature, but that is not the case.
   
   I don't want to discuss this. JWT generation and validation should be done by the server.
   
   > The public key and private key do not seem to have any effect.
   
   The private key is stored in the place where the JWT is issued, and the public key is stored in the place where the JWT is verified, so as to effectively prevent the private key from being leaked.
   
   > Is there any way to solve this problem, such as giving the user a private key, so that only a user who holds the private key can access the API with a valid token?
   
   What is the difference between this and username/password login? It is actually possible to achieve.





[GitHub] [apisix] feipengheart commented on issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
feipengheart commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946775630


   This works, but I found a new problem: if the token is given to someone else, they can also access the API. I thought the private key was used by the client to encrypt the token, and that jwt-auth could then decrypt it using the public key or signature, but that is not the case. After requesting the token, the token is added directly to the header to access the API. The public key and private key do not seem to have any effect. Is there any way to solve this problem, such as giving the user a private key, so that only a user who holds the private key can access the API with a valid token?





[GitHub] [apisix] feipengheart commented on issue #5281: request help: jwt-auth is configured with a public key and private key, but the requested token cannot be used

Posted by GitBox <gi...@apache.org>.
feipengheart commented on issue #5281:
URL: https://github.com/apache/apisix/issues/5281#issuecomment-946773067


   > take a look at:
   > 
   > https://github.com/apache/apisix/blob/50fed630823bb3c562f411d7cb5f5d38218348fb/t/plugin/jwt-auth.t#L702-L749
   > 
   > what is `BEGIN RSA PUBLIC KEY`? I think it should be `BEGIN PUBLIC KEY`.
   
   It is ok, but I found a new problem, that is, if the token is given to others, it can also access the API. I thought that the private key is used by the client for token encryption, and then jwt-auth can decrypt it using the public key, or signature, but the fact is not so. After requesting the token, add the token directly to the header to access the API. The public and private keys do not seem to have any effect. Is there any way to solve this problem, such as giving the user a private key, and only the user who has the private key can access the API with a valid token?

