feat: support jwt signing keys for local auth#3841
Conversation
Pull Request Test Coverage Report for Build 16416756141Details
💛 - Coveralls |
hf
left a comment
There was a problem hiding this comment.
Looks OK to me, however you may want to explore a jwk library if you want.
|
Maybe the default output format should be the key, while passing another parameter to give you the config.toml setting? Reason being this command can be used for people who want to import a private key they control. |
generate-key cmd for generating jwt signing keyse23950b to
edf8d7e
Compare
f6a01d7 to
0cbcee0
Compare
| } | ||
| out = f | ||
| } | ||
| jwkArray = append(jwkArray, keyPair.PrivateKey) |
There was a problem hiding this comment.
@cemalkilic do we need to show or save the public key to user?
There was a problem hiding this comment.
I think at this point, no.
|
|
||
| // Add JWT keys from file if configured | ||
| if keysData, err := utils.Config.Auth.GetSigningKeysData(fsys); err == nil && keysData != "" { | ||
| env = append(env, "GOTRUE_JWT_KEYS="+keysData) |
There was a problem hiding this comment.
@cemalkilic can we add the jwks parsed from line 148 directly here?
"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
"GOTRUE_JWT_KEYS=" + jwks,
There was a problem hiding this comment.
No, that jwks is consumed by the other services (storage, realtime etc) to accept tokens from the third party auth (docs).
Supabase Auth server shouldn't serve the JWKS of the third party auth providers.
62c58f7 to
df6a75f
Compare
|
is there an easy way to track when this will be available as docker gotrue image? Happy to instantly use it ;-) |
|
@logemann It seems to be working for me after installing the I'm now also getting an error when trying to use the js client with a "service role key", but JWTs are working well with the JWKs. |
|
@traviswimer Did you figure out a solution to the service role key not working? That's blocking me now. I keep getting "JWSError JWSInvalidSignature" errors when using it via the js-client |
|
@marcfrankel yep, you can generate your own JWT and use it as the service role key, but hopefully Supabase eventually provides a more streamlined solution. For now anyway, you can use In my case I used a node script with the jose library, so something like this: import { importJWK, SignJWT } from 'jose';
import jwks from './signing_keys.json';
const jwk = jwks[0];
delete jwk.key_ops;
const privateKey = await importJWK(jwk);
const jwt = await new SignJWT({ role: "service_role" })
.setProtectedHeader({ alg: "ES256", kid: jwks[0].kid })
.setIssuedAt()
.setIssuer("supabase")
.setAudience("authenticated")
.setExpirationTime("30d")
.sign(privateKey);I'm not sure why, but the When signing the JWT, you can set the expiration to whatever you like, but the strings used for the other fields are what supabase expects in a service role key. This is just the solution that worked for me. I have no idea if it is what the Supabase team would recommend, but since these are local JWTs that can't be used in production, I'm not too worried about it. |
|
Hey folks, sorry for the inconvenience. Working on the fix now to make it work with secret role keys. BTW @traviswimer that's a nice approach and the root cause! With current implementation, we sign the anon/service role keys with JWT secret and auth server is failing to validate them as it doesn't know about the JWT secret anymore. edit: solved in #3969, will be available soon with a version release. thanks for bearing with us! |
|
On cli v2.39.2 I am getting Error status 400: {"statusCode":"403","error":"Unauthorized","message":""alg" (Algorithm) Header Parameter value not allowed"} |
What kind of change does this PR introduce?
command to generate jwt signing keys & spin up auth server with the configured JWK keys
Steps
supabase gen signing-key ES256signing_keys_pathline in theconfig.toml.http://localhost:54321/auth/v1/.well-known/jwks.jsonCommand output
Run with
--appendflag