Good morning from Sweden!
I am using a setup of s...
# support-questions-legacyl
Lindo (Hannes Colt)
08/10/2023, 6:28 AMGood morning from Sweden!
I am using a setup of supertokens consisting of passwordless (phone verified login) and sessions. My stack also consists of Nest.js and Hasura. I've implemented JWTs according to your documentation, and it has mostly worked really well. However, there's one issue.
Every now and then, all the JWTs generated and sent for verification to Hasura are treated as invalid. When this happens, the only solution I've found is to restart the Hasura instance so that it refetches the JWK via the jwk_url. Once this is done, it starts working again.
It seems that this issue coincides with either an update of the JWK in our backend or a change in our backend deployment to use a newer version. I am assuming that Hasura remains unaware and doesn't attempt to refetch a new valid JWK.
I'm unsure if there's an error in my implementation or if this is a bug. Any help would be appreciated.
r
rp_st
08/10/2023, 6:30 AMhey @Lindo (Hannes Colt) the issue is that hasura does not refetch the new jwks keys when it finds an access token which was signed with a new key. This is an issue on their end, since all other jwt verification services do that (as far as i know).
So solve for this for now, you can enable the use of static keys in session.init on the backend: https://supertokens.com/docs/session/common-customizations/sessions/jwt-signing-key-rotation#using-static-keys-to-sign-access-tokens
l
Lindo (Hannes Colt)
08/10/2023, 6:31 AMAlright, thank you very much for the help!
Lindo (Hannes Colt)
08/10/2023, 6:46 AMI just read up a bit on hasuras handling of JWTS / JWKS and came opon this part:
https://hasura.io/docs/latest/auth/authentication/jwt/#rotating-jwks
Mentioning the required headers to be sent for hasura to be aware of the fact that a refresh needs to happen, are these guidelines something that the jwks endpoint you guys have implemented follows? and if not, is it something I can override and fix?
r
rp_st
08/10/2023, 6:46 AMthis is going to be released next week
l
Lindo (Hannes Colt)
08/10/2023, 6:47 AMAlright, thanks for the headsup!
Lindo (Hannes Colt)
08/10/2023, 7:01 AMI checked the response headers of the jwks.json URL and noticed that the header:
Strict-Transport-Security:
max-age=15724800;
Which is Thursday the second of july 1970 00.00.00
Is there no way for me to override this and fix the header name + max age value to something that works with the actual refresh time and hasura?
My boss was pushing me to see if I could fix this instead of having to wait a week, so I've got to ask: )
According to hasuras docs It will check for a max-age in Cache-Control header, so the requirement would be a name change for the header, I am guessing as well as updating the value of max-age to something that's in line with the actual next refresh of the JWKS.
r
rp_st
08/10/2023, 7:06 AMyou can override the jwks API from our backend SDK and add a max-age of 60 seconds. That would work well.
l
Lindo (Hannes Colt)
08/10/2023, 7:08 AMThank you!
Lindo (Hannes Colt)
08/10/2023, 7:26 AMWhen trying to override I noticed that there where no way to override through the session och passwordless recipies (those are the ones I am using). I found a override for the 'getJWKSGET' in the recipe/jwt. Would implementing and overriding that do what I want? Or do I have to go another route?
r
rp_st
08/10/2023, 7:27 AMi think the session recipe override takes an input for openid override, which takes and input for jwt override which has the getJWKSGET
rp_st
08/10/2023, 7:30 AMsomething like this:
Copy code
Session.init({
override: {
openIdFeature: {
jwtFeature: {
apis: (oI) => {
return {
...oI,
getJWKSGET: async function (input) {
let result = await oI.getJWKSGET!(input);
input.options.res.setHeader("custom-header", "custom-value", false);
return result;
}
}
}
}
}
}
})l
Lindo (Hannes Colt)
08/10/2023, 7:35 AMThank you very much, was struggling with that part! 🙂
Lindo (Hannes Colt)
08/10/2023, 8:00 AMGot everything to work! Super, I've just got a small concern, atm it refreshes the token every 60sec, which would in a worst case scenario mean that our hasura instance could work of an unvalid JWK for up to 59secs, and as such be uncontactable, I don't want to lower this value to 1sec to ensure that it doesn't happen, that feels like pretty bad solution having to check for a new JWK every 1sec,
I noticed something weird in my setup, first was the fact that the header:
Strict-Transport-Security:
max-age=15724800;
Is showing a max-age that is back in the 1970s,
This header also dissappeard when i added the Cache-Control header needed for hasura.
But what I am really wondering is if there's any way I can find out the actual expiration time of the JWK and use that for max-age, as that would eliminate any problems issuing from expired JWKs without having to spam the backend instance with requests.
r
rp_st
08/10/2023, 8:02 AMso once the signing keys have changed, the access token are still signed with the older keys for 60 seconds. Therefore, this should work in all cases.
l
Lindo (Hannes Colt)
08/10/2023, 8:07 AMSo if I understand you correctly there's a 'grace' period for 60sec when both the old signing keys and the new ones work?
Lindo (Hannes Colt)
08/10/2023, 8:08 AMCause otherwise it just moves the problem to the other end of the spectrum, making sure that the new keys won't work for 59sec in a worst case scenario, if I am not mistaken? xD
r
rp_st
08/10/2023, 8:40 AMyea, after the new keys have been issued, they will be avaialble in the jwks endpoint along with the older keys, but they won't be used to sign any access tokens.
l
Lindo (Hannes Colt)
08/10/2023, 8:41 AMWonderful, thanks foe the clearification!
8 Views