Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
l
Leonxx
10/07/2022, 8:52 AMHello. guys. I have a question about microservice JWT verification. Been following through the docs but still didn't understand
p
porcellus
10/07/2022, 8:53 AMhi. ask away 🙂
l
Leonxx
10/07/2022, 8:55 AMThis is from your docs.
my question is it can be used.
jwt should be taken from headers?
p
porcellus
10/07/2022, 8:58 AMThe most straightforward way to do machine-to-machine auth is the authorization header I'd say.
just to clarify: this is between two of your microservices?
l
Leonxx
10/07/2022, 9:01 AMyes.
p
porcellus
10/07/2022, 9:01 AMSo yeah, I'd use an authorization header to transfer this token between them.
l
Leonxx
10/07/2022, 9:06 AMyes I understand that. give me a sec I will try something
I send a request from UI. I receive data and forward this request with generated JWT token to MS. I receive this JWT and I hve trouble with verifing it
Thos are headers that I receive on MS
p
porcellus
10/07/2022, 10:09 AMhow are you sending/parsing this header? I'm just guessing but you might be missing a base 64 decode while parsing it.
l
Leonxx
10/07/2022, 10:10 AMthere is nothing said about base 64
jwt I should get from headers.authorization right?
p
porcellus
10/07/2022, 10:12 AMsure, but the authorization header in your screenshot looks like it has been base 64 encoded
l
Leonxx
10/07/2022, 10:13 AMI'm using your library and nothing more
p
porcellus
10/07/2022, 10:14 AMcan you show me how you make the call to the other microservice?
or how you are adding the authorization header?
oh I see. the screenshot was just cut off weirdly and I missed "."s
what goes wrong while verifying it?
also, you can copy and paste the token into jwt.io to check
l
Leonxx
10/07/2022, 10:24 AMtoken is not valid
token generated by createJWT is not walid in jwt.io
p
porcellus
10/07/2022, 10:25 AMhmm, could you paste the token here?
l
Leonxx
10/07/2022, 10:26 AMeyJraWQiOiI0NTg5NDcxYS1lMDQ1LTQ3ZGQtOGY3NC1lNjFlNDNkOTVmODEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJkYXRhIjoic2RmIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwic291cmNlIjoibWljcm9zZXJ2aWNlIiwiZXhwIjo0ODE4NzM4MzczLCJpYXQiOjE2NjUxMzgzNzJ9.EgOymmM2uuaSIe09P6jAWIaI6Pg6M1mvF8KF1XqKN0_MpF3ZdTbKB_5KoQtYrQqX567x-Xqu55IAgRhyA9RC0XD3aXekOkRW5TsnCq1dK_xPKK-pdVGpNtAgSDMdj99worepk8qIBKQYkU68RG_DauGbCUDzRFV4Rb-dk6xObFv0GxEcIU3pMz45ynPqIWZwexIWy2i-W7flUdq-AYugzoZlR_qGLnjnvQkrQIi8UTiadsTQFUfCwJYODKsuT0Rqz9o2qJ7ghFf9IcxqJX7A-8EdsIKj1r2K5RMGtPyOr4PyZ4oQpJdaJTAdTT_i0hcY7fQJTO8OQ6MI7g2bg1hSdQ
p
porcellus
10/07/2022, 10:27 AMpasting this seems to be working for me
I mean they can't check the signature of course, because they'd need the jwks endpoint of backend to do that.
l
Leonxx
10/07/2022, 10:29 AMSo it should be invalid then?
p
porcellus
10/07/2022, 10:29 AMthe signature checking won't work on jwt.io if you don't copy/paste your keys, that's correct. but on the right you should be able to see your data decoded.
l
Leonxx
10/07/2022, 10:30 AMyes that I saw
p
porcellus
10/07/2022, 10:30 AMwhat goes wrong/what exception are you getting while verifying the token?
can you also show how you are doing that?
right, so please try and log the value of the jwt before calling verify.
what I think you'll find is that you didn't cut off the "Bearer " prefix
l
Leonxx
10/07/2022, 10:34 AMnope I didn't
but in this case should I send this prefix?
p
porcellus
10/07/2022, 10:34 AMthat's the standard way of doing it. but you don't really need it.
it's between your own microservices... so it's your call.
l
Leonxx
10/07/2022, 10:37 AMOk i does work
p
porcellus
10/07/2022, 10:38 AMgreat 🙂
l
Leonxx
10/07/2022, 10:40 AMso it will be cool if you add that to your docs that user don't need to use bearer or the need to cut of that or just include siome function that will cut of that bearer for the user
Overall I am still learning supertokens and I'm pretty happy about that. But docs sometimes are not straight forward
p
porcellus
10/07/2022, 10:41 AMany feedback and suggestions are welcome 🙂
I'm not sure where we'd add this advice, since we never recommend adding the bearer prefix (or offer advice on how you can transport this between microservices I think)
ooh, right. I was looking at the main jwt docs, not the microservice specific ones. I thought the search function worked across these recipes
I'll open an issue about this in our docs repo or you can open one as well if you'd like to track this 🙂