Cookie description in documentation about nginx-jwt-module HOT 35 CLOSED

Ok, as you can see now, your server send back the two variables, and it's fine... Dbg-Cookie-Lt-Jwt sends back the good value...

can you try to add auth_jwt off; int the http context ? I wonder if it may be related to #2.

from nginx-jwt-module.

#2 is fixed, closing this issue.

from nginx-jwt-module.

You should try to mark your configuration locations to be sure that it isn't the problem:

server {
    add_header dbg-uri $uri;
    add_header dbg-loc "server";
    location = /application {
        add_header dbg-loc "application";
    }
    location = /api {
        add_header dbg-loc "api";
    }
}

from nginx-jwt-module.

Ok I can reproduce it now, I will dig this soon !

from nginx-jwt-module.

Thanks a lot to contributing, I have seen your patch but there is a problem with it: two tests are failing.
I wanted to avoid a copy of the string, but as this leads to a bug, I will replace the char**token by a pointer on a ngx_str structure.

from nginx-jwt-module.

Well, it can be a cookie as it can be anything:
In the documentation $cookie_MyCookieName refers to the nginx's dynamic cookie vairable.
So if you want to check a cookie named 'jwt' you'll have to set auth_jwt to "$cookie_jwt".
There is some examples in the test file where the cookie is named "rampartjwt"

from nginx-jwt-module.

Thanks, yeah for some reason I can't get the cookie option to work in the browser. The weird thing is that it works via curl. In my test setup I have two locations in nginx - something like this:

server {
    auth_jwt off;
    auth_jwt_key "AUTH0_CLIENT_SECRET";
    [...]
    location = /application {
        auth_jwt $cookie_lt_jwt;
        root /usr/src/static;
        try_files /application.html =404;
    }
    location = /api {
        # just turning it on will expect the JWT in the header
        auth_jwt on;
        root /usr/src/static;
        try_files /application.html =404;
    }
}

Using the same JWT, I was able to successfully access both with curl, but can never get through to the /application location in the browser. I tested this via:

curl https://some.page.com/api -H "Authorization: Bearer ey......." ✅
curl https://some.page.com/application --cookie "lt_jwt=ey......." ✅

But when I actually navigate to the page, I can confirm the same cookie is stored in the browser, but I am still getting 401 unauthorized and an error in the nginx error.log regarding parsing of the JWT.

Can you possibly think of any reason, why nginx wouldn't be able to pickup / parse that cookie correctly in the browser, while it appears to be working fine with curl?

from nginx-jwt-module.

I would look at the underscore.
try to debug it with something like:

location = /api {
    return 200 "cookie is $cookie_lt_jwt";
}

Edit: nope, just tested it it works fine with underscores...
What is the URL you tried in the browser ?

from nginx-jwt-module.

You are welcome to try it out here: https://my.login-test.com [Update: this link won't work anymore]

There is a flask (python) server running underneath nginx for the login part, which is roughly based on the auth0 python example (https://auth0.com/docs/quickstart/webapp/python).

from nginx-jwt-module.

Ok, I found the problem, the "session" cookie is parsed with the "lt_jwt" one...
I don't know why nginx is behaving like that, I will dig into it.

from nginx-jwt-module.

Thanks for looking into this! The auth0 example was putting that info into the session. Here is the code that is actually writing the cookies (and extends the session). I wouldn't expect that to interfere with the authentication, though:

@app.route('/callback')
def callback_handling():
    # Handles response from token endpoint
    token = auth0.authorize_access_token()
    resp = auth0.get('userinfo')
    userinfo = resp.json()

    # Store the user information in flask session.
    session[constants.JWT_PAYLOAD] = userinfo
    session[constants.PROFILE_KEY] = {
        'user_id': userinfo['sub'],
        'name': userinfo['name'],
        'picture': userinfo['picture']
    }

    # Store the token as a cookie
    response = redirect('/dashboard')
    response.set_cookie('lt_jwt',
                        value='{}'.format(token.get('id_token')),
                        max_age=token.get('expires_in'),
                        httponly=True,
                        secure=False)
    return response

It's entirely possible that token.get('id_token') isn't the correct thing to store in the lt_jwt cookie here.

from nginx-jwt-module.

That's a strange issue because I cannot reproduce it locally.
I tried curl <SITE> --cookie 'lt_jwt=eyJ0eX...hn4TY; session=eJzNkMt...rA' both on your site and localhost, it works on localhost, not on the remote site.
But changing it by curl <SITE> --cookie 'lt_jwt=eyJ0eX...hn4TY makes it works...
The problem is not from nginx's way to parse $cookie_name.
Are you manipulating $http_cookie variable at some point ? or $cookie_lt_jwt ?

Edit:
Can you add add_header DBG-HTTP-COOKIE $http_cookie; and add_header DBG-COOKIE-LT-JWT $cookie_lt_jwt; in you server configuration to debug it ?

from nginx-jwt-module.

Are you manipulating $http_cookie variable at some point ? or $cookie_lt_jwt ?

Not intentionally and the python code above appears the only obvious place where any cookie is changes / created. Since I actually won't really need the flask session cookie in the end - I'll see if I can't just disable it.

PS: I can confirm that deleting the session cookie (even just in the browser console) allows you to access /application

from nginx-jwt-module.

Maybe there is something checking for the "session" cookie before checking the "lt_jwt" one. Is your server behind a proxy ?

from nginx-jwt-module.

Yes, NGINX is being used as a reverse proxy:

location / {

    proxy_pass         http://127.0.0.1:3000;
    proxy_redirect     off;
    proxy_set_header   Host $host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host $server_name;
    proxy_connect_timeout       300;
    proxy_send_timeout          300;
    proxy_read_timeout          300;
    send_timeout                300;

}

The flask python server is then run on 127.0.0.1:3000

from nginx-jwt-module.

But since the 401 came from NGINX directly, I didn't expect any of the other locations to even reach that python code?

from nginx-jwt-module.

Please add add_header DBG-HTTP-COOKIE $http_cookie; and add_header DBG-COOKIE-LT-JWT $cookie_lt_jwt; in you server configuration to debug it.

from nginx-jwt-module.

Ok, I added those as part of the top-level server NGINX config. Now the /application link works - not sure why, though

PS: I since renamed the cookie to ltjwt to avoid any potential issues with the underscore

from nginx-jwt-module.

In the server context I had already specified auth_jwt off; as the "default". I moved that up one layer and took out the add_header DBG-... again. It appears to be working now. So it may indeed be related to #2 - I very much appreciate your help here!

from nginx-jwt-module.

Ok, I will fix #2 now, it's a simple inheritance issue.

from nginx-jwt-module.

Hi @Maxx-T it's me again ;) I tested the latest master branch and the changes unfortunately didn't solve my problem. In addition, they actually "broke" the previous workaround. Now, putting the auth_jwt off; statement in the http context , no longer solves this issue for me.

Authentication works when there is only a single cookie present. Adding any (random) additional cookie breaks the authentication (as described before).

I added the header Dbg-Http-Cookie again and it certainly shows all cookies are part of $http_cookie. Is there possibly a problem with getting the right cookie down the line?

from nginx-jwt-module.

The important header to set is the add_header DBG-COOKIE-FOO $cookie_your_cookie_name;.
Also, it sould work without specifying auth_jwt off; now.

from nginx-jwt-module.

Yes, I added both headers and the DBG-COOKIE-FOO looks good to me. I'll add an additional debug output to the c code to see what is going on...

from nginx-jwt-module.

You can use the dev branch, it is fastest to build and set to verbose mode:

git checkout dev
cd dev
./build 
docker run -p 8000:8000 jwt-nginx-s4

then to test other configurations you just have to build with ./build s4 to update the nginx configuration.

I would suspect the location = /xxx in your configuration: if your server is behind a proxy the equal matcher could not match any example.com//xxx or example.com/xxx/ instead of example.com/xxx

from nginx-jwt-module.

What I can't wrap my head around is if the location config was a problem, why would it start to work when I delete any additional cookies?

from nginx-jwt-module.

It may be something due to a problem with location priority, because of your reverse proxy rule, something like:

server {
    location / {
       #matches first, see a session cookie, parse it, reject it -> 401
    }
    location = /xxx {

    }
}

Also, try to replace, at least for now location = /xxx by location ^~ /xxx

from nginx-jwt-module.

Yes thanks - I did those things. If location / really sees a (valid) session cookie, why would it reject it?

I added this debug statement here #9 and looking at the jwt_data.

If I have only a single cookie (containing the JWT) jwt_data is correct:
2018/09/13 11:52:07 [debug] 63#63: *5 Found JWT: ey.....

However, if you add any random additional cookie - it ends up in that jwt_data as well like this:
2018/09/13 11:52:30 [debug] 63#63: *5 Found JWT: ey.....; random=value

Are you sure there isn't a problem with how the cookie data is being read?

from nginx-jwt-module.

Yes I am: 1) it would imply that nginx cannot parse a cookie correctly, 2) I cannot reproduce.
The problem is either in the way you build your image, either in your nginx configuration.

• Can you reproduce it with docker run -p 80:80 -v your-nginx-config-dir:/etc/nginx maxxt/nginx-jwt-module:2018-09-13T01-44
• Can you post your full configuration ?

from nginx-jwt-module.

Have you tested with more than one cookie with curl? Because curl and postman doesn't work for me with more than one cookie.

from nginx-jwt-module.

There is a comment here:

// the cookie data is not necessarily null terminated... we need a null terminated character pointer

https://github.com/tizpuppi/ngx_http_auth_jwt_module/blob/bf8ae5fd4b8e981b7683990378356181dee93842/ngx_http_auth_jwt_module.c#L235

from nginx-jwt-module.

It's not that, pcalloc set all bytes to 0.

from nginx-jwt-module.

Still, curl doesn't work with more than one cookie

from nginx-jwt-module.

I agree that it's most likely my config, though!

from nginx-jwt-module.

Indeed. Can you post it somewhere ? a gist or something ?

from nginx-jwt-module.

Let me know if you still need the full config and I'll share it somewhere. Thanks!

from nginx-jwt-module.