JWT token integration with Montandon

[udaynwa]

JWT

#1982

1. Token Creation:
   The server creates a JWT token payload containing relevant information of the user.
   This payload typically includes information:

   • JWT Metadata
     • jti: JWT Token ID (Used for blacklist)
     • exp: Expiration time for now.
   • Go Metadata
     • userID: Go Internal userID
     • inMovement: True

   Example:

   {
       "jti": "XXXXXXXX-YYYY-ZZZZ-AAAA-BBBBBBBBBBBB",
       "exp": 1709650851,
       "userId": 1,
       "inMovement": true
   }

2. Token Signing:
   The server signs the token using the private key.
   The chosen algorithm for signing is EdDSA.

   Example code snippet:

   token = jwt.encode(
       payload,
       JWT_PRIVATE_KEY,
       algorithm='EdDSA',
   )

3. Token Verification:
   In order to verify the sample token, the token needs to be decoded.
   Then the signature is used to verify the token was created by the correct author.
   Then addtional JWT claim such as jti, exp are used to determine if token should be used.
   The relevant payload of the token is then extracted after validation.

   Example code snippet:

   payload = jwt.decode(
       token,
       JWT_PUBLIC_KEY,
       algorithms=['EdDSA'],
   )

Sample

Sample Token:

• Valid (Till 2024 March 4)

eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ZGRmYWJhNy04NGUzLTRkNjYtYWMyYS1iYWUwN2RlYzM0ZWYiLCJleHAiOjE3MDk2NTI4NzAsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.d-7hcnoqnXXuXlC0iG4INbqnd2z02MIoLcW5bORUdZrEpWrxXKnKgO-LbHZ5yIQ2Mz_TmPPal5UMEaYPaeEzDA

• Valid but expired

eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ZGRmYWJhNy04NGUzLTRkNjYtYWMyYS1iYWUwN2RlYzM0ZWYiLCJleHAiOjE3MDcwNjA4NzAsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.3E_gPlYlogeAXicScK-EHkBVV1fKNmGf2MABsZTP0BvGFoPY7DCNHdvaLLj-OazbLUDQnuXNv3ui6bcyrfCtBQ

• Invalid (Signed using different public key)

eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ZGRmYWJhNy04NGUzLTRkNjYtYWMyYS1iYWUwN2RlYzM0ZWYiLCJleHAiOjE3MDk2NTI4NzAsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.hHToNoykVgXCGfskADEAS0-78m4QfFqD3P9iet2ZT7Y-7ZLPWLd78JHBddfzRTJ2Jdm6IK4-HA0fihuqlQszBw

Public Key:

-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca6qqX/0O7a/9rUIIU+ShfJ8zaXc73BGNvayI2QAfWo=
-----END PUBLIC KEY-----

Verify Example.

import jwt  # Install using pip instal pyjwt

token = 'eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2ZGRmYWJhNy04NGUzLTRkNjYtYWMyYS1iYWUwN2RlYzM0ZWYiLCJleHAiOjE3MDk2NTI4NzAsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.d-7hcnoqnXXuXlC0iG4INbqnd2z02MIoLcW5bORUdZrEpWrxXKnKgO-LbHZ5yIQ2Mz_TmPPal5UMEaYPaeEzDA'
JWT_PUBLIC_KEY = '''
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAca6qqX/0O7a/9rUIIU+ShfJ8zaXc73BGNvayI2QAfWo=
-----END PUBLIC KEY-----
'''

payload = jwt.decode(
    token,
    JWT_PUBLIC_KEY,
    algorithms=['EdDSA'],
)

print(payload)

[udaynwa]

@tovari , we have a question about inMovement. We could not find any releveant information about it in the code-base. Could you help us by explaining how it is determined in the system?

cc @thenav56 @frozenhelium @samshara

Looping @hamishwp here as well.

[hamishwp]

Great! Thanks team, this looks good. I'll check this out over the next few days to validate it.

[samshara]

@hamishwp ,
Once you have verified the token, we also need your input on the information that we capture in the payload.

[hamishwp]

Hey I tried to verify the token, but am having issues with the EdDSA signature algorithm as it's not implemented in JWT packages in R. Do you think it might be possible to use a different algorithm? Specifically, either a HMAC tag or RSA/ECDSA signature? Please remember that none of the data is secret, and most of it is open access anyway. So the token signature algorithm really doesn't need to be too secure, just a little more than nothing tbh. If not, then I could find a work-around by calling a python script from R, but it slows things down quite a bit. Thank you very much in advance!
@samshara @udaynwa

[thenav56]

Important

The public key provided below is for proof-of-concept, It isn't used by IFRC GO Staging/Production instance

Hey @hamishwp Thanks for the response.

We were using ed25519, but let's go with ES256 which seems to be supported by R.

We tried and it seems to be working. Can you check if this works for you setup as well?

library(openssl)
library(jose)

jwt_valid <-"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJlYWY1ZTNiNy0yYjEyLTQ5YjAtODAwMS0wNTkwNjU2NjViM2IiLCJleHAiOjE3MTAxNTU3NDcsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.-GtxfmrQVsAebgh243ibLRtGeKFml27Xibv_QBLkdA2zpuiCnJrUDkDOpn-a_6sbdY6HCDbdQLZ_Qzy8xMYF1Q"
jwt_valid_expired <-"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJlYWY1ZTNiNy0yYjEyLTQ5YjAtODAwMS0wNTkwNjU2NjViM2IiLCJleHAiOjE3MDc1NjM3NDcsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.pS8m6aA2H-n3jaspYGVV2lSaiLrycj7M_Wcu4myIGbIEOP9RfszP5XVESux7DfevFjPNQymnKke826WBM5s6Kg"
jwt_invalid <-"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJlYWY1ZTNiNy0yYjEyLTQ5YjAtODAwMS0wNTkwNjU2NjViM2IiLCJleHAiOjE3MTAxNTU3NDcsInVzZXJJZCI6MSwiaW5Nb3ZlbWVudCI6dHJ1ZX0.40rG9nsebgg5OXa4veS7i6ncS_Y-oa9_YfzA4SOpxUQR1WySogvaax-yaiCQsReJkqILw0k_HhMlQzithVFUzw"

tokens <- list(jwt_valid, jwt_valid_expired, jwt_invalid)

pubkey <-"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENY+2EWMEwWzcJoTZh/Wu0/RxEgx4\nZyEAO8lSXF4paSO3G30jGz8YVSXRdbjfZvWt62+dkZvi2Vi8/BdBjLSVfQ==\n-----END PUBLIC KEY-----"

for (token in tokens) {
    print(sprintf("--- Processing token: %s", token))

    tryCatch({
        payload <- jwt_decode_sig(token, pubkey = pubkey)
        print(payload)
    }, error = function(e) {
        print(e)
    })
}

[hamishwp]

Great, thank you!