FusionAuth
    fusion auth versus jose4j library for jwt using secp256k

    General Discussion
    jwt verification fusionauth header
    • benjamineroommen

      I am a beginner in terms of JWT libraries in programming.

      How is the key pair used (secp256k1) related to the algorithmic header used for creation of the JWT?

      And why doesn't FusionAuth need an algorithmic header such as JWSAlgorithm.ES256K (nimbus library) or AlgorithmIdentifiers.ECDSA_USING_SECP256K1_CURVE_AND_SHA256 (jose4j 0.9.0)?

      I am confused with these relations, please shed some light over it.

      Stackoverflow: https://stackoverflow.com/questions/75377128/fusion-auth-versus-jose4j-library-for-jwt-using-secp256k

      • dan @benjamineroommen

        @benjamineroommen Thanks for looking at the fusionauth-jwt library.

        I'm not sure I understand your question. Can you rephrase it?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • benjamineroommen

          1. OK, the main thing is: is it okay to use the header ES256 for a JWT created using secp256k1 keys?

          https://datatracker.ietf.org/doc/html/rfc8812 says the secp256k1 curve should only be used with the ES256K header, but in FusionAuth, even if we give a k1 key pair and then sign and encode a JWT using EC, it will come out as ES256 only. Is that okay?

          2. Another doubt is that those JWTs (k1 curve keys + ES256) created in FusionAuth can only be verified in jose4j with .setRelaxVerificationKeyValidation() // needed if the key is smaller than 256 bits.

          Without it we get the error:

          JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.InvalidKeyException: ES256/SHA256withECDSA expects a key using P-256 but was null):

          Description inside setRelaxVerificationKeyValidation:

          Bypass the strict checks on the verification key. This might be needed, for example, if the JWT issuer is using 1024-bit RSA keys or HMAC secrets that are too small (smaller than the size of the hash output)

          Is this the correct way to validate a JWT created using EC in FusionAuth?

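The verifier side of the question in the last post, as an added example that is not from the thread or from either library: jose4j 0.9.0 accepting a secp256k1-signed token under its ES256K identifier with key validation left strict, and rejecting the same key labelled ES256 rather than relaxing verification. The issuer URL, subject and class name are constructed, and it assumes a JCA provider that implements secp256k1.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
public class Secp256k1JwtCheck {
    // Assumption: a JCA provider implementing secp256k1 is installed
    // (JDK 16+ dropped the curve from SunEC; Bouncy Castle supplies it).
    static KeyPair newSecp256k1KeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256k1"));
        return kpg.generateKeyPair();
    }
    // Sign a 5-minute token with the given "alg" header over the secp256k1 key.
    // validateKey=false is used only to reproduce the ES256-labelled token from the thread.
    static String sign(KeyPair kp, String alg, boolean validateKey) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("https://issuer.example"); // constructed sample issuer
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(kp.getPrivate());
        jws.setAlgorithmHeaderValue(alg);
        jws.setDoKeyValidation(validateKey);
        return jws.getCompactSerialization();
    }
    // Strict verifier: only ES256K is permitted and key validation stays on, so the
    // key's curve and the "alg" header must agree, as RFC 8812 requires.
    static JwtConsumer strictEs256kConsumer(KeyPair kp) {
        return new JwtConsumerBuilder().setVerificationKey(kp.getPublic())
            .setExpectedIssuer("https://issuer.example").setRequireExpirationTime()
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                AlgorithmIdentifiers.ECDSA_USING_SECP256K1_CURVE_AND_SHA256))
            .build();
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = newSecp256k1KeyPair();
        JwtConsumer consumer = strictEs256kConsumer(kp);
        String good = sign(kp, AlgorithmIdentifiers.ECDSA_USING_SECP256K1_CURVE_AND_SHA256, true);
        System.out.println("ES256K accepted, iss=" + consumer.processToClaims(good).getIssuer());
        String mislabelled = sign(kp, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256, false);
        try { consumer.processToClaims(mislabelled); }
        catch (InvalidJwtException e) { System.out.println("ES256 over secp256k1 rejected: " + e.getMessage()); }
    }
}
```

The second token is refused on the algorithm constraint before any signature check, which is the behaviour a relying party wants instead of the relaxed-validation workaround.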