Hi there,
I’m trying to manually validate a JSON Web Token for #security:access per these #developers docs:
I installed jq, lokey, and six, then ran:
curl -s https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs | jq .keys[0] | lokey to pem -----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA01SvMv4TgFIECQgzHaRL
DGVaKhRQHjgdiSOpbqhHQMdcNtBIM0HAQbrs7YS6sQCCdZC5wCvlq3xgqdU5J6k
YI5OCSsIWXKkobAl6PbXHdN0bJximeiHGa3O0hMREP6RKBoI6ayNmZ3WlVGWY
6ie47KGqN69l7fPKyZvszb4GdpxE0r8gllZZwIuPjzlghXRlrkaP48ucQwo+tq
PSSdDdW57TCFmy+G547W5iWZWJIeNkfVu9t6FktvCwSZ1ekum3X7IQcd0O0DWSR
Aj9tzNDPkzOeSFxmQkKpWs8Qw7ZBIfLOsO3DCH6VPNhS2cqhw1AAMunh8alDKQU
aQIDAQAB
-----END PUBLIC KEY-----
This returned:
Usage: lokey to pem [OPTIONS]
Try "lokey to pem --help" for help.
Error: no such option: -----BEGIN
lokey to --help gives the example as cat your-key | lokey to pem, so the CF documentation doesn’t appear correct in supplying a public key as part of the lokey command.
If I instead run curl -s https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs | jq .keys[0] | lokey to pem, I get a public key back in the terminal, but it’s obviously different to what’s in the CF docs.
If I save that key and run cat ./cf-my-jwt.key | lokey to pem, I get yet another public key back.
If I run curl -s https://mydomain.cloudflareaccess.com/cdn-cgi/access/certs | jq .keys[0], I get the first child from the JSON file at that address.
If I dump the public key from the dev docs into a file and run cat ./cf-jwt.key | lokey to pem, I get an error:
Error: Could not deserialize key data.
I thought this error may be caused by having the public key from the CF docs on one line with spaces inserted where the lines wrapped, but even after formatting it correctly (I think), I still get the same issue.
So… I’m a bit confused as to how to manually validate the JWT. I assume the idea is to generate a private key that can be supplied to jwt.io, but I don’t get how the public key in the CF docs fits into things, given how lokey wants the key piped to it rather than supplied as an argument, and it’s already getting the result of jq piped to it.
Anyone have any ideas on how to make this work?
Thanks for your help.
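The step the post is fighting with is the conversion of one RSA JWK from the certs endpoint into a PEM public key, which is all lokey does here. Below is an added example, not part of the original post or of lokey, that performs that conversion with the Python standard library only; JWK_SAMPLE is a constructed toy key, and jwk_for_token is an assumed helper that picks the JWKS entry matching the token header's kid rather than blindly taking .keys[0], since the endpoint serves more than one key during rotation.

```python
import base64, json

# Constructed toy JWK (not a real Cloudflare key); a real one has a 2048-bit n.
JWK_SAMPLE = {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "k1",
              "n": "wbI", "e": "AQAB"}  # n = 0xC1B2, e = 65537

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def b64url_decode(s: str) -> bytes:
    """JWK/JWT fields are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def der_tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value: short-form length below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(i: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value with the high bit set positive."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def jwk_to_der(jwk: dict) -> bytes:
    """RSA JWK -> DER SubjectPublicKeyInfo, the structure behind 'BEGIN PUBLIC KEY'."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are handled here")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))   # RSAPublicKey
    algorithm = der_tlv(0x30, RSA_OID + b"\x05\x00")           # AlgorithmIdentifier + NULL
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)       # leading 0 = no unused bits
    return der_tlv(0x30, algorithm + bit_string)

def jwk_to_pem(jwk: dict) -> str:
    """Base64 the DER and wrap at 64 columns, the layout PEM parsers expect."""
    b64 = base64.b64encode(jwk_to_der(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def jwk_for_token(jwks: dict, token: str) -> dict:
    """Select the JWKS entry whose kid matches the token header instead of .keys[0]."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    for key in jwks["keys"]:
        if key.get("kid") == header.get("kid"):
            return key
    raise KeyError("no JWK with kid %r in JWKS" % header.get("kid"))
```

The PEM this produces is what jwt.io's "public key" field expects for RS256; the 64-column wrapping matters, which is why a key pasted as one line with stray spaces fails to deserialize.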