graphql-engine: HASURA_GRAPHQL_JWT_SECRET not working with RS256 in docker-compose

From docker-compose.yaml HASURA_GRAPHQL_JWT_SECRET : ‘{“type”:“RS256”, “key”:“-----BEGIN PUBLIC KEY-----[mypublickey]-----END PUBLIC KEY-----”}’

Fatal Error: JWT conf: Error in $: Invalid JWK: Could not decode PEM: invalid PEM delimiter found

Am I doing something wrong?

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 17 (5 by maintainers)

Most upvoted comments

@ecthiender I agree, the key above is not in the PEM format, however I´ve tried the same with our PEM formatted key from the .pem file

      containers:
        - image: hasura/graphql-engine:v1.0.0-beta.9
          imagePullPolicy: IfNotPresent
          name: hasura
          env:
            - name: HASURA_GRAPHQL_DATABASE_URL
              value: postgres://hasura:[MASKED]@192.168.22.11:5432/masterdata
            - name: HASURA_GRAPHQL_ENABLE_CONSOLE
              value: "true"
            - name: HASURA_GRAPHQL_ENABLED_LOG_TYPES
              value: "startup, http-log, webhook-log, websocket-log, query-log"
            - name: HASURA_GRAPHQL_JWT_SECRET
              value: '{"type": "RS256","key": "-----BEGIN PUBLIC KEY-----
                                               MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7gtigpr8za0aY4pl5KVE
                                               93FPfwk9lfF9OX1QtMCP8fEm1aQL3SqNBlf+pRC2/TW0p5U5XcfFO/YLVMKzGpEG
                                               XD85SFyQbHUIoBswY6y4HswmeLA2/O+/Jo6guiPriXWpq4QS6arJgdCr+LGsphq3
                                               sY/Lxr8YOJWbCpM8UoR4foF580ixnfKSY41sHneTF9GwQyv1zt8uJ9MviBZpvCS1
                                               1wC7K81q0mPyM5QGBSdLDvTLizf4htOEQufRVzF7e4n2zFsnLXgmlyUFLRW/DOBV
                                               /lr1O7IO5WVRNf4M8x5pmtsG2dDJ9RBogx+s3cibkcwzPJuLd/Hru9CoCtMAEMnh
                                               7wIDAQAB
                                               -----END PUBLIC KEY-----","claims_namespace": "hasura","claims_format": "json"}'
          ports:
            - containerPort: 8080
              protocol: TCP
          resources: {}

I´ve tried that with spaces, with no spaces, as a single line without line breaks etc and it always produces

Fatal Error: JWT conf: Error in $: Invalid JWK: Could not decode PEM: invalid PEM delimiter found

EDIT:

Got it working now by changing a few things:

Added line breaks again
Changed the type to “RS512”
Added HASURA_GRAPHQL_ADMIN_SECRET

Thank you anyway 😃

 - name: HASURA_GRAPHQL_ADMIN_SECRET
              valueFrom:
                secretKeyRef:
                  name: hasura-secrets
                  key: hasura-admin-secret
            - name: HASURA_GRAPHQL_ENABLED_LOG_TYPES
              value: "startup, http-log, webhook-log, websocket-log, query-log"
            - name: HASURA_GRAPHQL_JWT_SECRET
              value: '{"type": "RS512","key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7gtigpr8za0aY4pl5KVE\n93FPfwk9lfF9OX1QTMCP8fEm1nOL3SqNBlf+pTC2/TW0p5U5XcfFO/YLPMKzGpEG\nXD85SFyQbHUIoBswY6y4HswneLA2/O+/Jo6guiPriXWpq4QS6arJgdCr+LGsphq3\nsY/Lxr2YOJWbCpM8UoR4foF580jxnfKSY41sHneTF9GwQyv1zt8uJ9MviBZpvCS1\n1wD7K81q0mPyM5QGBSdLIvTLirf4htOEQufRHzH7e4n2zFsnLXgmlyUFLRW/DOBV\n/lr1O7IO5WVRNf4M8x5pmtsG2dDJ9RBogx+s3cibkcwzPJuLd/Hru9CoCtMAEMnh\n7wIDAQAB\n-----END PUBLIC KEY-----","claims_namespace": "hasura","claims_format": "json"}'

mklueh on Nov 5, 2019

@jakobrosenberg This is typically a quoting/newline error. Can you use https://hasura.io/jwt-config and generate the value with proper escaping etc. and try again?

shahidhk on Jan 3, 2019

Thank you for your help @shahidhk .

For anyone else with this problem, my solution was to decode the public key to XML and then reencode it to PEM. https://superdry.apphb.com/tools/online-rsa-key-converter

jakobrosenberg on Jan 3, 2019