Running service locally with JWT secrets

Is it possible to run a service locally when the service has been defined to use JWTs? With JWT in my proto files I get errors from the proxy service:

akka-serverless-proxy_1 | {"timestamp":"2022-01-01T14:35:42.137Z","mdc":{"akkaAddress":"akka://akkaserverless-proxy@172.24.0.3:25520","akkaSource":"akka://akkaserverless-proxy/user/discovery-manager","sourceActorSystem":"akkaserverless-proxy"},"logger":"com.akkaserverless.proxy.DiscoveryManager","message":"Supervisor RestartSupervisor saw failure [8]: Method [###.CreateI] configured to validate a JWT token, however this service has not been configured for JWT validation."

Hi, I’m afraid there’s no support for running with the jwt support locally, yet.

I believe it is possible to make it work now, it’s just a bit messy that’s all.

In your docker-compose.yaml, in the command line for akka-serverless-proxy, you can add the following arguments:

-Dakkaserverless.proxy.jwt.secrets.0.key-id=dev -Dakkaserverless.proxy.jwt.secrets.0.algorithm=HS256 -Dakkaserverless.proxy.jwt.secrets.0.secret=your-secret

You can also add -Dakkaserverless.proxy.jwt.secrets.0.issuer if you wish to specify an issuer for the key, and you can specify a second secret using .1. instead of .0..

I haven’t actually tried the above yet, but do let me know how it goes.

We do intend to make it easier than this, but we’re not 100% sure what the best feature set to provide is. Do you care what the secret is? Would you be satisfied with using the JWT none algorithm during testing/development? The none algorithm by the way still produces tokens with claims, and the claims will still be verified against messages, it’s just that they aren’t signed (so they can easily be forged).

I’ve just implemented support for the following:

  • We now have a none JWT algorithm type, which means, don’t sign, don’t validate the signature. It still produces a token, claims in the token are still validated against the message, and so on, so you can still test the JWT support, it’s just that the JWT tokens do not contain a signature, which makes it possible for an attacker to forge a JWT, however, in development/testing, that shouldn’t be an issue.
  • The none algorithm can’t be configured in production.
  • A JWT secret with key id “dev” using the none algorithm type is configured by default when running locally. It can be disabled by setting the environment variable JWT_DEV_SECRET to false in docker-compose.yml.
  • The issuer name used by the dev secret can be configured by setting the JWT_DEV_SECRET_ISSUER environment variable in the docker-compose.yml file.

Does this sound like it will be useful for your needs? Note, this is currently in the PR review stage, and given the time of year, I’m not sure how long it will take to get reviewed/released.

@JonathanKnight if you update your docker-compose.yml to set the akka-serverless-proxy version to 0.8.6, this should now work.
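The difference between the HS256 secret and the none dev secret discussed in the replies above, as an added example that is not part of the original posts and not the proxy's own code. It assumes the key id travels in the token's `kid` header; `mint`, `verify` and the `allow_none` flag are hypothetical names, and the secret and claims are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, alg: str, key_id: str = "dev", secret: bytes = b"") -> str:
    """Build a compact JWT for local testing; alg is "HS256" or "none"."""
    header = {"alg": alg, "typ": "JWT", "kid": key_id}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    if alg == "none":
        return signing_input + "."          # empty signature segment
    if alg != "HS256":
        raise ValueError("unsupported algorithm")
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str, secrets: dict, allow_none: bool = False) -> dict:
    """secrets maps key id -> (algorithm, secret), like the key-id /
    algorithm / secret settings. allow_none models "local run only"."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    configured = secrets.get(header.get("kid"))
    if configured is None:
        raise ValueError("unknown key id")
    alg, secret = configured
    # The algorithm is taken from configuration, never from the token,
    # so an unsigned token cannot downgrade an HS256 key.
    if header.get("alg") != alg:
        raise ValueError("algorithm does not match configured secret")
    if alg == "none":
        if not allow_none or s64:
            raise ValueError("none algorithm not permitted here")
    elif alg == "HS256":
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            raise ValueError("bad signature")
    else:
        raise ValueError("unsupported algorithm")
    return json.loads(b64url_decode(p64))

if __name__ == "__main__":
    token = mint({"iss": "my-issuer", "sub": "alice"}, "HS256", secret=b"your-secret")
    print(token)
    print(verify(token, {"dev": ("HS256", b"your-secret")}))
```
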