I have an application that has a Next.js web app backed by a Go (Echo server) backend service.
From the UI/browser, when the API call goes Browser → Next.js web app → Go backend service, I can extract the access_token and id_token from the session in the web app and pass them in the Authorization header when making the call to my Go backend service. This works fine.
But when the API call goes from the UI/browser directly to my Go backend service, Browser → Go backend service, the backend service doesn't get the Authorization header and instead gets an encrypted cookie that has an "appSession" property, something like this:
[Next-Locale=en appSession=eyJhbGciOiJkaXIi<……>YxN30…gYfzF8D6fWw<……>k2zimuwvUg.VmXY<….>unzw]
My question is: how do I decrypt/parse (or somehow use) this cookie to get the access_token and id_token, or use this cookie somehow to call the /userinfo or /oauth/token endpoints in Auth0?
I tried something in Go to decrypt the cookie, trying to reverse engineer the way I think it gets encrypted in the nextjs-auth0 library:
```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"

	"github.com/go-jose/go-jose/v3"
	"golang.org/x/crypto/hkdf"
)

func main() {
	// Define your initial keying material (IKM) and salt.
	// XXX is the AUTH0_SECRET from my .env file, set up the way they suggest here:
	// https://auth0.com/docs/quickstart/webapp/nextjs/01-login#configure-the-sdk
	ikm := []byte("XXX")
	salt := []byte("")

	// Create a new HKDF instance with SHA-256 as the hash function.
	// nextjs-auth0 derives the cookie encryption key with the info string "JWE CEK";
	// any other info string (for example "JWE CKE") derives a different key, and
	// Decrypt then fails with "error in cryptographic primitive".
	hkdfReader := hkdf.New(sha256.New, ikm, salt, []byte("JWE CEK"))

	// Derive a key of length 32 bytes (the A256GCM content encryption key).
	key := make([]byte, 32)
	if _, err := io.ReadFull(hkdfReader, key); err != nil {
		panic(err)
	}
	fmt.Printf("Derived key: %x\n", key)

	// appSession value from the cookie: a compact JWE with alg "dir".
	jweRaw := "eyJhbGciOiJkaXIi<……>YxN30…gYfzF8D6fWw<...>k2zimuwvUg.VmXY<….>unzw"
	jwe, err := jose.ParseEncrypted(jweRaw)
	if err != nil {
		panic(fmt.Errorf("failed to parse jweRaw: %w", err))
	}

	// With alg "dir" the derived key is used directly as the content encryption key.
	decrypted, err := jwe.Decrypt(key)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(decrypted))
}
```
But with this I get the following error when trying to "Decrypt":
panic: go-jose/go-jose: error in cryptographic primitive
Hi, could someone from Auth0 support please help take a look at this? Thanks
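As an added illustration (not code from the question above or from nextjs-auth0 itself), the same two steps done with only the Go standard library so that the key derivation and the compact-JWE layout are visible rather than hidden behind go-jose: `deriveCEK` and `openDirJWE` are my names, the secret and sample payload are constructed, and the assumption is that the cookie is a compact JWE with alg "dir" and enc "A256GCM" keyed by HKDF-SHA256 over AUTH0_SECRET with info "JWE CEK".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWE segments are unpadded base64url

// deriveCEK mirrors the nextjs-auth0 derivation: HKDF-SHA256 with ikm = AUTH0_SECRET,
// an empty salt (HKDF substitutes HashLen zero bytes) and info = "JWE CEK". 32 bytes
// is one HMAC output, so HKDF-Expand is the single step T(1) = HMAC(PRK, info || 0x01).
func deriveCEK(secret, info string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write([]byte(secret))
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with the PRK
	expand.Write(append([]byte(info), 0x01))
	return expand.Sum(nil)
}

// openDirJWE decrypts a compact JWE (header..iv.ciphertext.tag) using alg "dir" and
// enc "A256GCM", the layout of the appSession cookie. A key derived with any other
// info string fails the GCM tag check, which go-jose reports as "error in cryptographic primitive".
func openDirJWE(key []byte, compact string) ([]byte, error) {
	p := strings.Split(compact, ".")
	if len(p) != 5 || p[1] != "" { // alg "dir" has an empty encrypted-key segment
		return nil, errors.New("not a compact JWE using alg dir")
	}
	iv, errIV := b64.DecodeString(p[2])
	ct, errCT := b64.DecodeString(p[3])
	tag, errTag := b64.DecodeString(p[4])
	if errIV != nil || errCT != nil || errTag != nil {
		return nil, errors.New("malformed base64url segment in JWE")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// The ASCII protected header is the AAD; Go's GCM expects ciphertext||tag.
	return gcm.Open(nil, iv, append(ct, tag...), []byte(p[0]))
}
```

Decrypting the cookie this way ties the Go service to AUTH0_SECRET and to the nextjs-auth0 session layout, so a secret rotation or library upgrade on the Next.js side breaks the Go side, and a wrong key surfaces only as a failed GCM tag check.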