
Get Certificate in Rules

rules
redirect-rules
certificate
rule
redirect

#1

I’m looking into redirecting a user after a social signup to an external page with a Token, validating the token using a RS256 signed certificate, adding additional user information and redirecting him to the /continue signup URL.

My problem is that I cannot add my PEM certificate when creating the rule. (I need to use the RS256 signing system).

The error I get is:
error:0906D06C:PEM routines:PEM_read_bio:no start line

I found a post where a user replaces all the line endings in the PEM file by a special token and reparses the cert. I don’t think this is a good way to go. Does anyone know how I can retrieve the private cert in a rule?

EDIT:

my rule looks like this ATM:

        function (user, context, callback) {
            // jsonwebtoken is available to rules via require()
            var jwt = require('jsonwebtoken');

            var options = {
                algorithm: 'RS256',
                expiresIn: "5m",
                audience: configuration.CLIENT_ID,
                issuer: configuration.ISSUER
            };

            // With a callback, jwt.sign returns nothing; the signed token
            // arrives as the callback's second argument.
            jwt.sign({
                    sub: user.user_id,
                    email: user.email
                },
                configuration.CLIENT_SECRET,   // should be the RS256 private key (PEM)
                options,
                function(err, token) {
                    if (err) {
                        console.log(err);
                        return callback(new UnauthorizedError("Error"));
                    }
                    // Send the user to the external page; it later returns to /continue
                    context.redirect = {
                        url: "http://localhost:8020/signup?token=" + token
                    };
                    return callback(null, user, context);
                }
            );
        }

But the CLIENT_SECRET should be replaced with the Certificate.


#2

I never actually tried something like that, but based on your description the issue is with having configuration entries that may contain line breaks and to my knowledge that’s not supported.

The above means there will always need to be some intermediate encoding that satisfies the requirements of configuration keys and that can be decoded before consumption within the rule. A practical example of this procedure would be the one you described of replacing line breaks with a known token that cannot be present in the rest of the data. To be honest, I would also not do something so custom, but have you ruled out using a more standard method of encoding, for example, just using Base64 to encode and decode the whole thing?


#3

Worth noting that it seems Auth0 should support this by replacing the new lines with ‘\n’ tokens, as discussed in this example rule: https://auth0.com/rules/google-service-account-token

It says:

KEY: the string representation of the key (open the PEM and replace enters with \n to make it one line)

Which is then used as the signing PEM key. I’ve tried this myself, but the ‘\n’ tokens don’t get interpreted as new lines, instead literally as ‘\’ and ‘n’.

