I was trying to use Emulate to verify a GitHub App installation token flow, but `POST /app/installations/:installation_id/access_tokens` was failing with `A JSON web token could not be decoded` for what I believe is a valid App JWT.
I believe the issue is that the seeded PKCS#8 private key is passed directly to `jwtVerify` here (`emulate/packages/@emulators/core/src/middleware/auth.ts`, lines 85 to 86 in 6f1175c):

```ts
const key = await importPKCS8(appInfo.privateKey, "RS256");
await jwtVerify(token, key, { algorithms: ["RS256"] });
```
For asymmetric JWS algorithms, jose documents that the private key signs and the public key verifies: panva/jose#210 (comment)
I have a proposed fix with regression coverage here: sidpalas#1
I wanted to raise the issue first to verify that my understanding is correct before opening a PR against upstream.