How to check validity of JWT token in kubernetes

Avatar
Ashish Garg
  • Updated

 

Problem Statement: 

While using Kubernetes Auth Method to authenticate with Vault, errors are often noticed related to JWT tokens. Identifying the root cause and validating the JWT token can be a time-consuming process. Additionally, decoding the JWT token sometimes fails to reveal its expiration time, and there have been instances where JWT tokens have been flagged with an Invalid Signature on https://jwt.io/

 

Solution:

To verify the token's validity, it is necessary to generate a TokenReview resource. Please create the token.yaml file and include the JWT token in the following manner:

kind: TokenReview
apiVersion: authentication.k8s.io/v1
metadata:
   name: test
spec:
   token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkdReVpnWXFsc0lxVjFfM25xbkRHQ2tkZlVHUGtqWnBfbFlFVHBIbFIzYW8ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjg5ODI3MDEwLCJpYXQiOjE2ODk4MjY0MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InNhLXRlc3QiLCJ1aWQiOiJhZjQyZWY1Yy0xOTUyLTQ5OGEtOTEyNy0zYzZhOTc1MTU0OWQifX0sIm5iZiI6MTY4OTgyNjQxMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2EtdGVzdCJ9.mWwnxow3kWJwiBpOkUOB8rQ9W3XapgJ0V3bT5Mfrr6XxAFYIIu_yNvxsIm4qwDjaRt9BKGUTJT_K3Rk7zDdDMj-tREA71I83w5yOAb8-KgdyvTXOF462RgTTMyK4q6aDVeM8dfg3kPOU9cQB5NanV9hh99yJ2tuRzbCMehwyQBKmpFj9IZX-4s6GTtjzwr16LRAIwJIRM2HUYhzZIqRNzJyyNJcs9N0oXCha8ubWrMnEEeooKqeRkkwiUEg0cKxLLBdYOG6_zVSNFPA6Yn4ubkmcvnihRwud8w8I_iOdmkX_G18EBZtWw04zshkqhDvOlAHV_0SFE0nNWnGaM2rwPw

Once the file has been created, proceed to validate the request as indicated below:

#Kindly take note of the flag -o yaml, which will show the output of the kubectl apply command.
root@vaults0:/home/vagrant# kubectl apply -o yaml -f token.yaml
#apiVersion: authentication.k8s.io/v1
 #kind: TokenReview
 #metadata:
 # annotations:
 # kubectl.kubernetes.io/last-applied-configuration: |
 # {"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","metadata":{"annotations":{},"name":"test"},"spec":{"token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IkdReVpnWXFsc0lxVjFfM25xbkRHQ2tkZlVHUGtqWnBfbFlFVHBIbFIzYW8ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjg5ODI3MDEwLCJpYXQiOjE2ODk4MjY0MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InNhLXRlc3QiLCJ1aWQiOiJhZjQyZWY1Yy0xOTUyLTQ5OGEtOTEyNy0zYzZhOTc1MTU0OWQifX0sIm5iZiI6MTY4OTgyNjQxMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2EtdGVzdCJ9.mWwnxow3kWJwiBpOkUOB8rQ9W3XapgJ0V3bT5Mfrr6XxAFYIIu_yNvxsIm4qwDjaRt9BKGUTJT_K3Rk7zDdDMj-tREA71I83w5yOAb8-KgdyvTXOF462RgTTMyK4q6aDVeM8dfg3kPOU9cQB5NanV9hh99yJ2tuRzbCMehwyQBKmpFj9IZX-4s6GTtjzwr16LRAIwJIRM2HUYhzZIqRNzJyyNJcs9N0oXCha8ubWrMnEEeooKqeRkkwiUEg0cKxLLBdYOG6_zVSNFPA6Yn4ubkmcvnihRwud8w8I_iOdmkX_G18EBZtWw04zshkqhDvOlAHV_0SFE0nNWnGaM2rwPw"}}
 # creationTimestamp: null
 # name: test
 #spec:
 # token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkdReVpnWXFsc0lxVjFfM25xbkRHQ2tkZlVHUGtqWnBfbFlFVHBIbFIzYW8ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjg5ODI3MDEwLCJpYXQiOjE2ODk4MjY0MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InNhLXRlc3QiLCJ1aWQiOiJhZjQyZWY1Yy0xOTUyLTQ5OGEtOTEyNy0zYzZhOTc1MTU0OWQifX0sIm5iZiI6MTY4OTgyNjQxMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2EtdGVzdCJ9.mWwnxow3kWJwiBpOkUOB8rQ9W3XapgJ0V3bT5Mfrr6XxAFYIIu_yNvxsIm4qwDjaRt9BKGUTJT_K3Rk7zDdDMj-tREA71I83w5yOAb8-KgdyvTXOF462RgTTMyK4q6aDVeM8dfg3kPOU9cQB5NanV9hh99yJ2tuRzbCMehwyQBKmpFj9IZX-4s6GTtjzwr16LRAIwJIRM2HUYhzZIqRNzJyyNJcs9N0oXCha8ubWrMnEEeooKqeRkkwiUEg0cKxLLBdYOG6_zVSNFPA6Yn4ubkmcvnihRwud8w8I_iOdmkX_G18EBZtWw04zshkqhDvOlAHV_0SFE0nNWnGaM2rwPw
 #status:
 # error: '[invalid bearer token, service account token has expired]'
 # user: {}
root@vaults0:/home/vagrant#

During a test,  an invalid JWT token resulted in the invalid bearer token error within the status stanza.

**Note:-  If a wrong JWT token is passed, for example - enter the above token by deleting some characters from it and notice that it generates a different error message i.e., invalid bearer token, square/go-jose: error in cryptographic primitive.

Conversely, with a valid token, the below response is observed:

#Kindly take note of the flag -o yaml, which will show the output of the kubectl apply command.
root@vaults0:/home/vagrant# kubectl apply -o yaml -f token.yaml
#apiVersion: authentication.k8s.io/v1
 #kind: TokenReview
 #metadata:
 # annotations:
 # kubectl.kubernetes.io/last-applied-configuration: |
 # {"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","metadata":{"annotations":{},"name":"test"},"spec":{"token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IkdReVpnWXFsc0lxVjFfM25xbkRHQ2tkZlVHUGtqWnBfbFlFVHBIbFIzYW8ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjg5ODI3MDEwLCJpYXQiOjE2ODk4MjY0MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InNhLXRlc3QiLCJ1aWQiOiJhZjQyZWY1Yy0xOTUyLTQ5OGEtOTEyNy0zYzZhOTc1MTU0OWQifX0sIm5iZiI6MTY4OTgyNjQxMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2EtdGVzdCJ9.mWwnxow3kWJwiBpOkUOB8rQ9W3XapgJ0V3bT5Mfrr6XxAFYIIu_yNvxsIm4qwDjaRt9BKGUTJT_K3Rk7zDdDMj-tREA71I83w5yOAb8-KgdyvTXOF462RgTTMyK4q6aDVeM8dfg3kPOU9cQB5NanV9hh99yJ2tuRzbCMehwyQBKmpFj9IZX-4s6GTtjzwr16LRAIwJIRM2HUYhzZIqRNzJyyNJcs9N0oXCha8ubWrMnEEeooKqeRkkwiUEg0cKxLLBdYOG6_zVSNFPA6Yn4ubkmcvnihRwud8w8I_iOdmkX_G18EBZtWw04zshkqhDvOlAHV_0SFE0nNWnGaM2rwPw"}}
 # creationTimestamp: null
 # name: test
 #spec:
 # token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkdReVpnWXFsc0lxVjFfM25xbkRHQ2tkZlVHUGtqWnBfbFlFVHBIbFIzYW8ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjg5ODI3MDEwLCJpYXQiOjE2ODk4MjY0MTAsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwic2VydmljZWFjY291bnQiOnsibmFtZSI6InNhLXRlc3QiLCJ1aWQiOiJhZjQyZWY1Yy0xOTUyLTQ5OGEtOTEyNy0zYzZhOTc1MTU0OWQifX0sIm5iZiI6MTY4OTgyNjQxMCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2EtdGVzdCJ9.mWwnxow3kWJwiBpOkUOB8rQ9W3XapgJ0V3bT5Mfrr6XxAFYIIu_yNvxsIm4qwDjaRt9BKGUTJT_K3Rk7zDdDMj-tREA71I83w5yOAb8-KgdyvTXOF462RgTTMyK4q6aDVeM8dfg3kPOU9cQB5NanV9hh99yJ2tuRzbCMehwyQBKmpFj9IZX-4s6GTtjzwr16LRAIwJIRM2HUYhzZIqRNzJyyNJcs9N0oXCha8ubWrMnEEeooKqeRkkwiUEg0cKxLLBdYOG6_zVSNFPA6Yn4ubkmcvnihRwud8w8I_iOdmkX_G18EBZtWw04zshkqhDvOlAHV_0SFE0nNWnGaM2rwPw
 #status:
 # audiences:
 # - https://kubernetes.default.svc.cluster.local
 # authenticated: true
 # user:
 # groups:
 # - system:serviceaccounts
 # - system:serviceaccounts:default
 # - system:authenticated
 # uid: af42ef5c-1952-498a-9127-3c6a9751549d
 # username: system:serviceaccount:default:sa-test
root@vaults0:/home/vagrant#

When dealing with a valid JWT token, the status indicates a successful authentication with the result as authenticated: truewhich ensures the validity of the JWT token.

 

References:

 

Articles in this section

See more

Related articles