Trying to sign a JWT using RS256, but keep getting errors

[pingvinen]

Hi

I am new to using Jose and I have stumbled into something where I seem to be missing something.

I am trying to generate a signed JWT using an RSA key. Currently I do not care about the protected header.

I have tried to follow the example from https://github.com/panva/jose/blob/bd1b7c48125cda7570cc05a6998885bea73e72a5/docs/classes/_jwt_sign_.signjwt.md but I keep getting errors thrown from the library.

I have managed to make a little self-contained script showing the 2 versions I have tried so far that includes the actual key generation.

I am using version 3.5.4.

const { default: generateKeyPair } = require('jose/util/generate_key_pair')
const { default: fromKeyLike } = require('jose/jwk/from_key_like')
const { default: SignJWT } = require('jose/jwt/sign')

async function doItAll() {
    const payload = {
        some: 'thing'
    }

    const { publicKey, privateKey } = await generateKeyPair('RS256', { modulusLength: 4096 });

    const privateJwk = await fromKeyLike(privateKey);
    privateJwk.use = 'sig';
    privateJwk.kid = 'mySuperAwesomeKey';

    const signingKey = privateJwk;

    //
    // first attempt _WITH_ protected header
    //
    try {
        await new SignJWT(payload)
            .setProtectedHeader({ alg: 'RS256' })
            .setIssuedAt()
            .setIssuer('urn:example:issuer')
            .setAudience('urn:example:audience')
            .setExpirationTime('2h')
            .sign(signingKey);
    } catch (err) {
        // TypeError: invalid key type or asymmetric key type for this operation
        console.error(err);
    }



    //
    // second attempt _WITHOUT_ protected header
    //
    try {
        await new SignJWT(payload)
            .setIssuedAt()
            .setIssuer('urn:example:issuer')
            .setAudience('urn:example:audience')
            .setExpirationTime('2h')
            .sign(signingKey);
    } catch (err) {
        // TypeError: Cannot read property 'crit' of undefined
        // the undefined "thing" seems to be the protected header
        console.error(err);
    }
}

doItAll()
    .then(() => {
        console.log('done');
    })
    .catch(err => {
        console.error(err);
    });

Can anyone see what I am missing?

[panva]

Your first attempt with a protected header is correct. One must be present. Your problem is that you're passing a JWK object to .sign() where you should be passing the KeyLike key object representation (privateKey variable in your code).

[pingvinen]

Thank you. Trying that never occurred to me as I was sort of assuming that most things work with JWKs.

[panva]

https://github.com/panva/jose/blob/bd1b7c48125cda7570cc05a6998885bea73e72a5/docs/classes/_jwt_sign_.signjwt.md#sign > KeyLike link, pretty clear about the types.