Moved commit "Fix HMAC secret key loading for OAuth 2.0 token exchange config" from ydb repo

Author: UgnineSirdis

src/client/types/credentials/oauth2_token_exchange/CMakeLists.txt

@@ -9,6 +9,7 @@ target_link_libraries(client-ydb_types-credentials-oauth2
     http-simple
     json
     retry
+    string_utils-base64
     uri
     client-ydb_types-credentials
     client-ydb_types

src/client/types/credentials/oauth2_token_exchange/from_file.cpp

@@ -3,8 +3,8 @@
 #include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/jwt_token_source.h>
 
 #include <library/cpp/json/json_reader.h>
+#include <src/library/string_utils/base64/base64.h>
 
-#include <util/generic/map.h>
 #include <util/stream/file.h>
 #include <util/string/builder.h>
 #include <util/string/cast.h>
@@ -32,13 +32,45 @@ void ApplyAsymmetricAlg(TJwtTokenSourceParams* params, const std::string& privat
     params->SigningAlgorithm<TAlg>(std::string{}, privateKey);
 }
 
+size_t Base64OutputLen(std::string_view input) {
+    while (!input.empty() && (input.back() == '=' || input.back() == ',')) { // padding
+        input.remove_suffix(1);
+    }
+    const size_t inputLen = input.size();
+    const size_t tailEncoded = inputLen % 4;
+    if (tailEncoded == 1) {
+        throw std::runtime_error(TStringBuilder() << "invalid Base64 encoded data size: " << input.size());
+    }
+    const size_t mainSize = (inputLen / 4) * 3;
+    size_t tailSize = 0;
+    switch (tailEncoded) {
+        case 2: // 12 bit => 1 byte
+            tailSize = 1;
+            break;
+        case 3: // 18 bits -> 2 bytes
+            tailSize = 2;
+            break;
+    }
+    return mainSize + tailSize;
+}
+
 template <class TAlg>
 void ApplyHmacAlg(TJwtTokenSourceParams* params, const std::string& key) {
+    // HMAC keys are encoded in base64 encoding
+    const size_t base64OutputSize = Base64OutputLen(key); // throws
+    std::string binaryKey;
+    binaryKey.resize(Base64DecodeBufSize(key.size()));
+    // allows strings without padding
+    const size_t decodedBytes = Base64DecodeUneven(const_cast<char*>(binaryKey.data()), key);
+    if (decodedBytes != base64OutputSize) {
+        throw std::runtime_error("failed to decode HMAC secret from Base64");
+    }
+    binaryKey.resize(decodedBytes);
     // Alg with first param as key
-    params->SigningAlgorithm<TAlg>(key);
+    params->SigningAlgorithm<TAlg>(binaryKey);
 }
 
-const TMap<std::string, void(*)(TJwtTokenSourceParams*, const std::string& privateKey), TLessNoCase> JwtAlgorithmsFactory = {
+const std::map<std::string, void(*)(TJwtTokenSourceParams*, const std::string& privateKey), TLessNoCase> JwtAlgorithmsFactory = {
     {"RS256", &ApplyAsymmetricAlg<jwt::algorithm::rs256>},
     {"RS384", &ApplyAsymmetricAlg<jwt::algorithm::rs384>},
     {"RS512", &ApplyAsymmetricAlg<jwt::algorithm::rs512>},

tests/unit/client/oauth2_token_exchange/CMakeLists.txt

@@ -7,6 +7,7 @@ add_ydb_test(NAME client-oauth2_ut
     cpp-testing-unittest_main
     http-server
     json
+    string_utils-base64
     client-ydb_types-credentials-oauth2
   LABELS
     unit

tests/unit/client/oauth2_token_exchange/credentials_ut.cpp

@@ -2,6 +2,8 @@
 #include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/from_file.h>
 #include "jwt_check_helper.h"
 
+#include <src/library/string_utils/base64/base64.h>
+
 #include <library/cpp/cgiparam/cgiparam.h>
 #include <library/cpp/http/misc/parsed_request.h>
 #include <library/cpp/http/server/http.h>
@@ -16,8 +18,11 @@
 
 using namespace NYdb;
 
-extern const std::string TestPrivateKeyContent;
-extern const std::string TestPublicKeyContent;
+extern const std::string TestRSAPrivateKeyContent;
+extern const std::string TestRSAPublicKeyContent;
+extern const std::string TestECPrivateKeyContent;
+extern const std::string TestECPublicKeyContent;
+extern const std::string TestHMACSecretKeyBase64Content;
 
 class TTestTokenExchangeServer: public THttpServer::ICallBack {
 public:
@@ -33,7 +38,7 @@ class TTestTokenExchangeServer: public THttpServer::ICallBack {
         std::optional<TJwtCheck> ActorJwtCheck;
 
         void Check() {
-            UNIT_ASSERT(InputParams || !ExpectRequest);
+            UNIT_ASSERT_C(InputParams || !ExpectRequest, "Request error: " << Error);
             if (InputParams) {
                 if (SubjectJwtCheck || ActorJwtCheck) {
                     TCgiParameters inputParamsCopy = *InputParams;
@@ -976,7 +981,7 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
             .Subject("test_sub")
             .Audience("test_aud")
             .Id("test_jti")
-            .Alg<jwt::algorithm::rs384>(TestPublicKeyContent);
+            .Alg<jwt::algorithm::rs384>(TestRSAPublicKeyContent);
         server.Check.ActorJwtCheck.emplace()
             .AppendAudience("a1")
             .AppendAudience("a2");
@@ -993,7 +998,7 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
                     .Field("aud", "test_aud")
                     .Field("jti", "test_jti")
                     .Field("alg", "rs384")
-                    .Field("private-key", TestPrivateKeyContent)
+                    .Field("private-key", TestRSAPrivateKeyContent)
                     .Field("unknown", "unknown value")
                     .Build()
                 .SubMap("actor-credentials")
@@ -1003,7 +1008,33 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
                         .Value("a2")
                         .Build()
                     .Field("alg", "RS256")
-                    .Field("private-key", TestPrivateKeyContent)
+                    .Field("private-key", TestRSAPrivateKeyContent)
+                    .Build()
+                .Build(),
+            "Bearer received_token"
+        );
+
+        // Other signing methods
+        server.Check.SubjectJwtCheck.emplace()
+            .Id("jti")
+            .Alg<jwt::algorithm::hs384>(Base64Decode(TestHMACSecretKeyBase64Content));
+        server.Check.ActorJwtCheck.emplace()
+            .Alg<jwt::algorithm::es256>(TestECPublicKeyContent)
+            .Issuer("iss");
+        server.RunFromConfig(
+            TTestConfigFile()
+                .Field("token-endpoint", server.GetEndpoint())
+                .SubMap("subject-credentials")
+                    .Field("type", "jwt")
+                    .Field("jti", "jti")
+                    .Field("alg", "HS384")
+                    .Field("private-key", TestHMACSecretKeyBase64Content)
+                    .Build()
+                .SubMap("actor-credentials")
+                    .Field("type", "JWT")
+                    .Field("alg", "ES256")
+                    .Field("private-key", TestECPrivateKeyContent)
+                    .Field("iss", "iss")
                     .Build()
                 .Build(),
             "Bearer received_token"
@@ -1089,7 +1120,7 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
                 .Field("token-endpoint", server.GetEndpoint())
                 .SubMap("subject-credentials")
                     .Field("type", "jwt")
-                    .Field("private-key", TestPrivateKeyContent)
+                    .Field("private-key", TestRSAPrivateKeyContent)
                     .Build()
                 .Build()
         );
@@ -1112,7 +1143,7 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
                 .SubMap("subject-credentials")
                     .Field("type", "jwt")
                     .Field("alg", "rs256")
-                    .Field("private-key", TestPrivateKeyContent)
+                    .Field("private-key", TestRSAPrivateKeyContent)
                     .Field("ttl", "-1s")
                     .Build()
                 .Build()
@@ -1125,7 +1156,7 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
                 .SubMap("subject-credentials")
                     .Field("type", "jwt")
                     .Field("alg", "algorithm")
-                    .Field("private-key", TestPrivateKeyContent)
+                    .Field("private-key", TestRSAPrivateKeyContent)
                     .Build()
                 .Build()
         );
@@ -1145,6 +1176,50 @@ Y_UNIT_TEST_SUITE(TestTokenExchange) {
                 .Build()
         );
 
+        server.Check.ExpectedErrorPart = "failed to decode HMAC secret from Base64";
+        server.RunFromConfig(
+            TTestConfigFile()
+                .Field("token-endpoint", server.GetEndpoint())
+                .SubMap("subject-credentials")
+                    .Field("type", "jwt")
+                    .Field("alg", "hs256")
+                    .Field("private-key", "\n<not a base64>\n")
+                    .Build()
+                .Build()
+        );
+
+#ifdef YDB_SDK_USE_NEW_JWT
+        server.Check.ExpectedErrorPart = "invalid key size";
+#else
+        server.Check.ExpectedErrorPart = "failed to load private key";
+#endif
+        server.RunFromConfig(
+            TTestConfigFile()
+                .Field("token-endpoint", server.GetEndpoint())
+                .SubMap("subject-credentials")
+                    .Field("type", "jwt")
+                    .Field("alg", "es256")
+                    .Field("private-key", TestRSAPrivateKeyContent) // Need EC key
+                    .Build()
+                .Build()
+        );
+
+#ifdef YDB_SDK_USE_NEW_JWT
+        server.Check.ExpectedErrorPart = "failed to load key";
+#else
+        server.Check.ExpectedErrorPart = "failed to load private key";
+#endif
+        server.RunFromConfig(
+            TTestConfigFile()
+                .Field("token-endpoint", server.GetEndpoint())
+                .SubMap("subject-credentials")
+                    .Field("type", "jwt")
+                    .Field("alg", "ps512")
+                    .Field("private-key", TestHMACSecretKeyBase64Content) // Need RSA key
+                    .Build()
+                .Build()
+        );
+
         server.Check.ExpectedErrorPart = "Not a map";
         server.RunFromConfig(
             TTestConfigFile()

tests/unit/client/oauth2_token_exchange/jwt_check_helper.h

@@ -3,8 +3,8 @@
 
 #include <jwt-cpp/jwt.h>
 
-extern const std::string TestPrivateKeyContent;
-extern const std::string TestPublicKeyContent;
+extern const std::string TestRSAPrivateKeyContent;
+extern const std::string TestRSAPublicKeyContent;
 
 struct TJwtCheck {
     using TSelf = TJwtCheck;
@@ -45,10 +45,10 @@ struct TJwtCheck {
 
     template <class TAlg>
     TSelf& Alg(const std::string& publicKey) {
-        Alg_.Reset(new TAlgCheck<TAlg>(publicKey));
+        Alg_.reset(new TAlgCheck<TAlg>(publicKey));
         return *this;
     }
-    THolder<IAlgCheck> Alg_ = MakeHolder<TAlgCheck<jwt::algorithm::rs256>>(TestPublicKeyContent);
+    std::unique_ptr<IAlgCheck> Alg_ = std::make_unique<TAlgCheck<jwt::algorithm::rs256>>(TestRSAPublicKeyContent);
 
     FLUENT_SETTING_OPTIONAL(std::string, KeyId);
 

tests/unit/client/oauth2_token_exchange/jwt_token_source_ut.cpp

@@ -7,15 +7,18 @@
 
 using namespace NYdb;
 
-extern const std::string TestPrivateKeyContent = "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC75/JS3rMcLJxv\nFgpOzF5+2gH+Yig3RE2MTl9uwC0BZKAv6foYr7xywQyWIK+W1cBhz8R4LfFmZo2j\nM0aCvdRmNBdW0EDSTnHLxCsFhoQWLVq+bI5f5jzkcoiioUtaEpADPqwgVULVtN/n\nnPJiZ6/dU30C3jmR6+LUgEntUtWt3eq3xQIn5lG3zC1klBY/HxtfH5Hu8xBvwRQT\nJnh3UpPLj8XwSmriDgdrhR7o6umWyVuGrMKlLHmeivlfzjYtfzO1MOIMG8t2/zxG\nR+xb4Vwks73sH1KruH/0/JMXU97npwpe+Um+uXhpldPygGErEia7abyZB2gMpXqr\nWYKMo02NAgMBAAECggEAO0BpC5OYw/4XN/optu4/r91bupTGHKNHlsIR2rDzoBhU\nYLd1evpTQJY6O07EP5pYZx9mUwUdtU4KRJeDGO/1/WJYp7HUdtxwirHpZP0lQn77\nuccuX/QQaHLrPekBgz4ONk+5ZBqukAfQgM7fKYOLk41jgpeDbM2Ggb6QUSsJISEp\nzrwpI/nNT/wn+Hvx4DxrzWU6wF+P8kl77UwPYlTA7GsT+T7eKGVH8xsxmK8pt6lg\nsvlBA5XosWBWUCGLgcBkAY5e4ZWbkdd183o+oMo78id6C+PQPE66PLDtHWfpRRmN\nm6XC03x6NVhnfvfozoWnmS4+e4qj4F/emCHvn0GMywKBgQDLXlj7YPFVXxZpUvg/\nrheVcCTGbNmQJ+4cZXx87huqwqKgkmtOyeWsRc7zYInYgraDrtCuDBCfP//ZzOh0\nLxepYLTPk5eNn/GT+VVrqsy35Ccr60g7Lp/bzb1WxyhcLbo0KX7/6jl0lP+VKtdv\nmto+4mbSBXSM1Y5BVVoVgJ3T/wKBgQDsiSvPRzVi5TTj13x67PFymTMx3HCe2WzH\nJUyepCmVhTm482zW95pv6raDr5CTO6OYpHtc5sTTRhVYEZoEYFTM9Vw8faBtluWG\nBjkRh4cIpoIARMn74YZKj0C/0vdX7SHdyBOU3bgRPHg08Hwu3xReqT1kEPSI/B2V\n4pe5fVrucwKBgQCNFgUxUA3dJjyMES18MDDYUZaRug4tfiYouRdmLGIxUxozv6CG\nZnbZzwxFt+GpvPUV4f+P33rgoCvFU+yoPctyjE6j+0aW0DFucPmb2kBwCu5J/856\nkFwCx3blbwFHAco+SdN7g2kcwgmV2MTg/lMOcU7XwUUcN0Obe7UlWbckzQKBgQDQ\nnXaXHL24GGFaZe4y2JFmujmNy1dEsoye44W9ERpf9h1fwsoGmmCKPp90az5+rIXw\nFXl8CUgk8lXW08db/r4r+ma8Lyx0GzcZyplAnaB5/6j+pazjSxfO4KOBy4Y89Tb+\nTP0AOcCi6ws13bgY+sUTa/5qKA4UVw+c5zlb7nRpgwKBgGXAXhenFw1666482iiN\ncHSgwc4ZHa1oL6aNJR1XWH+aboBSwR+feKHUPeT4jHgzRGo/aCNHD2FE5I8eBv33\nof1kWYjAO0YdzeKrW0rTwfvt9gGg+CS397aWu4cy+mTI+MNfBgeDAIVBeJOJXLlX\nhL8bFAuNNVrCOp79TNnNIsh7\n-----END PRIVATE KEY-----\n";
-extern const std::string TestPublicKeyContent = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+fyUt6zHCycbxYKTsxe\nftoB/mIoN0RNjE5fbsAtAWSgL+n6GK+8csEMliCvltXAYc/EeC3xZmaNozNGgr3U\nZjQXVtBA0k5xy8QrBYaEFi1avmyOX+Y85HKIoqFLWhKQAz6sIFVC1bTf55zyYmev\n3VN9At45kevi1IBJ7VLVrd3qt8UCJ+ZRt8wtZJQWPx8bXx+R7vMQb8EUEyZ4d1KT\ny4/F8Epq4g4Ha4Ue6OrplslbhqzCpSx5nor5X842LX8ztTDiDBvLdv88RkfsW+Fc\nJLO97B9Sq7h/9PyTF1Pe56cKXvlJvrl4aZXT8oBhKxImu2m8mQdoDKV6q1mCjKNN\njQIDAQAB\n-----END PUBLIC KEY-----\n";
+extern const std::string TestRSAPrivateKeyContent = "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC75/JS3rMcLJxv\nFgpOzF5+2gH+Yig3RE2MTl9uwC0BZKAv6foYr7xywQyWIK+W1cBhz8R4LfFmZo2j\nM0aCvdRmNBdW0EDSTnHLxCsFhoQWLVq+bI5f5jzkcoiioUtaEpADPqwgVULVtN/n\nnPJiZ6/dU30C3jmR6+LUgEntUtWt3eq3xQIn5lG3zC1klBY/HxtfH5Hu8xBvwRQT\nJnh3UpPLj8XwSmriDgdrhR7o6umWyVuGrMKlLHmeivlfzjYtfzO1MOIMG8t2/zxG\nR+xb4Vwks73sH1KruH/0/JMXU97npwpe+Um+uXhpldPygGErEia7abyZB2gMpXqr\nWYKMo02NAgMBAAECggEAO0BpC5OYw/4XN/optu4/r91bupTGHKNHlsIR2rDzoBhU\nYLd1evpTQJY6O07EP5pYZx9mUwUdtU4KRJeDGO/1/WJYp7HUdtxwirHpZP0lQn77\nuccuX/QQaHLrPekBgz4ONk+5ZBqukAfQgM7fKYOLk41jgpeDbM2Ggb6QUSsJISEp\nzrwpI/nNT/wn+Hvx4DxrzWU6wF+P8kl77UwPYlTA7GsT+T7eKGVH8xsxmK8pt6lg\nsvlBA5XosWBWUCGLgcBkAY5e4ZWbkdd183o+oMo78id6C+PQPE66PLDtHWfpRRmN\nm6XC03x6NVhnfvfozoWnmS4+e4qj4F/emCHvn0GMywKBgQDLXlj7YPFVXxZpUvg/\nrheVcCTGbNmQJ+4cZXx87huqwqKgkmtOyeWsRc7zYInYgraDrtCuDBCfP//ZzOh0\nLxepYLTPk5eNn/GT+VVrqsy35Ccr60g7Lp/bzb1WxyhcLbo0KX7/6jl0lP+VKtdv\nmto+4mbSBXSM1Y5BVVoVgJ3T/wKBgQDsiSvPRzVi5TTj13x67PFymTMx3HCe2WzH\nJUyepCmVhTm482zW95pv6raDr5CTO6OYpHtc5sTTRhVYEZoEYFTM9Vw8faBtluWG\nBjkRh4cIpoIARMn74YZKj0C/0vdX7SHdyBOU3bgRPHg08Hwu3xReqT1kEPSI/B2V\n4pe5fVrucwKBgQCNFgUxUA3dJjyMES18MDDYUZaRug4tfiYouRdmLGIxUxozv6CG\nZnbZzwxFt+GpvPUV4f+P33rgoCvFU+yoPctyjE6j+0aW0DFucPmb2kBwCu5J/856\nkFwCx3blbwFHAco+SdN7g2kcwgmV2MTg/lMOcU7XwUUcN0Obe7UlWbckzQKBgQDQ\nnXaXHL24GGFaZe4y2JFmujmNy1dEsoye44W9ERpf9h1fwsoGmmCKPp90az5+rIXw\nFXl8CUgk8lXW08db/r4r+ma8Lyx0GzcZyplAnaB5/6j+pazjSxfO4KOBy4Y89Tb+\nTP0AOcCi6ws13bgY+sUTa/5qKA4UVw+c5zlb7nRpgwKBgGXAXhenFw1666482iiN\ncHSgwc4ZHa1oL6aNJR1XWH+aboBSwR+feKHUPeT4jHgzRGo/aCNHD2FE5I8eBv33\nof1kWYjAO0YdzeKrW0rTwfvt9gGg+CS397aWu4cy+mTI+MNfBgeDAIVBeJOJXLlX\nhL8bFAuNNVrCOp79TNnNIsh7\n-----END PRIVATE KEY-----\n";
+extern const std::string TestRSAPublicKeyContent = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+fyUt6zHCycbxYKTsxe\nftoB/mIoN0RNjE5fbsAtAWSgL+n6GK+8csEMliCvltXAYc/EeC3xZmaNozNGgr3U\nZjQXVtBA0k5xy8QrBYaEFi1avmyOX+Y85HKIoqFLWhKQAz6sIFVC1bTf55zyYmev\n3VN9At45kevi1IBJ7VLVrd3qt8UCJ+ZRt8wtZJQWPx8bXx+R7vMQb8EUEyZ4d1KT\ny4/F8Epq4g4Ha4Ue6OrplslbhqzCpSx5nor5X842LX8ztTDiDBvLdv88RkfsW+Fc\nJLO97B9Sq7h/9PyTF1Pe56cKXvlJvrl4aZXT8oBhKxImu2m8mQdoDKV6q1mCjKNN\njQIDAQAB\n-----END PUBLIC KEY-----\n";
+extern const std::string TestECPrivateKeyContent = "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIB6fv25gf7P/7fkjW/2kcKICUhHeOygkFeUJ/ylyU3hloAoGCCqGSM49\nAwEHoUQDQgAEvkKy92hpLiT0GEpzFkYBEWWnkAGTTA6141H0oInA9X30eS0RObAa\nmVY8yD39NI7Nj03hBxEa4Z0tOhrq9cW8eg==\n-----END EC PRIVATE KEY-----\n";
+extern const std::string TestECPublicKeyContent = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvkKy92hpLiT0GEpzFkYBEWWnkAGT\nTA6141H0oInA9X30eS0RObAamVY8yD39NI7Nj03hBxEa4Z0tOhrq9cW8eg==\n-----END PUBLIC KEY-----\n";
+extern const std::string TestHMACSecretKeyBase64Content = "VGhlIHdvcmxkIGhhcyBjaGFuZ2VkLgpJIHNlZSBpdCBpbiB0aGUgd2F0ZXIuCkkgZmVlbCBpdCBpbiB0aGUgRWFydGguCkkgc21lbGwgaXQgaW4gdGhlIGFpci4KTXVjaCB0aGF0IG9uY2Ugd2FzIGlzIGxvc3QsCkZvciBub25lIG5vdyBsaXZlIHdobyByZW1lbWJlciBpdC4K";
 
 Y_UNIT_TEST_SUITE(JwtTokenSourceTest) {
     Y_UNIT_TEST(Encodes) {
         auto source = CreateJwtTokenSource(
             TJwtTokenSourceParams()
                 .KeyId("test_key_id")
-                .SigningAlgorithm<jwt::algorithm::rs256>("", TestPrivateKeyContent)
+                .SigningAlgorithm<jwt::algorithm::rs256>("", TestRSAPrivateKeyContent)
                 .Issuer("test_issuer")
                 .Subject("test_subject")
                 .Audience("test_audience")
@@ -45,13 +48,13 @@ Y_UNIT_TEST_SUITE(JwtTokenSourceTest) {
         UNIT_ASSERT_EXCEPTION_CONTAINS(CreateJwtTokenSource(
             TJwtTokenSourceParams()
                 .KeyId("test_key_id")
-                .SigningAlgorithm<jwt::algorithm::rs256>("", TestPrivateKeyContent)
+                .SigningAlgorithm<jwt::algorithm::rs256>("", TestRSAPrivateKeyContent)
                 .TokenTtl(TDuration::Zero())
         ), std::invalid_argument, "token TTL must be positive");
 
         UNIT_ASSERT_EXCEPTION_CONTAINS(CreateJwtTokenSource(
             TJwtTokenSourceParams()
-                .SigningAlgorithm<jwt::algorithm::rs256>("", TestPrivateKeyContent)
+                .SigningAlgorithm<jwt::algorithm::rs256>("", TestRSAPrivateKeyContent)
                 .AppendAudience("aud")
                 .AppendAudience("aud2")
                 .AppendAudience("")