Issue validating id_token, unsure if JWKS is in the right encoding

The relevant errors from the system logs are as follows. Do advise where the issue might be, as well as the format and encoding it should be inside the link.

com.saasure.platform.services.idp.exception.IdpAuthenticationException: Could not validate id_token signature

core.user_auth.idp.social.cannot_acquire_access_token

I have configured my JWKS endpoint (https://05f2-129-126-117-109.ngrok-free.app/.well-known/jwks.json) and when accessed, these are the contents:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "n": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1ljhP58S6OWOVlpFhPEEIiVYmtUlSfQ7P-jKoYlU5Sjj1pdr1AbasfJx47IgKLzHHlPCgNMBItUxB2XzEEB1ovImPaDeQS1TTUXfDYvFWFU8tTjixZT1pYWls5egJ2nVgR-QWXzC5eZJbYLxBwgh4d3tMXhzzydWPHhZg7kKbGvNtwGpNtEsJRG3X1bXoVSTulZkq1dd-b4rusQBMlTWEd1UqjmLhwNIAbEFc8UFNn2ZXUYGubLNQG6zOPd4mdFIwpBL0NISHuiG6sjSgC3h1nZGw_0WEqOuR9WTxHh-E2HrKmFCjBWEiMaABL8cPatNLg1xva98LAPCKYl_Y855iwID",
      "e": "AQAB",
      "kid": "0c1c4623-ae68-49bf-9245-c712d0eb2004"
    }
  ]
}

I found the error. The keys above were in the PEM format. I fixed this by simply converting the public numbers into base64url encoded strings instead. The Python code is as follows:

    import base64
    from cryptography.hazmat.primitives.asymmetric import rsa
    def int_to_base64urluint(value):
        # unsigned big-endian bytes of the integer, base64url-encoded without '=' padding
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    generated_private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048
    )
    base64_url_n = int_to_base64urluint(generated_private_key.public_key().public_numbers().n)
    base64_url_e = int_to_base64urluint(generated_private_key.public_key().public_numbers().e)

An example of the resulting page is:

{
    "keys": [
        {
            "alg": "RS256",
            "kty": "RSA",
            "n": "leAfDSh0e-d7UQ9fHTQWs4qMn80LTa3j3I_MTsdc6Vuz8MzYeweWmuw3uQOpKz28_cV8YmudqgPn8fcuKyc6SlSUqoEP5qHqMa0ovofjpNc8ztrTTUA2QL4tTgXkaArmPyuxQif2H_Lcfrb6jsOxHfLNlqZW8Wm6W5LFBM1ZLcno0izRyNbUvvpbKaVKdUM_x480oiyUTv3aVeLyN58FlkfQ-Pk0rdO1j8cW_o0hCmpj8RdAdG6o4AZwuxet9fjl3chik3OFgcCsSSjRO9BFqQt3F6FyvjVR2y6aV7ZPri_oQQHpKE1LCV09ptUTUdJpWosgFig5PFay0DpFvx3XDw",
            "e": "AQAB",
            "kid": "e145170a-7029-4d4a-bc3a-d43a20f5311e"
        }
    ]
}
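As an added example (not code from the original post), here is the Base64urlUInt encoding that RFC 7518 section 6.3.1 requires for the RSA "n" and "e" members, plus a check that tells the broken JWKS quoted above apart from the fixed one; it uses only the standard library, takes the integers that `public_numbers()` would give you, and the names `rsa_jwk_from_numbers` and `jwk_problems` are chosen here.

```python
import base64
import json

def int_to_base64urluint(value: int) -> str:
    """Unsigned big-endian bytes of value, base64url-encoded without '=' padding."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def base64urluint_to_int(text: str) -> int:
    """Inverse of int_to_base64urluint; re-adds the padding base64 needs."""
    return int.from_bytes(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)), "big")

def rsa_jwk_from_numbers(n: int, e: int, kid: str) -> dict:
    """JWK entry in the shape the post publishes (n, e from public_numbers() of an RSA key)."""
    return {"alg": "RS256", "kty": "RSA", "n": int_to_base64urluint(n),
            "e": int_to_base64urluint(e), "kid": kid}

def jwk_problems(jwk: dict) -> list:
    """Reasons an RS256 verifier would reject this JWK; an empty list means it looks sane."""
    problems = []
    for field in ("n", "e"):
        if not jwk.get(field) or any(c in jwk[field] for c in "+/="):
            problems.append(f"{field}: must be unpadded base64url (no '+', '/' or '=')")
    try:
        n_bytes = base64.urlsafe_b64decode(jwk["n"] + "=" * (-len(jwk["n"]) % 4))
    except (ValueError, KeyError):
        return problems + ["n: not decodable as base64url"]
    # A raw 2048-bit modulus has its top bit set (first byte >= 0x80); 0x30 is the ASN.1
    # SEQUENCE tag, i.e. the whole PEM/DER SubjectPublicKeyInfo was encoded, not the modulus.
    if n_bytes[:1] == b"\x30":
        problems.append("n: looks like a DER SubjectPublicKeyInfo, not the raw modulus")
    e = base64urluint_to_int(jwk.get("e", ""))
    if e < 3 or e % 2 == 0:
        problems.append("e: public exponent must be an odd integer > 1 (usually 65537)")
    return problems

# Sample input copied from the post above: the "n" published before the fix and after it.
BROKEN_N = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1ljhP58S6OWOVlpFhPEEIiVYmtUlSfQ7P-jKoYlU5Sjj1pdr1AbasfJx47IgKLzHHlPCgNMBItUxB2XzEEB1ovImPaDeQS1TTUXfDYvFWFU8tTjixZT1pYWls5egJ2nVgR-QWXzC5eZJbYLxBwgh4d3tMXhzzydWPHhZg7kKbGvNtwGpNtEsJRG3X1bXoVSTulZkq1dd-b4rusQBMlTWEd1UqjmLhwNIAbEFc8UFNn2ZXUYGubLNQG6zOPd4mdFIwpBL0NISHuiG6sjSgC3h1nZGw_0WEqOuR9WTxHh-E2HrKmFCjBWEiMaABL8cPatNLg1xva98LAPCKYl_Y855iwID"
FIXED_N = "leAfDSh0e-d7UQ9fHTQWs4qMn80LTa3j3I_MTsdc6Vuz8MzYeweWmuw3uQOpKz28_cV8YmudqgPn8fcuKyc6SlSUqoEP5qHqMa0ovofjpNc8ztrTTUA2QL4tTgXkaArmPyuxQif2H_Lcfrb6jsOxHfLNlqZW8Wm6W5LFBM1ZLcno0izRyNbUvvpbKaVKdUM_x480oiyUTv3aVeLyN58FlkfQ-Pk0rdO1j8cW_o0hCmpj8RdAdG6o4AZwuxet9fjl3chik3OFgcCsSSjRO9BFqQt3F6FyvjVR2y6aV7ZPri_oQQHpKE1LCV09ptUTUdJpWosgFig5PFay0DpFvx3XDw"
BROKEN_JWK = {"alg": "RS256", "kty": "RSA", "n": BROKEN_N, "e": "AQAB",
              "kid": "0c1c4623-ae68-49bf-9245-c712d0eb2004"}
FIXED_JWK = {"alg": "RS256", "kty": "RSA", "n": FIXED_N, "e": "AQAB",
             "kid": "e145170a-7029-4d4a-bc3a-d43a20f5311e"}

if __name__ == "__main__":
    for label, jwk in (("before", BROKEN_JWK), ("after", FIXED_JWK)):
        print(label, jwk_problems(jwk) or "ok")
    rebuilt = rsa_jwk_from_numbers(base64urluint_to_int(FIXED_N), 65537, FIXED_JWK["kid"])
    print(json.dumps({"keys": [rebuilt]}, indent=2))
```

Running it reports the DER problem for the first JWKS and "ok" for the second, and rebuilding the second entry from its integers reproduces the "n" and "e" strings exactly.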
