Issue validating id_token, unsure if JWKS is in the right encoding

desmond · June 7, 2024, 8:18am

The relevant errors from the system logs are as follows. Do advise where the issue might be, as well as the format and encoding it should be inside the link.

com.saasure.platform.services.idp.exception.IdpAuthenticationException: Could not validate id_token signature

core.user_auth.idp.social.cannot_acquire_access_token

I have configured my JWKS endpoint (https://05f2-129-126-117-109.ngrok-free.app/.well-known/jwks.json) and when accessed, these are the contents:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "n": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1ljhP58S6OWOVlpFhPEEIiVYmtUlSfQ7P-jKoYlU5Sjj1pdr1AbasfJx47IgKLzHHlPCgNMBItUxB2XzEEB1ovImPaDeQS1TTUXfDYvFWFU8tTjixZT1pYWls5egJ2nVgR-QWXzC5eZJbYLxBwgh4d3tMXhzzydWPHhZg7kKbGvNtwGpNtEsJRG3X1bXoVSTulZkq1dd-b4rusQBMlTWEd1UqjmLhwNIAbEFc8UFNn2ZXUYGubLNQG6zOPd4mdFIwpBL0NISHuiG6sjSgC3h1nZGw_0WEqOuR9WTxHh-E2HrKmFCjBWEiMaABL8cPatNLg1xva98LAPCKYl_Y855iwID",
      "e": "AQAB",
      "kid": "0c1c4623-ae68-49bf-9245-c712d0eb2004"
    }
  ]
}

desmond · June 7, 2024, 9:27am

I found the error. The keys above were in the PEM format. I fixed this by simply converting the public numbers into base64url encoded strings instead. The Python code is as follows

    generated_private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048
    )
    base64_url_n = int_to_base64urluint(generated_private_key.public_key().public_numbers().n)
    base64_url_e = int_to_base64urluint(generated_private_key.public_key().public_numbers().e)

An example of the resulting page is

{
    "keys": [
        {
            "alg": "RS256",
            "kty": "RSA",
            "n": "leAfDSh0e-d7UQ9fHTQWs4qMn80LTa3j3I_MTsdc6Vuz8MzYeweWmuw3uQOpKz28_cV8YmudqgPn8fcuKyc6SlSUqoEP5qHqMa0ovofjpNc8ztrTTUA2QL4tTgXkaArmPyuxQif2H_Lcfrb6jsOxHfLNlqZW8Wm6W5LFBM1ZLcno0izRyNbUvvpbKaVKdUM_x480oiyUTv3aVeLyN58FlkfQ-Pk0rdO1j8cW_o0hCmpj8RdAdG6o4AZwuxet9fjl3chik3OFgcCsSSjRO9BFqQt3F6FyvjVR2y6aV7ZPri_oQQHpKE1LCV09ptUTUdJpWosgFig5PFay0DpFvx3XDw",
            "e": "AQAB",
            "kid": "e145170a-7029-4d4a-bc3a-d43a20f5311e"
        }
    ]
}

Post		Replies	Views
Okta AS Keys mismatch what jwt.io reports Questions	2	3669	February 8, 2024
Unable to parse JWT through JwtSecurityTokenHandler Questions	6	22447	April 8, 2021
JWTValidationException: No matching JWK Questions	5	5044	September 17, 2021
The client JWKSet is invalid Questions	9	6042	April 1, 2021
Kid in OIDC JWT doesn't match any in jwks_uri OAuth/OIDC	6	1004	November 1, 2024

Issue validating id_token, unsure if JWKS is in the right encoding

Related topics