invalid signature key on standard flow callback with response_mode=query.jwt #30642
Comments
@ninetz The jwks_uri endpoint is just the public key representation in a specific format. jwt.io just downloads it from the endpoint (http:https://localhost:8080/realms/master/protocol/openid-connect/certs in my case). My feeling is that you are doing something wrong trying to verify the signature.
@rmartinc It could be that I am doing something wrong - when I am verifying the signature in the application, I am verifying it only using the public certificate (x5c attribute) retrieved from the certs endpoint. This verification works fine when verifying access tokens but not when verifying the response. Is that intended behavior - that I am not able to verify this response JWT using only the x5c cert?
Can you please paste the code or something you are using to validate? Try to attach something easy to test just changing the token and the certificate. Not partial code or similar.
@rmartinc As I was writing the code to give to you and testing it further, in the end it was not Keycloak that was the problem but the function that I was using to parse the JWT that was causing issues. I used Claims parsing, which could not be applied to the response JWT but could be applied to access token parsing, which caused the issue. Thanks for your help :)
Before reporting an issue
Area
authentication
Describe the bug
After initiating a standard flow with Pushed Authorization Request with JAR ( https://openid.net/specs/oauth-v2-jarm-final.html ) with response_mode=query.jwt, the user successfully logs in and, after being redirected to the callback URL with the response parameter, the JWT inside response is signed using an unknown key. The KID that Keycloak puts in the header of the JWT is not what the JWT is actually signed with.
Version
25.0.1 (latest)
Regression
Expected behavior
The JWT that is inside the "response" parameter after initiating flow with response_mode=query.jwt should be signed with the key (kid) that is inside the JWT header.
Actual behavior
The JWT that is inside "response" after initiating the flow with response_mode=query.jwt claims to be signed with the correct algorithm and KID, but when we get the public key/certificate of the specified KID in the JWT header from the /certs endpoint and verify the signature using jwt.io or some other JWT claims parser, the signature doesn't match - the JWT isn't actually signed with the KID that is in the header.
How to Reproduce?
Anything else?
It is really odd that the KID in the header actually exists in the /certs endpoint, but when I retrieve the public key/certificate of the kid and attempt to verify the JWT, the signature does not match. Keycloak puts the correct KID in the header but uses some different key to actually sign the JWT?
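The thread resolves with the reporter finding that the JWT parser, not Keycloak, was at fault: a claims-type-specific parse routine that works for access tokens did not apply to the JARM response JWT. The check that matters is independent of the token type: take the `kid` from the JWS header, look that key up in the JWKS published by the realm's certs endpoint, and verify the RS256 signature over `header.payload` before interpreting the claims at all. The Go program below is an added example written for this page; it is not code from the issue, from the reporter, or from Keycloak. It assumes only the JWKS shape the certs endpoint publishes (`kid`, `n`, `e`; the `x5c` chain is also present there but not needed for RS256). The function names (`signRS256`, `verifyWithJWKS`, `fixture`), the key ids `rs-a`/`rs-b`, and all claims values are constructed for the demonstration. `fixture` also builds the exact situation the issue describes, a token whose header names a kid that exists in the JWKS but whose signature was produced by a different key, so the verifier's rejection of it can be seen.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk: the JWKS fields needed to rebuild an RSA public key (/certs also ships x5c).
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// publicJWK exports an RSA public key as a JWKS entry under the given kid.
func publicJWK(kid string, pub *rsa.PublicKey) jwk {
	return jwk{Kid: kid, N: b64url(pub.N.Bytes()), E: b64url(big.NewInt(int64(pub.E)).Bytes())}
}

// signRS256 builds a compact JWS whose header advertises kid and is signed with
// priv. Nothing ties kid to priv here: that is the mismatch a verifier must catch.
func signRS256(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims) // plain strings and integers cannot fail to marshal
	input := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// verifyWithJWKS checks a compact JWS against the key whose kid matches the header.
// The payload is opaque JSON here, so the same check covers a JARM response JWT
// and an access token alike.
func verifyWithJWKS(token string, keys []jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hdrJSON, e0 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e2 := base64.RawURLEncoding.DecodeString(parts[2])
	if e0 != nil || e1 != nil || e2 != nil {
		return nil, fmt.Errorf("JWS parts are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let "alg" pick the verifier
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not found in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not match kid %q", hdr.Kid)
	}
	var claims map[string]any
	err := json.Unmarshal(payload, &claims)
	return claims, err
}

// fixture is constructed data: two realm-style keys, a JARM response JWT signed by
// "rs-a", and one whose header names "rs-a" but was signed with "rs-b".
func fixture() ([]jwk, string, string, error) {
	privA, errA := rsa.GenerateKey(rand.Reader, 2048)
	privB, errB := rsa.GenerateKey(rand.Reader, 2048)
	if errA != nil || errB != nil {
		return nil, "", "", fmt.Errorf("key generation failed")
	}
	keys := []jwk{publicJWK("rs-a", &privA.PublicKey), publicJWK("rs-b", &privB.PublicKey)}
	claims := map[string]any{"iss": "http://localhost:8080/realms/master", "aud": "example-client",
		"code": "constructed-auth-code", "state": "constructed-state", "exp": int64(4102444800)}
	good, errG := signRS256("rs-a", privA, claims)
	mismatched, errM := signRS256("rs-a", privB, claims) // header says rs-a, key is rs-b
	return keys, good, mismatched, errors.Join(errG, errM)
}
```

`verifyWithJWKS` deliberately does not know whether it is looking at an access token or a JARM response; it only needs the header, the JWKS entry the `kid` points at, and the signature bytes. Claim validation (`iss`, `aud`, `exp`, and binding `state` to the pending request) is a separate step that runs after the signature check succeeds. Call `fixture()` followed by `verifyWithJWKS()` from a `main` or a test to see the correctly signed token accepted and the mismatched one rejected with `signature does not match kid "rs-a"`.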