Closed nathanhokanson closed 8 years ago
A little more information: When debugging the line that returns the error of RSA empty keys (7948 in the version I am using) it appears to be looking for a key.x5c array, which does not exist in the first item returned from the server I am using (it is gluu). The algorithm is RS256, so I don't know if that affects anything.
thx -- this is an area that needs beefing up. can you provide me with the public URL for their metadata endpoint?
https://idp.gluu.org/.well-known/openid-configuration
That is the public endpoint. Is there anything I can do to help? I don't have much experience with OpenID Connect (which is why I wanted to use your library, :) ) but I am pretty good at JavaScript.
I can try to look into it next week. This is the important line of code:
https://github.com/IdentityModel/oidc-client/blob/master/oidc-client.js#L174
what it should do is loop thru all the items (keys) in the array and check each one (probably selecting the right kid, but that's more details).
BTW it's this data it's reading: https://idp.gluu.org/oxauth/seam/resource/restv1/oxauth/jwks
So I finally found out that the newer version of the server I am using doesn't provide the x5c key any more. This is one of the keys (there are six in total) that I am getting (with key & id removed for brevity):
```json
{
  "kty": "RSA",
  "kid": "<keyid>",
  "use": "sig",
  "alg": "RS256",
  "n": "<keydata>",
  "e": "AQAB"
}
```
The server supports several algorithms (RS256, RS384, RS512, ES256, ES384, ES512) but none of them have an x5c field. Is there an alternate way to decrypt the token given that we don't have the x5c key?
Thanks,
Nathan
Yep, this is something I need to fix/enhance in the oidc-client library.
Ran into this same issue when working with https://login.salesforce.com/.well-known/configuration. Keys are here - https://login.salesforce.com/id/keys, same structure as the one @nathanhokanson is getting
+1
This has been addressed in the oidc-client-js rework here: https://github.com/IdentityModel/oidc-client-js/issues/2 and the issue (that I forgot about) that was tracking this fix: https://github.com/IdentityModel/oidc-client-js/issues/10
I have a simple SPA based very loosely on the https://github.com/GeertHuls/SecuredApi app, although I have simplified the js a little for testing purposes. I am able to authenticate to my OpenID Connect server, but when I call the processTokenCallbackAsync with the hash I get the error listed in the subject line. I don't see anything in the documentation about needing RSA keys installed, but I might be missing something.
Here is my javascript:
```javascript
;(function (angular) {
  "use strict";

  angular.module("authTest", ["ngRoute"])
    .factory("tokenManager", tokenManager)
    .controller("loginController", loginController)
    .controller("visualizationController", visualizationController)
    .run(["$location", "tokenManager", function ($location, tokenManager) {
      var hash = $location.path();
      if (hash) {
        // take off the first character, for some reason $location is adding a
        // / in front of the hash. $location.hash() doesn't return the hash
        // (the rest of this block is not included in the post)
      }
    }]);

  function tokenManager($browser) {
  }

  function loginController(tokenManager) {
    var vm = this;
  }

  function visualizationController(tokenManager) {
    var vm = this;
    vm.id_token = tokenManager.id_token;
    vm.access_token = tokenManager.access_token;
  }
})(window.angular);
```