IdentityPython / JWTConnect-Python-OidcRP

Highlevel interface to the OIDC RP library
Apache License 2.0

id token #1

Closed aphuang2013 closed 6 years ago

aphuang2013 commented 6 years ago

Not sure this is a bug, but not sure how to fix it. I'm using PingFed as the OP; it works pretty well for most OIDC stuff. I'm using chrp stuff and got to a place where it complains about the following:

File "/usr/local/lib/python3.6/site-packages/oidcmsg/oidc/__init__.py", line 258, in verify
    idt = IdToken().from_jwt(str(self["id_token"]), **args)
File "/usr/local/lib/python3.6/site-packages/oidcmsg/message.py", line 547, in from_jwt
    "alg=%s" % _header["alg"])
oidcmsg.exception.MissingSigningKey: alg=RS256

Is there a way to debug this? I know PingFed generates the ID token with the proper algorithm (using jwt.io on other software I tested). Not exactly sure how to debug in here.

rohe commented 6 years ago

OK, I need more of the log to really understand what's going on here, but my guess is that there is some configuration error. The ID Token is probably OK; it's just that your entity doesn't have the necessary key to verify the signature. Why that is, is what the log could tell me. Are you using dynamic provider info discovery, for instance?

aphuang2013 commented 6 years ago

I found the log in farp.log, and it points me to the issuer not being in the keyjar, which results in the verification error. It was somewhat confusing to see a missing alg, but it is really not able to handle the JWS header.


rohe commented 6 years ago

So, do you use dynamic provider info discovery, or how do you get the OP's keys?

aphuang2013 commented 6 years ago

PingFed has a published JWKS URL (that is what I used), so the static/jwks.json gets built. I would like to use discovery instead, using make_opbyuid_html.py to build jwks.json.

=============
2018-05-08 09:15:11,419 oidcservice.service:DEBUG Verify response with {'client_id': 'pyrp_client', 'iss': 'https://c4t22724.itcs.hpecorp.net:9031', 'keyjar': <KeyJar(issuers=[''])>, 'verify': True, 'skew': 15}
2018-05-08 09:15:11,420 oidcmsg.message:DEBUG Raw JSON: {'sub': ' peter.huang@hpe.com', 'c': 'US', 'givenname': 'Peter', 'locality': 'Palo Alto', 'cn': 'Peter Huang', 'sn': 'Huang', 'email': 'peter.huang@hpe.com', 'aud': 'pyrp_client', 'jti': 'xau3p1KXBLAqonJaTxjcAo', 'iss': ' https://c4t22724.itcs.hpecorp.net:9031', 'iat': 1525796112, 'exp': 1525839312, 'pi.sri': '_TotSxM7FaG6kPHrKJDUr03V0q0', 'nonce': '7cWb2tvu9BAwCLKbq7F06BN1', 'acr': 'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient'}
2018-05-08 09:15:11,420 oidcmsg.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'WazsR_wSgyDH8luBAwcX3BcZ9DI'}
2018-05-08 09:15:11,421 oidcmsg.key_jar:ERROR Issuer " https://c4t22724.itcs.hpecorp.net:9031" not in keyjar
2018-05-08 09:15:11,421 oidcmsg.key_jar:ERROR Issuer "pyrp_client" not in keyjar
2018-05-08 09:15:11,421 oidcservice.service:ERROR Got exception while verifying response: alg=RS256
2018-05-08 09:15:11,421 oidcrp.oauth2:ERROR alg=RS256

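The failure in the log above, as an added example (my code, not the oidcrp or oidcmsg project's): a minimal key-selection step showing why a keyjar that holds the OP's keys under the empty issuer '' (the KeyJar(issuers=['']) in the log) finds no key for an ID token whose iss is the OP URL, and why the same JWKS bound to that issuer works. The function names, the JWKS contents and the dummy signature are assumptions; the issuer URL and kid are the ones in the log, and RSA signature checking itself is left to the JWS library.

```python
import base64
import json

# Constructed sample (not real key material): issuer and kid are the ones in the log
# above, the modulus is a placeholder; only key selection is shown, not RSA verification.
OP_ISSUER = "https://c4t22724.itcs.hpecorp.net:9031"
OP_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "WazsR_wSgyDH8luBAwcX3BcZ9DI",
                     "n": "placeholder-modulus", "e": "AQAB"}]}

class MissingSigningKey(Exception):
    """Same name as the oidcmsg exception; the message says which lookup failed."""

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_unsigned_token(header: dict, payload: dict) -> str:
    """header.payload.signature with a dummy signature part (constructed input)."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "c2ln"])

def select_signing_key(keyjar: dict, id_token: str, allowed_algs=("RS256",)) -> dict:
    """keyjar maps issuer URL -> JWKS dict; returns the JWK to verify id_token with."""
    header, payload = (json.loads(_unb64url(p)) for p in id_token.split(".")[:2])
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in allowed_algs:           # the token must not choose 'none' or HS*
        raise MissingSigningKey(f"alg={alg} not allowed")
    iss = payload.get("iss", "").strip()  # the log shows a stray leading space
    if iss not in keyjar:                 # -> 'Issuer "..." not in keyjar' in the log
        raise MissingSigningKey(f"alg={alg}: issuer {iss!r} not in keyjar, "
                                f"keyjar only knows {sorted(keyjar)}")
    keys = [k for k in keyjar[iss]["keys"] if k.get("kty") == "RSA"
            and k.get("use", "sig") == "sig" and (kid is None or k.get("kid") == kid)]
    if not keys:
        raise MissingSigningKey(f"alg={alg}: no RSA sig key kid={kid!r} under {iss!r}")
    return keys[0]

def demo() -> tuple:
    # Keys filed under '' (as in the log) fail; the same JWKS bound to the OP works.
    token = make_unsigned_token({"alg": "RS256", "kid": "WazsR_wSgyDH8luBAwcX3BcZ9DI"},
                                {"iss": OP_ISSUER, "aud": "pyrp_client", "sub": "peter"})
    try:
        select_signing_key({"": OP_JWKS}, token)
        error = None
    except MissingSigningKey as err:
        error = str(err)
    return error, select_signing_key({OP_ISSUER: OP_JWKS}, token)["kid"]
```

The first element returned by demo() is the same "not in keyjar" condition the RP logged; binding the JWKS to the OP issuer URL instead of '' is what makes the second lookup succeed.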

rohe commented 6 years ago

That's not how you're supposed to do it. Please let us continue this discussion by direct email. You can find my address in my bio.