International-Data-Spaces-Association / omejdn-daps

Open Source implementation of the Dynamic Attribute Provisioning Service based on http://github.com/Fraunhofer-AISEC/omejdn-server
Apache License 2.0

JWKS problems in local setup #18

Closed sebplorenz closed 2 years ago

sebplorenz commented 2 years ago

Hi, I'm trying to set up a local DAPS for testing. I followed the steps to create a server certificate and two clients and added the key and certs to the server. I'm using the docker image ghcr.io/fraunhofer-aisec/omejdn-server and added the configuration from this repository to it. I think it works. When I send a request to , then I get a

{"keys":[{"kty":"RSA","e":"AQAB","n":"xJ8Yz2j3QknA_BBED6yniyOj05IvBZ7ZOXJBf01gZWM9jTXIoUzbDROMxQZOxxwLtgFMM2u87h9omRL_NYTkYmy_sirvfsGBqw3qcfnpYN0ChlxmHPbs57H8H9vBnktJZI6GZbCzDT4pv0De4wk1RlVhOvfm3_U5oRTOV0uSCByvDmetsuQ-0XD3SYuVxnoUfDoYyPos5CmZY_rRlxUWMFfjE-bpXDYcMdFZrYytz5hmVbGZP0mC77XxrxelcvQ_wWr2wWmEUAS7iCN3vj-S-U98bGP0Azq0pZsdphKczuTqbFi7m3yvY23GHPV_qt2P3aLDULQ4HFHuFlVJyMbXyw","kid":"DN8r0RTURe2Re0w8UaNdh-tk09uStCHOBBGuwsYmnOU","use":"sig"}]}

But when I start a DSC 6.5.3 and point it to my local DAPS I'm getting the following message at startup:

TokenProviderService - Could not get JsonWebKey from received KeySet! PublicKey is null![code=(IMSCOW0037), kid=(default)]

And when I try to communicate with another DSC, I'm getting the following error message:

2022-02-01 15:10:54,905 http-nio-8080-exec-1 INFO  de.fraunhofer.ids.messaging.core.daps.aisec.AisecTokenManagerService - Successfully received DAT from DAPS.
2022-02-01 15:10:54,970 http-nio-8080-exec-1 WARN  de.fraunhofer.ids.messaging.core.daps.TokenProviderService - Could not parse JWT! Treat JWT as having expired. [code=(IMSCOW0040)]
2022-02-01 15:10:55,001 http-nio-8080-exec-1 INFO  de.fraunhofer.ids.messaging.core.daps.aisec.AisecTokenManagerService - Successfully received DAT from DAPS.
2022-02-01 15:10:55,059 http-nio-8080-exec-1 INFO  de.fraunhofer.ids.messaging.protocol.http.IdsHttpService - Sending request to http://consumer:8080/api/ids/data ...
2022-02-01 15:10:55,662 http-nio-8080-exec-1 INFO  de.fraunhofer.ids.messaging.protocol.http.IdsHttpService - Successfully received response to request.
2022-02-01 15:10:55,701 http-nio-8080-exec-1 INFO  de.fraunhofer.iais.eis.ids.component.interaction.validation.ShaclValidator - Initializing SHACL shapes.
2022-02-01 15:10:55,701 http-nio-8080-exec-1 INFO  de.fraunhofer.iais.eis.ids.component.interaction.validation.ShaclValidator - Loading SHACL shapes from resources. You can optionally download the latest shapes from GitHub.
2022-02-01 15:10:56,969 http-nio-8080-exec-1 INFO  de.fraunhofer.iais.eis.ids.component.interaction.validation.ShaclValidator - Loading ontology from resources
2022-02-01 15:10:57,105 http-nio-8080-exec-1 INFO  de.fraunhofer.iais.eis.ids.component.interaction.validation.ShaclValidator - Initialization of SHACL shapes complete.
2022-02-01 15:10:57,171 http-nio-8080-exec-1 INFO  de.fraunhofer.ids.messaging.protocol.http.IdsHttpService - Successfully passed SHACL-Validation.
2022-02-01 15:10:57,361 http-nio-8080-exec-1 WARN  io.dataspaceconnector.controller.util.ResponseUtils - Received unexpected response message. [response=({reason=https://w3id.org/idsa/code/NOT_AUTHORIZED, payload=Claims of DAT could not be parsed!, type=class de.fraunhofer.iais.eis.RejectionMessageImpl})]

bellebaum commented 2 years ago

This appears to be a problem with the DSC, which seems to try to extract a key with kid default rather than the kid included in the DAT (which is randomly generated and is DN8r0RTURe2Re0w8UaNdh-tk09uStCHOBBGuwsYmnOU in your case).

sebplorenz commented 2 years ago

Fixed it by replacing the kid named 'default' with the kid from above in the DSC configuration:

DAPS_KEY_URL_KID={'http://daps:4567/.well-known/jwks.json':'DN8r0RTURe2Re0w8UaNdh-tk09uStCHOBBGuwsYmnOU'}
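As an added illustration (not code from omejdn-daps or the DSC), the key-selection step the two comments above describe, in Python: the JWKS from the first comment, a constructed DAT-like token whose header carries that kid, and a lookup that yields no key when the configured kid 'default' is used but succeeds with the header kid or with the DAPS_KEY_URL_KID mapping from the fix. The token contents and the "configured kid wins, then header kid" lookup order are assumptions.

```python
import ast
import base64
import json

# JWKS exactly as returned by the local omejdn DAPS in the first comment above.
JWKS_URL = "http://daps:4567/.well-known/jwks.json"
JWKS_JSON = ('{"keys":[{"kty":"RSA","e":"AQAB","n":"xJ8Yz2j3QknA_BBED6yniyOj05IvBZ7ZOXJBf01gZWM9jTXIoUzbDROMxQZOxxwLtgFMM2u87h9omRL_NYTkYmy_sirvfsGBqw3qcfnpYN0ChlxmHPbs57H8H9vBnktJZI6GZbCzDT4pv0De4wk1RlVhOvfm3_U5oRTOV0uSCByvDmetsuQ-'
             '0XD3SYuVxnoUfDoYyPos5CmZY_rRlxUWMFfjE-bpXDYcMdFZrYytz5hmVbGZP0mC77XxrxelcvQ_wWr2wWmEUAS7iCN3vj-S-U98bGP0Azq0pZsdphKczuTqbFi7m3yvY23GHPV_qt2P3aLDULQ4HFHuFlVJyMbXyw",'
             '"kid":"DN8r0RTURe2Re0w8UaNdh-tk09uStCHOBBGuwsYmnOU","use":"sig"}]}')
# The DSC setting from the fix, in the form quoted in the issue (single-quoted mapping).
DAPS_KEY_URL_KID = "{'http://daps:4567/.well-known/jwks.json':'DN8r0RTURe2Re0w8UaNdh-tk09uStCHOBBGuwsYmnOU'}"

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed DAT-like token: the header names the kid the DAPS signed with.
# The signature segment is a placeholder, so the token is not verifiable; it only
# exercises the key-selection step that fails in the issue.
SAMPLE_DAT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT",
                              "kid": "DN8r0RTURe2Re0w8UaNdh-tk09uStCHOBBGuwsYmnOU"}).encode()),
    b64url_encode(json.dumps({"iss": "http://daps:4567", "sub": "constructed-connector"}).encode()),
    b64url_encode(b"placeholder-signature"),
])

def jwt_header(token):
    """Decode the JOSE header (first segment) of a compact-serialised JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))

def configured_kid(url, daps_key_url_kid):
    """Look up the kid configured for a JWKS URL in a DAPS_KEY_URL_KID mapping."""
    return ast.literal_eval(daps_key_url_kid).get(url)

def select_public_key(jwks_json, kid):
    """Return the RSA (n, e) of the JWK with this kid, or None: the 'PublicKey is null' case."""
    jwk = next((k for k in json.loads(jwks_json)["keys"] if k.get("kid") == kid), None)
    if jwk is None or jwk.get("kty") != "RSA":
        return None
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e

def resolve_key(jwks_json, token, configured=None):
    """Assumed DSC order: a configured kid wins; otherwise use the kid from the DAT header."""
    kid = configured if configured is not None else jwt_header(token).get("kid")
    return select_public_key(jwks_json, kid)
```

With kid 'default' configured, resolve_key returns None, which is the "PublicKey is null" symptom; with the header kid or the mapping from the fix it returns the 2048-bit modulus and exponent 65537 from the JWKS.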