Closed dippynark closed 3 years ago
Interesting, what does your ID token look like? It's supposed to have a kid claim to indicate which of those two signing keys was used.
Relevant section of the spec: https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys
Decoding the returned ID token gives

```json
{
  "alg": "RS256",
  "kid": "eef8392a577a69267eff6401eb45686511bdf070"
}
```

with payload

```json
{
  "iss": "https://dex.<MY_DOMAIN>",
  "sub": "CgVhZG1pbhIFbG9jYWw",
  "aud": "authservice",
  "exp": 1594452983,
  "iat": 1594366583,
  "nonce": "N0oPtzgdfYn_nl4P9ODw2Q==",
  "at_hash": "cy2ynJcAKn3okh8oBaqjrA",
  "email": "admin@jetstack.io",
  "email_verified": true,
  "name": "admin"
}
```

with corresponding keys

```json
{
  "keys": [
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "eef8392a577a69267eff6401eb45686511bdf070",
      "alg": "RS256",
      "n": "xBVeIrLRA5tlGw-seIrKmqEUo6YUwEGwO5gtXKKek2a-bTLxTTyvrbUxnkUZrJLyefHnpcduTzVwdvfs9fu5fWNXwd-lal7bd6ebTLzItGsYRAg3PjFwDoG0t-9-eoZKdmn-9b4Y8-AzonlfQRTVMP9QYi67Tm7jNHa03BPS7ko7RpwVwk0HE8gP4ms0zYO-p62oXgLnQxlQ47pVbkFTE10jRaBNTp50nXn928CjQbG_QCWMoxS9AUoBYi37HJkDOW35DLINgkzR48luyn43aCAfOK0Ig06OlJO4w1B70HR5iNhM62AZzcv5Q9glrBG4AhtP1u4lmMF4UfhBy4s2Fw",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "2225a71ca71af3ce6c5a679cc49bf2b1c08739d4",
      "alg": "RS256",
      "n": "6NJt4_O9FHyUPq1SasDrNSIjMD2RkfJaukvPnFGODAhVxZb_0BMRgEvzvDltvidiNPNDyM15wKchGUbqX1iWDg-fflY59h8x4wxyoANmQ3Ik4ItO2-JosnM7EbvYajVude3YskCJyKstjfc4WA_baI3fswyGVBdzQP6ytGe6QTfL8df3Ulw-9KqeghC1JAqjGFPEpKepKmCq9uTBLjllcN7xv0DjOkdAKj1QEMTTHEqv0ZIFM6vvC9JBbCG-ONPF923cjrJXGWdwOhwP1mKaVK1G7kbxkmpPTTgLJ8GZ52SfQ5gh31p3-GZIEtMQRGfVNX2oV-MczVULBxH6MT4hKQ",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "1e68ebd649d697319c1cf393fe72ffd94a50b122",
      "alg": "RS256",
      "n": "zMy8JvPt6Q8ckkikowAQ2aqoOegr84wMC1pU9Y5K0aEz3s6xu2h0TO-PMdI-kVNtkcmqdwjkFVkhWIMyAkZIi3ud-cwYtEqmyetMabpyZkLt0xt2G0-asJHBBWn7wKjLCy3UkWADxdRZ_8KfHerd0qSo0TM3egVKpxqbcEEYsU-9fLm15rgFCHpq_W5k36Pukf5fYbEib3wpcURPUYvl4WDjr2Ipp11I1m3t6LVIgWa--3lEIUD8ucupZo-hLVbYiVCzxNazeS5hjZh1G8Ho7T_Lk3q06MwX9wRHDBDv4yLNFDGMX5YrxRFVqPvyChG1712IH6svQWYByGdkaL5Q_w",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "12295d743e9db3500da8535326a8afae4b383d88",
      "alg": "RS256",
      "n": "ypqGei9yWGLwt8y__dYofWI_kxtkpfhn3LWvb0xmUFVECtFKjE_Hh6oTUmHUceARoJSaMgYUqpHYXn4DVmIudNkBRY4qSVp7x43JMKPOJEU0Q5PnQ0EYgx-ipZo4y8FMPTTFvwcCTpsEqZ76vS3ivfG4mcREYEawQXmt1icITCwsfKAo0hPfz36miPSZKVBsac3fNoynJxnP7hJhrXf0pbx5pTrcQ6n12ZX7S0vyi3P_o3MFvArd-9A17Kkl2143iJi9fw9wkY5cvz5YXW1TejlAb34RGyNPYnyHNc4AYbuEkXqk1wuzG78q4Bxvq8JZCtWu8JbhLwAvWjB3m0Wyhw",
      "e": "AQAB"
    },
    {
      "use": "sig",
      "kty": "RSA",
      "kid": "e13f1003371e84a4bc2bab09fc1ecbe2bf327557",
      "alg": "RS256",
      "n": "pMfly4UAu1gmytcgvcsUWIXKVHzqa6curptR8-VNgwn1_Cz2ONYGRAtJYGkDoMx03ojKQkVC6ReMqI-HnW3NMJMisljfNpfG0FDLKXgjfwyBc4rTfz0oGtwAf-Eq6CTKZgp836PJbSC5mjqh5UYlqlSYYp_7w9n6q292JwrMnmRGDXmG-OOYewU-oXlrwYXduT9MWec9sOHrL1d7-VBORklQzF6SEq9GWI02WqgQxxQRPo-satWIsVaT-hDqQf0q9nEJTYiLUANjLejxbvUwfZfT0u4O44gX6EMAPuOeFztZn3Md89_BKjVCI0-sZpQuHoccrs3xCXUwZFuwLPb7vw",
      "e": "AQAB"
    }
  ]
}
```
So maybe it's the other way round, and authservice is only looking at the last key in the array? But I'm being given a JWT corresponding with the first key?
Also, do you have a recommended method, CLI or another tool for retrieving a JWT locally? I used https://github.com/jetstack/okta-kubectl-auth based off of https://github.com/dexidp/dex/tree/master/cmd/example-app but maybe there's something more generic?
@incfly did you mean to close this issue? This is https://github.com/istio-ecosystem/authservice/issues/110
Sorry @dippynark I meant https://github.com/istio-ecosystem/authservice/issues/34
And to make sure I understand correctly: the IdP can use new keys to sign the ID token, but authservice is using a static preconfigured JWK for verifying the ID token, therefore verification would fail. The issue I linked is about sending HTTPS requests to the JWKS URI endpoint periodically to fetch updates. That would cover this use case, right?
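As an added example (not code from the authservice or dex projects), the Go program below, using only the standard library, shows the two points made in this thread in working form: the verifier must pick the key named by the token's kid header (the spec section linked above), and a key set that is loaded once and never refreshed breaks the moment the IdP rotates. It replays the rotation scenario both ways: with a static JWK snapshot, which fails with an unknown kid, and with a re-fetch on an unknown kid, which is one way of doing what #34 describes (on demand rather than on a timer). Everything in it is constructed: the kid values, the stand-in fetch function, the claim values and the demo-side signing code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding             // JWTs and JWKs use unpadded base64url
type jwk struct{ Kid, Kty, N, E string } // the RFC 7517 fields RS256 verification needs

// verifier models the fix sketched in authservice #34: keys come from the JWKS URI (fetch
// stands in for the HTTPS GET) and, with refetchOnMiss set, are reloaded once when a token
// names an unknown kid. Unset, it is a static JWK snapshot, the behaviour this thread hit.
type verifier struct {
	fetch         func() []jwk
	refetchOnMiss bool
	keys          map[string]*rsa.PublicKey
}

func (v *verifier) refresh() {
	v.keys = map[string]*rsa.PublicKey{}
	for _, k := range v.fetch() {
		nb, _ := b64.DecodeString(k.N)
		eb, _ := b64.DecodeString(k.E)
		if k.Kty == "RSA" && len(nb) > 0 && len(eb) > 0 && len(eb) <= 4 { // skip unusable entries
			v.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
}

// verify selects the key by the header's kid (OIDC Core 10.1.1), checks the signature and
// returns the claims. Only RS256 is accepted; iss/aud/exp/nonce checks are the caller's job.
func (v *verifier) verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed JWT or alg is not RS256")
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok && v.refetchOnMiss { // unknown kid: the IdP may have rotated, reload once
		v.refresh() // production code should rate-limit this so forged kids cannot hammer the IdP
		pub, ok = v.keys[hdr.Kid]
	}
	if !ok {
		return nil, fmt.Errorf("no key with kid %q in cached JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var claims map[string]any
	return claims, json.Unmarshal(pb, &claims)
}

func publicJWK(kid string, k *rsa.PrivateKey) jwk { // demo IdP side, constructed, not dex's code
	return jwk{Kid: kid, Kty: "RSA", N: b64.EncodeToString(k.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())}
}

func signRS256(kid string, k *rsa.PrivateKey, claims map[string]any) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	pb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// rotationScenario replays the thread: the verifier loads the JWKS, the IdP rotates (new key
// listed first, as in the JWKS above) and a token signed with the new key arrives.
// refetch=false reproduces the error; refetch=true is the #34 behaviour.
func rotationScenario(refetch bool) (map[string]any, error) {
	old, _ := rsa.GenerateKey(rand.Reader, 2048)
	published := []jwk{publicJWK("key-old", old)}
	v := &verifier{fetch: func() []jwk { return published }, refetchOnMiss: refetch}
	v.refresh()
	cur, _ := rsa.GenerateKey(rand.Reader, 2048)
	published = append([]jwk{publicJWK("key-new", cur)}, published...)
	return v.verify(signRS256("key-new", cur, map[string]any{"sub": "CgVhZG1pbhIFbG9jYWw"}))
}

func main() {
	_, err := rotationScenario(false)
	claims, _ := rotationScenario(true)
	fmt.Printf("static: %v\nrefetch: sub=%v\n", err, claims["sub"])
}
```

With `go run`, the static run reports that kid "key-new" is not in the cached JWKS, which is the shape of failure a verifier built from a one-time JWK snapshot hits after rotation, while the refetching run accepts the token and returns the sub claim. Note that the verifier refuses anything but alg=RS256 before it even looks up a key, so a token with alg=none or an HS256 header cannot be pushed through the RSA path.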
@incfly hey, yeah #34 would fix this so happy to keep this issue closed
Once JWKS rotation occurs (i.e. JWKS endpoint has multiple entries) I am seeing:
in the authservice logs after logging in through my IdP (dex).
My JWKS response looks like:
with my authservice config:
Resetting dex (in this case) to have just one element in the keys array fixes the issue (after waiting some time which I presume is for Istio to grab the new keys itself, in the interim I see the same error message but returned by the browser).
I assume authservice is only looking at the first entry in the keys array whilst dex is signing new JWTs with the latest key?
I am using the latest authservice image: v0.3.1