logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0

bug: no applicable key found in the JSON Web Key Set #5186

Closed cong5 closed 8 months ago

cong5 commented 8 months ago

Hello!

I ran Logto in Kubernetes using the Docker image svhd/logto:latest, but when I tried to log into the console, an error occurred and I was unable to log in.

```text
Oops! Something went wrong. f: no applicable key found in the JSON Web Key Set
    at c.getKey (https://xxxx.shop/console/index.b0698af2.js:3:29786)
    at https://xxxx.shop/console/index.b0698af2.js:3:30333
    at #c (https://xxxx.shop/console/index.b0698af2.js:3:44747)
    at o.getKey (https://xxxx.shop/console/index.b0698af2.js:3:44304)
    at async u (https://xxxx.shop/console/index.b0698af2.js:3:16240)
    at async a (https://xxxx.shop/console/index.b0698af2.js:3:14004)
    at async a (https://xxxx.shop/console/index.b0698af2.js:3:18868)
    at async l (https://xxxx.shop/console/index.b0698af2.js:3:40765)
    at async c.verifyIdToken (https://xxxx.shop/console/index.b0698af2.js:1:532057)
    at async c.handleSignInCallback (https://xxxx.shop/console/index.b0698af2.js:1:530082)
```

cong5 commented 8 months ago

The console login no longer reports an error, but when the Machine-to-Machine application makes a request, the response is:

```json
{
    "message": "未经授权。请检查凭据及其范围。",
    "code": "auth.unauthorized",
    "data": {
        "code": "ERR_JWKS_NO_MATCHING_KEY",
        "name": "JWKSNoMatchingKey",
        "message": "no applicable key found in the JSON Web Key Set"
    }
}
```

darcyYe commented 8 months ago

Hi @cong5 , could you please elaborate on your setup and how you make M2M requests?

cong5 commented 8 months ago

> Hi @cong5 , could you please elaborate on your setup and how you make M2M requests?

First, I request https://xxx.shop/oidc/token to get an access_token:

image

Second, any request to the Logto Management API responds with this error.

image
darcyYe commented 8 months ago

Are you using a self-hosted OSS version, or are you using Logto Cloud?

cong5 commented 8 months ago

> Are you using a self-hosted OSS version, or are you using Logto Cloud?

I am using a self-hosted version.

darcyYe commented 8 months ago

Did you or someone with access to your Logto localhost change the oidc.privateKeys after the instance started but before you requested the Logto management API?

darcyYe commented 8 months ago

I cannot reproduce your issue on my machine. I started a brand new OSS Logto instance with a new DB, created an M2M app, and could successfully get the access token and access the Management API. It would be helpful if you could provide a step-by-step guide to reproduce this issue.

darcyYe commented 8 months ago

You can also check whether you have assigned the `all` scope to the M2M app via an M2M role.