nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

jwt signature verification failed: bad object header: too long #148

Open anshudutta opened 4 years ago

anshudutta commented 4 years ago

I am using ory/hydra as my OAuth server.

Discovery - https://experiment.alkmi.app/admin/hydra/public/.well-known/openid-configuration
jwks - https://experiment.alkmi.app/admin/hydra/public/.well-known/jwks.json

The flow works fine except for the last part: when the access token is requested from /oauth2/token, I see the following error:

jwt signature verification failed: Decode secret is not a valid cert/public key: ASN1 lib: public key decode error: RSA lib: nested asn1 error: bad object header: too long

Note: I was using oauth2_proxy before with nginx and it worked fine.

Logs Kong

127.0.0.1 - - [20/Jan/2020:00:36:51 +0000] "GET /admin/hydra/public/oauth2/auth?client_id=grafana&consent_verifier=101c02d233cb449fbab507cdc40a22be&nonce=bf1da331fede03de27dfa9be346d742b&redirect_uri=https%3A%2F%2Fexperiment.alkmi.app%2Fadmin%2Fgrafana%2F&response_type=code&scope=openid&state=2a03de92014282032073e10c1c022f9a HTTP/2.0" 302 0 "https://experiment.alkmi.app/mcp/encapto/consent?consent_challenge=5e539b493643427b9e7f6b13dbc7f00a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"
127.0.0.1 - - [20/Jan/2020:00:36:51 +0000] "GET /admin/hydra/public/.well-known/openid-configuration HTTP/1.1" 200 1457 "-" "lua-resty-http/0.14 (Lua) ngx_lua/10015"
127.0.0.1 - - [20/Jan/2020:00:36:51 +0000] "POST /admin/hydra/public/oauth2/token HTTP/1.1" 200 1524 "-" "lua-resty-http/0.14 (Lua) ngx_lua/10015"
127.0.0.1 - - [20/Jan/2020:00:36:51 +0000] "GET /admin/hydra/public/.well-known/jwks.json HTTP/1.1" 200 803 "-" "lua-resty-http/0.14 (Lua) ngx_lua/10015"
2020/01/20 00:36:51 [error] 40#0: *133913 [lua] openidc.lua:858: openidc_load_and_validate_jwt_id_token(): id_token 'RS256' signature verification failed, client: 127.0.0.1, server: kong, request: "GET /admin/grafana/?code=lv7BeURDaYAVZn8giuGF-V_cDTspPy41zEtO71KVFi4.jtK57jwYLH4fu2hCnVIEOy0yIs0A7DRLfUMEovxduxg&scope=openid&state=2a03de92014282032073e10c1c022f9a HTTP/2.0", host: "experiment.alkmi.app", referrer: "https://experiment.alkmi.app/mcp/encapto/consent?consent_challenge=5e539b493643427b9e7f6b13dbc7f00a"
127.0.0.1 - - [20/Jan/2020:00:36:51 +0000] "GET /admin/grafana/?code=lv7BeURDaYAVZn8giuGF-V_cDTspPy41zEtO71KVFi4.jtK57jwYLH4fu2hCnVIEOy0yIs0A7DRLfUMEovxduxg&scope=openid&state=2a03de92014282032073e10c1c022f9a HTTP/2.0" 500 172 "https://experiment.alkmi.app/mcp/encapto/consent?consent_challenge=5e539b493643427b9e7f6b13dbc7f00a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"
127.0.0.1 - - [20/Jan/2020:00:36:52 +0000] "GET /mcp/ HTTP/2.0" 200 1906 "https://experiment.alkmi.app/admin/grafana/?code=lv7BeURDaYAVZn8giuGF-V_cDTspPy41zEtO71KVFi4.jtK57jwYLH4fu2hCnVIEOy0yIs0A7DRLfUMEovxduxg&scope=openid&state=2a03de92014282032073e10c1c022f9a" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"

OAuth server - Hydra

time="2020-01-20T00:36:51Z" level=info msg="started handling request" method=GET remote=127.0.0.1 request="/oauth2/auth?client_id=grafana&consent_verifier=101c02d233cb449fbab507cdc40a22be&nonce=bf1da331fede03de27dfa9be346d742b&redirect_uri=https%3A%2F%2Fexperiment.alkmi.app%2Fadmin%2Fgrafana%2F&response_type=code&scope=openid&state=2a03de92014282032073e10c1c022f9a" request_id=68c0a212-0aeb-46ae-aedb-07c92a16b66d
time="2020-01-20T00:36:51Z" level=info msg="completed handling request" measure#hydra/public: https://experiment.alkmi.app/admin/hydra/public.latency=36332843 method=GET remote=127.0.0.1 request="/oauth2/auth?client_id=grafana&consent_verifier=101c02d233cb449fbab507cdc40a22be&nonce=bf1da331fede03de27dfa9be346d742b&redirect_uri=https%3A%2F%2Fexperiment.alkmi.app%2Fadmin%2Fgrafana%2F&response_type=code&scope=openid&state=2a03de92014282032073e10c1c022f9a" request_id=68c0a212-0aeb-46ae-aedb-07c92a16b66d status=302 text_status=Found took=36.332843ms
time="2020-01-20T00:36:51Z" level=info msg="started handling request" method=GET remote=127.0.0.1 request=/.well-known/openid-configuration request_id=a010262c-1413-428c-935f-779c1c372ee8
time="2020-01-20T00:36:51Z" level=info msg="completed handling request" measure#hydra/public: https://experiment.alkmi.app/admin/hydra/public.latency=515995 method=GET remote=127.0.0.1 request=/.well-known/openid-configuration request_id=a010262c-1413-428c-935f-779c1c372ee8 status=200 text_status=OK took="515.995µs"
time="2020-01-20T00:36:51Z" level=info msg="started handling request" method=POST remote=127.0.0.1 request=/oauth2/token request_id=e4c9fac1-b074-46b0-9ea9-31f082dcd9ea
time="2020-01-20T00:36:51Z" level=info msg="completed handling request" measure#hydra/public: https://experiment.alkmi.app/admin/hydra/public.latency=173955941 method=POST remote=127.0.0.1 request=/oauth2/token request_id=e4c9fac1-b074-46b0-9ea9-31f082dcd9ea status=200 text_status=OK took=173.955941ms
time="2020-01-20T00:36:51Z" level=info msg="started handling request" method=GET remote=127.0.0.1 request=/.well-known/jwks.json request_id=de7ab2a2-d3b1-40e9-a24c-6b39bb401a35
time="2020-01-20T00:36:51Z" level=info msg="completed handling request" measure#hydra/public: https://experiment.alkmi.app/admin/hydra/public.latency=9218501 method=GET remote=127.0.0.1 request=/.well-known/jwks.json request_id=de7ab2a2-d3b1-40e9-a24c-6b39bb401a35 status=200 text_status=OK took=9.218501ms
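As an added example (not part of this issue, of kong-oidc or of lua-resty-openidc), here is a stdlib-only Python script that walks the same path the plugin takes before it can verify the id_token: it converts a JWK's `n` and `e` into a DER SubjectPublicKeyInfo, reads that DER back with a strict length check (the ASN.1 length octets are exactly where a decoder reports "bad object header: too long"), and verifies an RS256 JWT against the recovered key. The RSA key, the token, the `https://issuer.example` issuer and the `constructed-kid` key id are constructed locally with a seeded RNG so the script runs offline; `jwk_to_der` and `spki_rsa_params` can be pointed at the entries of a real jwks.json to check whether the keys themselves decode cleanly before looking at the plugin.

```python
# Added example, not code from nokia/kong-oidc or lua-resty-openidc: offline reproduction of
# the steps behind the reported error: JWK (n, e) -> DER SubjectPublicKeyInfo, a strict DER
# reader that raises on an overlong length, and RS256 verification. The key, token, issuer and
# kid are constructed locally with a seeded RNG; never use them for real tokens.
import base64, hashlib, json, random

RSA_OID = bytes.fromhex("06092a864886f70d010101")             # 1.2.840.113549.1.1.1 rsaEncryption
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def i2osp(v): return v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")

def der_len(n):
    """DER length octets: short form below 128, else 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = i2osp(n)
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body

def der_int(x):
    body = i2osp(x)
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep the INTEGER positive

def key_to_jwk(n, e, kid="constructed-kid"):
    return {"kty": "RSA", "use": "sig", "kid": kid, "n": b64u_encode(i2osp(n)), "e": b64u_encode(i2osp(e))}

def jwk_to_der(jwk):
    """SubjectPublicKeyInfo{ AlgorithmIdentifier{rsaEncryption, NULL}, BIT STRING{RSAPublicKey{n, e}} }."""
    n, e = (int.from_bytes(b64u_decode(jwk[k]), "big") for k in ("n", "e"))
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, der_tlv(0x30, RSA_OID + b"\x05\x00") + der_tlv(0x03, b"\x00" + rsa_pub))

def der_read(data, pos=0):
    """Return (tag, body, end) of the TLV at pos; a length running past the buffer raises."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits give the count of length bytes
        nbytes, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - nbytes:pos], "big")
    if pos + length > len(data):
        raise ValueError("bad object header: too long")
    return tag, data[pos:pos + length], pos + length

def spki_rsa_params(der):
    """Walk the SubjectPublicKeyInfo back to (n, e); anything malformed raises ValueError."""
    tag, spki, _ = der_read(der)
    _, alg, p = der_read(spki)
    tag_b, bits, _ = der_read(spki, p)
    if tag != 0x30 or not alg.startswith(RSA_OID) or tag_b != 0x03 or bits[:1] != b"\x00":
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, rsa_pub, _ = der_read(bits[1:])
    tag_n, n_body, p = der_read(rsa_pub)
    tag_e, e_body, _ = der_read(rsa_pub, p)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must be two INTEGERs")
    return int.from_bytes(n_body, "big"), int.from_bytes(e_body, "big")

def emsa_pkcs1_v15(msg, k):                   # EMSA-PKCS1-v1_5 with the SHA-256 DigestInfo prefix
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(token, n, e):
    """Accept only RS256 (the alg is pinned, not taken from the token), then compare the padding."""
    h, p, s = token.split(".")
    if json.loads(b64u_decode(h)).get("alg") != "RS256":
        return False
    k, sig = (n.bit_length() + 7) // 8, int.from_bytes(b64u_decode(s), "big")
    return 0 < sig < n and pow(sig, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(f"{h}.{p}".encode(), k)

def rs256_sign(claims, n, d):
    h = b64u_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    p = b64u_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    return f"{h}.{p}." + b64u_encode(pow(int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big"), d, n).to_bytes(k, "big"))

def _probable_prime(c, rng, rounds=16):       # small-prime trial division, then Miller-Rabin
    if any(c % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, r = c - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, c - 1), d, c)
        if x in (1, c - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, c)
            if x == c - 1: break
        else:
            return False
    return True

def make_test_key(bits=1024, seed=148):
    """Seeded RSA key for the demo, returns (n, e, d); deterministic, so never use it for real tokens."""
    rng, e, half = random.Random(seed), 65537, bits // 2
    def prime():
        while True:
            c = rng.getrandbits(half) | (1 << (half - 1)) | 1     # top bit set, odd
            if _probable_prime(c, rng): return c
    while True:
        p, q = prime(), prime()
        if (p - 1) % e and (q - 1) % e:                          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))
```

Two design points worth noting for anyone reusing this as a check: `rs256_verify` pins the algorithm instead of honouring whatever `alg` the token carries, and `der_read` fails closed on any length that overruns its buffer, so a JWK whose modulus was encoded with the wrong length octets (or without the leading zero byte that keeps the INTEGER positive) is rejected with the same kind of message this issue reports rather than silently producing a different key.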
anshudutta commented 4 years ago

This can probably be solved by upgrading the lua-oidc library to > 1.6.1. I see that there is a commit, but it hasn't been released. When is the next release scheduled?

oliveiragabriel07 commented 3 years ago

+1 Any updates on this question?