panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

no valid key found when validating token #155

Closed spikyjt closed 5 years ago

spikyjt commented 5 years ago

When calling client.authorizationCallback() I get the following error:

{ AssertionError [ERR_ASSERTION]: no valid key found
    at keystore.then.then (/Users/jt/Projects/developer-accounts-frontend/node_modules/openid-client/lib/issuer.js:140:9)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  generatedMessage: false,
  name: 'AssertionError [ERR_ASSERTION]',
  code: 'ERR_ASSERTION',
  actual: 0,
  expected: true,
  operator: '==' }

I've tried passing a Jose keystore to the Client constructor, as `keys` is always empty in L139 of issuer.js, but that didn't help me.

I'm sure this is a configuration problem my end, but with the docs being somewhat light, I'm not sure where to go!

Thanks for providing this excellent library.

panva commented 5 years ago

Indeed either misconfiguration on the OP or your side. Depends on what operation you're actually doing.

Please answer the following

spikyjt commented 5 years ago

Thanks for your quick response.

The token is being verified. It decrypts before this apparently successfully.

The JWT is:

{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkpmZjJXTXltWW10TlY2U2hveW5pSU1JOXEzbyIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NTA4NDMyNDQsImV4cCI6MTU1MDg0MzI3NCwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5waXhlbHBpbi5pbyIsImF1ZCI6Ik9ONjJZWTVYUzJYRExXWlZNUkc2VVE0UTdBWkJKTCIsImlhdCI6MTU1MDg0MzI0NCwic3ViIjoiNWM1YWI1M2Q1YWM2OWY1NDgwYjcyNTM2IiwiYXV0aF90aW1lIjoiMSw1NTAsODQyLDkwOSIsImFtciI6InBhc3N3b3JkIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImVtYWlsIjoianQrMUBwaXhlbHBpbi5pbyJ9.cwmrGlAYtkagAtlCTJS_HnuTcDLNPqlGsL0J0SHNJPKwbTVeKOSMyXf7r6U8u6LYIoeKKHokFdo3ZVn2xeiGO5I5DBREOkCO3lcSXLKozRVCULZgn7ZZ2WTkc8DyvfnLykLFm19hzen6RVYkl2FqR1IFYEkE2RCJsm8vyHqCCoXWx6DlI9Sc4pHP3p151TIl4P6qvAJ-9y4_Ogs1gQ7pbXd03noDA7lxCAnpXbU6ynDYaEgh4AjrfD_YVLxouBnn8jQg8aPXlPelaWM2jm_uUE2fUs6YxFqrK1F2SYuThjEoVHlasA_zlYbx6_3JfIJcF8kERdAH1rgdo3CIcA0aabPAcqyQqBMWefQLVM_FMlO9NRSlhciYBnHiFveUZGtOJPK1d2Pwgy899ztt-IsmHa_EXtPeWfA17gxF6SoZy1kivwaiM8pu3l7-cAOUGf-PLTL_BL5uygp8-BZoqFuf1ow2WILN25Y2bXjMtQ96ehdIF5Wu7pUuNKLNH8BykmZaenk0nDALv6-3zpeZANDbVJq_7yy07ZksjqPxo1Qlsh665xnfsTxjF8yPJO8M0HqboBthGd3N7W5iG2-J7zt2GIpInjf-Q_GTtRTCcxYmKSXTq3luyad2LGkGJHtU9U2RtAEeUnr-H1QRG5i5tREj9CnSB5u0oWan_nvnwuKb0Ag",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkpmZjJXTXltWW10TlY2U2hveW5pSU1JOXEzbyIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1NTA4NDMyNDQsImV4cCI6MTU1MDg0MzI3NCwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5waXhlbHBpbi5pbyIsImF1ZCI6Imh0dHBzOi8vbG9naW4ucGl4ZWxwaW4uaW8vcmVzb3VyY2VzIiwiY2xpZW50X2lkIjoiT042MllZNVhTMlhETFdaVk1SRzZVUTRRN0FaQkpMIiwic2NvcGUiOiJvcGVuaWQiLCJzdWIiOiI1YzVhYjUzZDVhYzY5ZjU0ODBiNzI1MzYiLCJhdXRoX3RpbWUiOiIxLDU1MCw4NDIsOTA5IiwiYW1yIjoicGFzc3dvcmQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZW1haWwiOiJqdCsxQHBpeGVscGluLmlvIn0.MHOrHlVC64BgiqGQtUhWfUjzDe0euTI_jpHAy6rtxEi4D9OUaGdcIzb5m6bSKD7TYv4H0c0fP-dAvIrxmSQwvmTI0yIiRr88C1pX7mZAwQgQzy315vn97_ktEk3q1_4vXqn2wpIIHn8TaRS-kU8jskygBzH5Lsou9r0knCKuwAC6Z4ycwlW3z-yA8XcWUlPLeoISArowkgWt245r9dP4ztk61RqDDsJrxxD2Ju1ct-d1UwLomkTsJmOyKd2t-2DBCcuJjG3GUHfplT1Aj_6W0XEq48LyyxASWbrKcJFuTbwhILeul86H7SBYz_9tuQQBlDUZMAYDbcxssQjnmfelaNByRGDS0AgZKcavQNqZ9HcD4G41I6YToLjO12eW3vQ23baGCZYtLDEQJ1Su_Tmwb42lIB8pcE-cEgl-TA1P6pg0YiTFGBwpFyatQbB95ridsubPNl3Dv-R5HCLsONtpOCukQlJz-_vhii38myfO5tFqbSov3QkP42oHudiH5CH-657pkMq-WeUxIMw7V89KJckgKYY6nmRT_GIn6GtxFn84CthylAUy-Vgj67tr-FW8GoiiKDKqwUrQPm3iBYw_Bw1005WjEnCjBoEgSDe6AqoH8TYt5wkjaDVhk0GsPyqppiiOOcXxcvuyEzjkHxdTg5A-V9U1GRLFXdjKkeoQElM",
  "token_type": "Bearer"
}

The jwks_uri content is:

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "25F7F658CCA6626B4D57A4A1A329E220C23DAB7A",
      "x5t": "Jff2WMymYmtNV6ShoyniIMI9q3o",
      "e": "AQAB",
      "n": "xMAKSDpMkFx5SDqtkEINgWV-8zHIstw4iqiFa6g0_pUrv5xq6KxItgrHTweHiMSQgDpBd8JmmXqeEo0wYymG1L2aWaFAAl8J5Ghp1EzQGvjVCAoLHvrOr0s2J69KZus5Hx1o6sg-_y2ugFmLKzWAmvUnLUPkY9kzQ6I5zTajHFkKr3pachAAHtl6wqSnmAoFtOLauZEaUhynXhvzOcuG-8GRAaVhTepGIW2I7tZM0m3DbwptpAVZOXIMHKZ-O2sWtsm9-TmYi-mcOxIttLxgBU7ymfaaxSdxk1oytyl0OGrBXmxvKZ1fYhalAiPLdsbRb1ZXhkSP-wF1-5NwXp06jSV3E8v9qvOwwNHtJwVlBCv8O07MXcH71tm_6gaaBZEP_rUTN9PZ2OBuQxWXqUa4Yk7zWMRxP1jYvxrV-Dbcap0XRFzwPmJCNGaknhrDLD0fYqgM936g3Fp18m0qZDYmiOp7Gsu0xzp3k2sYuzL0sRuVemnveip4KscFvrEhug9B5XUNSuCNCi1YXhAqs0HA8_sUCbTJdpjtCq80ig6NpyATfvmeEv_XZhQiKRSsMCQvGoB7UqH8u10iSfLtodSiM3gEUzJNoRE4hzZ2Yf55yesj9z0-N_H-o4Z_kLv3lPJz7WDDVc9pioLWkO_ewZJicBoUzK-S0c3ylrLUK5mDDa8",
      "x5c": [
        "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"
      ]
    },
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "4145B66DEC637F7C76374E01848776C587D90222",
      "x5t": "QUW2bexjf3x2N04BhId2xYfZAiI",
      "e": "AQAB",
      "n": "4a_1FIAI1hEHs6HdZqvh7O9KRusUadZFcMJR-Bo7eWDCq00CWKw9d29vS1aitLgJe76TNdqzyda7fDDb-YBbSq17C0VmlneuDmu8-VFcKzcGkdG6ouwDUo8LccsqIwuvX_e-PVo0-P3cNonExXJnMioJUaEQJcevqeuyL3ONgk2qJeNhX1uF3FMxdz0TNuT9BT2F4CBlEvyof9PvGsle__uJUkErM5YIzQDphS2rvwRYut7w1B3rjvBQyRUznZVGk91rtEVUYdcQYXoAehVfIwZC5IMuvYakzvSNvYbpKfZ53P3busl4UEKXyAiFTGCtM2-TmuBdHhPyBU7-c6bLBXHMm-Ziry_rSmeYzVbZB1E9GQmxKXa_d2iit2Yksr8Yi0EdxMMSnBqZwzJCP2pYF6-f8DjEaN1e_7mlg-UPJJ4SaxTnjcPVn-lF2P7hURoyIcHvZifWXmNBvIwSvSj67kp_woDh2XcpuGkxZH4Ksbv0H1c5KhQGMagnd-acjMq6goM448E6HowMlOVInFlaYK5MlZbfOpeBBU3H6WtuLvZ5RXSnmBbEsJCfSLkfobceXc_BlWoy6NGmLyKzQG3-biMeYFJcjn1f2tS5A-ZT0jNwYsgvWzXOGnesF83IOljtN5Y9Xn71AqsTF46jHdBQjZuD1LwyJ9JYMyXVlHx5rcM",
      "x5c": [
        "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"
      ]
    }
  ]
}

I appreciate your assistance with this. I should at this point 'fess up and let you know that the OP is our own system and in this case I am running it locally, hence no point providing you with the jwks_uri itself. I'm hoping to use your library as a reference test case, so that we can ensure our OP is working correctly.

panva commented 5 years ago

Gotcha,

the ID Token's kid used is Jff2WMymYmtNV6ShoyniIMI9q3o, there's no JWK in your jwks_uri with that kid. That being said, that value is present as x5t, which would be invalid.

If I may make a suggestion, get rid of the jwks_uri x5c and x5t, stick to kid only and expose the right kid.

If you're developing an OP you should be able to figure such things, ultimately also run the OP certification suite to verify your OP behaviours.
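An added example, not code from openid-client or from either participant, that reproduces the key-selection step behind the error above: it decodes the protected header of the posted ID Token and looks its `kid` up in the posted jwks_uri keys, first by `kid` (what a correct OP needs) and then by `x5t` (which is where this OP's value actually appears). The header segment and the `kid`/`x5t` values are copied from the thread; the payload, signature, function names and the returned field names are constructed for the example.

```javascript
'use strict';
// Added example: reproduce the key lookup that fails with "no valid key found".
// This is not openid-client code; it only decodes the JOSE header of the
// posted ID Token and compares its `kid` against the posted jwks_uri keys.

function b64urlDecode(seg) {
  // base64url -> base64, then restore the padding that compact JWS strips
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

function b64urlEncode(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse only the protected header of a compact JWS. No signature check here:
// the point is the key selection step that happens before verification.
function parseJwsHeader(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected a 3-segment compact JWS');
  return JSON.parse(b64urlDecode(parts[0]).toString('utf8'));
}

// Report whether the token's `kid` selects a signing key, and whether the
// value the OP put into `kid` is really one of the keys' x5t thumbprints.
function diagnoseKeyLookup(jwt, jwks) {
  const header = parseJwsHeader(jwt);
  const sigKeys = jwks.keys.filter((k) => !k.use || k.use === 'sig');
  const byKid = sigKeys.find((k) => k.kid === header.kid);
  const byX5t = sigKeys.find((k) => k.x5t === header.kid);
  return {
    alg: header.alg,
    headerKid: header.kid,
    matchedKid: byKid ? byKid.kid : null,          // non-null for a correct OP
    kidIsActuallyX5tOf: byX5t ? byX5t.kid : null,  // the mismatch in this thread
  };
}

// Header segment copied from the ID Token posted above; payload and signature
// are constructed placeholders (the lookup never reads them).
const POSTED_HEADER = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IkpmZjJXTXltWW10TlY2U2hveW5pSU1JOXEzbyIsInR5cCI6IkpXVCJ9';
const SAMPLE_ID_TOKEN = [
  POSTED_HEADER,
  b64urlEncode(JSON.stringify({ iss: 'https://login.pixelpin.io', sub: 'constructed' })),
  'c2ln', // placeholder signature segment
].join('.');

// kid / x5t values copied from the posted jwks_uri document; n and x5c are
// omitted because only the identifiers matter for key selection.
const POSTED_JWKS = {
  keys: [
    { kty: 'RSA', use: 'sig', kid: '25F7F658CCA6626B4D57A4A1A329E220C23DAB7A', x5t: 'Jff2WMymYmtNV6ShoyniIMI9q3o' },
    { kty: 'RSA', use: 'sig', kid: '4145B66DEC637F7C76374E01848776C587D90222', x5t: 'QUW2bexjf3x2N04BhId2xYfZAiI' },
  ],
};

const diagnosis = diagnoseKeyLookup(SAMPLE_ID_TOKEN, POSTED_JWKS);
console.log(diagnosis);
```

Run under Node: `matchedKid` comes back `null` while `kidIsActuallyX5tOf` names the first key, which is exactly the situation described in the reply above. Once the OP puts that key's `kid` into the JOSE header instead of its certificate thumbprint, `matchedKid` is populated and the client has a key to verify against.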

spikyjt commented 5 years ago

@panva you are a gentleman and a scholar! Thanks for taking the time to help me through this.