panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Strange initial EVP_CIPHER_CTX_set_key_length:invalid key length error #158

Closed robtweed closed 5 years ago

robtweed commented 5 years ago

I'm getting a weird problem when authenticating against a provider that uses "token_endpoint_auth_method": "private_key_jwt". First time the client.authorizationCallback() is called, I get a crash reporting:

```
Unhandled Rejection at: Promise Promise {

{ Error: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
    at Sign.sign (crypto.js:331:26)
    at nodejs (/opt/qewd/node_modules/node-jose/lib/algorithms/rsassa.js:76:19)
    at main (/opt/qewd/node_modules/node-jose/lib/algorithms/helpers.js:110:42)
    at Object.exports.sign (/opt/qewd/node_modules/node-jose/lib/algorithms/index.js:82:10)
    at JWKBaseKeyObject.value (/opt/qewd/node_modules/node-jose/lib/jwk/basekey.js:470:25)
    at /opt/qewd/node_modules/node-jose/lib/jws/sign.js:143:21
    at Array.map ()
    at /opt/qewd/node_modules/node-jose/lib/jws/sign.js:119:21
    at
    at process._tickCallback (internal/process/next_tick.js:189:7)
```

Next and subsequent times I go through the authentication process of logging in, I don't get this error and I get authenticated and correctly redirected.

I've managed to trace it as far as somewhere between lines 951 - 959 in /lib/client.js - i.e. in the authFor() method. It gets successfully into the node-jose JWS.createSign() method, and each time that is called with the exact same arguments.

Any ideas what might be causing the error and why it only happens the first time? Happy to try further probes that you might suggest.

panva commented 5 years ago

@robtweed

Can you provide the private key with which this is happening? (obviously not the one you use).

Also a snippet of how you discover the issuer and instantiate the client.

Thank you.

robtweed commented 5 years ago

Many thanks - Can I send by private message?

panva commented 5 years ago

I'd prefer you share here, hence asking you not to provide your actual private key material.

robtweed commented 5 years ago

Tricky, since the problem is with the private key whose public key we're registered with on the OIDC Provider.

panva commented 5 years ago

Is the issue ONLY happening with that private key and not others? I'd really like you to provide steps to reproduce but if it helps send an email with a private gist that you can delete when we're done looking into this.

robtweed commented 5 years ago

The issuer configuration object is

```json
{
  "client_id": "",
  "client_secret": "",
  "token_endpoint_auth_method": "private_key_jwt",
  "token_endpoint_auth_signing_alg": "RS512",
  "token_endpoint_auth_signing_alg_values_supported": [ "RS512" ],
  "id_token_signed_response_alg": "RS512"
}
```

I had this working on their test OIDC Provider with the same private/public key pair

robtweed commented 5 years ago

client_id and client_secret nulled out - I do specify actual values :-)

panva commented 5 years ago

Do you recognize a difference between Issuer and Client configuration? What's the issuer and how do you instantiate? Discovery or manually? I really need more tangible and well-formatted input if I'm to help and not waste time :) Private material via email (see my github profile for address)

robtweed commented 5 years ago

After some further investigation, prompted indirectly by suggestions by @panva, it turned out to be due to me running on Node.js v8. Upgrading to Node.js v10 appears to have fixed the problem. I suspect the problem was due to some inconsistencies in the crypto module in Node.js v8.

Anyway, hopefully this will be a useful discovery should anyone else hit a similar problem.

Huge thanks to @panva for his invaluable help and this awesome module!