Closed verybox0 closed 4 years ago
Setting an expected id token signing alg is expected. No issue there.
But Yahoo's EC JWK in https://api.login.yahoo.com/openid/v1/certs is invalid; that's why the client can't use it. The client ignores the "import key" error as it should, and that's why the error says no valid key found in issuer's jwks_uri for key parameters.
Notice the EC JWK y property, notice the different length here compared to x, something's up with how they encode the coordinates. Not a client issue.
const j=require('jose')
> j.JWK.asKey({
... "kty": "EC",
... "alg": "ES256",
... "use": "sig",
... "crv": "P-256",
... "kid": "3466d51f7dd0c780565688c183921816c45889ad",
... "x": "cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I",
... "y": "AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y" // notice the different length here, something's up with how they encode the coordinates
... })
> Thrown:
> Error: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding
> at createPublicKey (internal/crypto/keys.js:321:10)
> at Object.asKey (/Users/panva/repo/ultimate-jose/lib/jwk/import.js:77:19) {
> opensslErrorStack: [
> 'error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error',
> 'error:100D708E:elliptic curve routines:eckey_pub_decode:decode error',
> 'error:10098010:elliptic curve routines:o2i_ECPublicKey:EC lib'
> ],
> library: 'elliptic curve routines',
> function: 'ec_GFp_simple_oct2point',
> reason: 'invalid encoding',
> code: 'ERR_OSSL_EC_INVALID_ENCODING'
> }
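As an added example (not code from the issue, jose, or node-openid-client), the following check decodes the JWK coordinates and flags the malformed one before any key import is attempted; the fixed-length rule comes from RFC 7518 section 6.2.1.2, and the key values are the ones quoted above.

```javascript
// Added example, not part of jose or node-openid-client. RFC 7518 requires
// the EC JWK "x" and "y" members to be the fixed-length big-endian field
// element, so for P-256 each must decode to exactly 32 bytes. Yahoo's "y"
// decodes to 33 bytes with a leading 0x00, which OpenSSL rejects as
// "invalid encoding".

const COORD_BYTES = { 'P-256': 32, 'P-384': 48, 'P-521': 66 };

// base64url decode without relying on Node's 'base64url' encoding name
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64');
}

// Returns { ok, lengths, problems } describing whether the coordinates are well-formed.
function checkEcJwkCoordinates(jwk) {
  const expected = COORD_BYTES[jwk.crv];
  if (jwk.kty !== 'EC' || expected === undefined) {
    return { ok: false, lengths: {}, problems: [`unsupported kty/crv ${jwk.kty}/${jwk.crv}`] };
  }
  const problems = [];
  const lengths = {};
  for (const name of ['x', 'y']) {
    const bytes = b64urlDecode(jwk[name] || '');
    lengths[name] = bytes.length;
    if (bytes.length !== expected) {
      let hint = '';
      if (bytes.length === expected + 1 && bytes[0] === 0) {
        hint = ' (leading 0x00: looks like a DER-style sign byte, not a fixed-length coordinate)';
      }
      problems.push(`${name} is ${bytes.length} bytes, expected ${expected}${hint}`);
    }
  }
  return { ok: problems.length === 0, lengths, problems };
}

// The key Yahoo published, values copied from the thread above.
const yahooJwk = {
  kty: 'EC', alg: 'ES256', use: 'sig', crv: 'P-256',
  kid: '3466d51f7dd0c780565688c183921816c45889ad',
  x: 'cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I',
  y: 'AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y',
};

console.log(JSON.stringify(checkEcJwkCoordinates(yahooJwk), null, 2));
```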
Thanks for the explanation, very clear and helpful.
I really like this extension.
Cheers
Bin
Filip Skokan notifications@github.com wrote on Sunday, 12 April 2020 at 12:15 AM:
In the Yahoo discovery URL => https://api.login.yahoo.com/.well-known/openid-configuration, it shows it supports both "ES256" and "RS256". Also, node-openid-client by default will use RS256; however, when Yahoo returns, it complains: unexpected JWT alg received, expected RS256, got: ES256
I also changed => id_token_signed_response_alg: "ES256" in the Client object; however, when Yahoo returns, I got: RPError: no valid key found in issuer's jwks_uri for key parameters {"kid":"3466d51f7dd0c780565688c183921816c45889ad","alg":"ES256"}
Only Yahoo has the issue; I tried Google and Microsoft, and they are both fine.