panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

no valid key found in issuer's jwks_uri for key parameters #277

Closed manudeep96 closed 4 years ago

manudeep96 commented 4 years ago

I am trying to use this with Azure AD as the IDP, following the Authorization Code Flow. Once I get back the auth code, the client.callback() method throws this error: "no valid key found in issuer's jwks_uri for key parameters {"kid":"","alg":"RS256"}"

The issuer object returned from Issuer.discover('https://login.microsoftonline.com/<my tenant id goes here (also tried with common)>/v2.0/.well-known/openid-')
gives: "jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys", which has different kids than the one mentioned in the error. I have no idea where the kid mentioned in the error is coming from.

To Reproduce

Issuer and Client configuration (secrets redacted):

// Issuer configuration (issuer.metadata): constructed by discovery
// Client configuration (client.metadata): constructed manually from the discovered issuer
const { Issuer, generators } = require('openid-client');

(async () => {
  const azureIssuer = await Issuer.discover('https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration');

  const client = new azureIssuer.Client({
    client_id: '<my client id>',
    client_secret: '<my client secret>',
    redirect_uris: ['<my https ngrok url>/callback'],
    response_types: ['code'],
  });

  // PKCE: verifier kept server-side, challenge sent with the authorization request
  const code_verifier = generators.codeVerifier();
  const code_challenge = generators.codeChallenge(code_verifier);

  const authorizationUrl = client.authorizationUrl({
    scope: 'openid email profile',
    // did not add a resource parameter.
    code_challenge,
    code_challenge_method: 'S256',
  });
})();

Steps to reproduce the behaviour:

  1. I followed the documentation at https://www.npmjs.com/package/openid-client
  2. Used https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration for discovery as my app uses azure as IDP
  3. After getting the auth code in the callback request, client.callback('<my redirect uri>/callback', params, { code_verifier }) throws the error: "no valid key found in issuer's jwks_uri for key parameters {"kid":"some kid different than the one in azure discovery endpoint","alg":"RS256"}"

Expected behaviour I expect the auth code to be exchanged for the token and the token to be validated without any errors.


panva commented 4 years ago

Please include the "kid" values and your tenant ID. Thank you.

panva commented 4 years ago

Also the id token values. You can get the jwt from the error object.

manudeep96 commented 4 years ago

RPError: no valid key found in issuer's jwks_uri for key parameters {"kid":"TduEWfDS_XG7693V9CSicOeRqbg","alg":"RS256"}

I got the same error with this common end-point. https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

panva commented 4 years ago

@manudeep96 if you're discovering https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration, which leads to https://login.microsoftonline.com/common/discovery/v2.0/keys, and get an ID Token with kid header parameter TduEWfDS_XG7693V9CSicOeRqbg, that's a problem you should raise with AAD. openid-client is doing all as it should: it looks at the JWT header, downloads the keys from a location that was discovered, attempts to look up one based on the JWT header, not found, throw. No bug in sight here.

manudeep96 commented 4 years ago

Thanks. That made me read some azure docs and I realized my app had custom signing keys as a result of the claims mapping feature and the discovery end point needed appid as a parameter for me to get the right jwks_uri.