Describe the bug
The openid-client bug is that any errors in the client.js jose.compactVerify function are not made visible or passed up the chain. The client throws a "failed to validate JWT signature" signature but doesn't include any more data on why. It's not clear how I would get that troubleshooting if not from inside openid-client. I think this area needs to be refactored: https://github.com/panva/node-openid-client/blob/10e3a37efe2635c4b21fba30f5646ef7cf2f4b95/lib/client.js#L1045
The error handling for that stanza should include data from the jose error, IMO. Maybe move the throw new RPError on L1055 up into that catch block?
To Reproduce
I was having a hard time troubleshooting why my authentication sessions were working with 4.9.1 and failing with anything newer. I realized that 5.0.0 updated the jose version, which had different tolerances for RSA key length. The dev suite I was working with had <2048 bit keys, and it was eventually resolved by updating the keys in the suite.
Expected behaviour
I worked around this by sneaking some logging into the library (at the catch line link above).
I'm not sure how else to get the troubleshooting data from jose (maybe it has a debug setting? Or somewhere outside of openid-client could somehow capture that data?). It would make more sense to report that back in the error, like other RPError statements in client.js do.
Environment:
openid-client version: 5.3.2
node version: 16.19.0
Additional context
[x] the bug is happening on latest openid-client too.
[x] I have searched the issues tracker on github for similar issues and couldn't find anything related.
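The error-swallowing pattern the issue describes, beside the "keep the jose error as the cause" variant it asks for, as an added example that is not openid-client's or jose's own code. The RPError class, the stand-in for jose.compactVerify, its error message and its error code are all constructed for this demo.

```javascript
// Added example, not openid-client or jose code. Node >= 16.9 supports
// the `cause` option on Error, which is what the fixed variant relies on.

class RPError extends Error {
  constructor(message, options) {
    super(message, options);
    this.name = 'RPError';
  }
}

// Constructed stand-in for jose.compactVerify (the real one is async;
// synchronous here to keep the demo small). It rejects a key whose RSA
// modulus is under 2048 bits, which is the failure the issue hit, and
// otherwise "verifies" when the signature segment matches the key id.
function fakeCompactVerify(jws, key) {
  if (key.modulusLength < 2048) {
    const err = new TypeError(
      `RSA modulus length must be at least 2048 bits (got ${key.modulusLength})`); // constructed message
    err.code = 'ERR_DEMO_KEY_UNSUPPORTED'; // constructed placeholder, not a real jose code
    throw err;
  }
  const [header, payload, signature] = jws.split('.');
  if (signature !== `sig-${key.kid}`) {
    const err = new Error('signature verification failed'); // constructed message
    err.code = 'ERR_DEMO_SIGNATURE_VERIFICATION_FAILED';  // constructed placeholder
    throw err;
  }
  return { protectedHeader: header, payload };
}

// The pattern the issue complains about: the catch discards the jose error,
// so the operator only ever sees the generic message.
function validateJwtLossy(jws, key) {
  try {
    return fakeCompactVerify(jws, key);
  } catch (err) {
    throw new RPError('failed to validate JWT signature');
  }
}

// The requested behaviour: surface the underlying reason in the message and
// keep the original error reachable as `cause` for logging and triage.
function validateJwtWithCause(jws, key) {
  try {
    return fakeCompactVerify(jws, key);
  } catch (err) {
    throw new RPError(`failed to validate JWT signature: ${err.message}`, { cause: err });
  }
}
```

With a constructed 1024-bit key, the lossy variant yields only "failed to validate JWT signature", while the second variant's message names the modulus length and `err.cause.code` carries the underlying code.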