pyfa-org / Pyfa

Python fitting assistant, cross-platform fitting tool for EVE Online
GNU General Public License v3.0

Can't add character: "The JWT signature was invalid: Invalid audience" #2421

Closed TomRichter closed 2 years ago

TomRichter commented 2 years ago

Bug Report

When adding a character in SSO Character Management, the process fails due to "invalid audience" in JWT.

This happens with a clean install of release v2.40.0, even after deleting all settings files. Used to work in older versions but not sure how far back since I've been AFK a few months.

Logs included below but seem useless for this. They only mention starting and stopping the internal web server -- nothing about which character was chosen or even receiving a failed attempt.

Local time zone is UTC-5.

Expected behavior:

Adding a character should complete with a success message in browser and a new or updated character in pyfa.

Actual behavior:

After logging into EVE SSO and picking a character, the browser displays the following error and no character is added:

pyfa

Error!

The JWT signature was invalid: Invalid audience

Detailed steps to reproduce:

  1. Uninstall pyfa and delete or rename %userprofile%/.pyfa to completely clear settings.
  2. Install pyfa 2.40.0 from GitHub Releases.
  3. In pyfa, click Character > Manage ESI Characters > Add Character.
  4. In the browser, log into EVE SSO and authorize a character.
  5. Note the browser displaying an error message about "invalid audience" (screenshot attached).
  6. Note pyfa is still waiting for a response from EVE SSO (screenshot attached).

Release or development git branch? Please note the release version or commit hash:

Downloaded from release branch via GitHub Releases.

pyfa Version v2.40.0 EVE Data Version: 2013787 (2022-03-08 16:11:05)

Operating system and version (eg: Windows 10, OS X 10.9, OS X 10.11, Ubuntu 16.10):

Other relevant information:

[2022-03-28 23:13:32.119585] INFO: __main__: Starting Pyfa
[2022-03-28 23:13:32.119585] INFO: __main__:
[2022-03-28 23:13:32.119585] INFO: __main__: Writing log file to: C:\Users\User\.pyfa\pyfa.log
[2022-03-28 23:13:32.119585] INFO: __main__: Running in a frozen state.
[2022-03-28 23:13:32.135588] INFO: eos.db: Initializing database
[2022-03-28 23:13:32.135588] INFO: eos.db: Gamedata connection: sqlite:///C:\Program Files\pyfa\eve.db?check_same_thread=False
[2022-03-28 23:13:32.135588] INFO: eos.db: Saveddata connection: sqlite:///C:\Users\User\.pyfa\saveddata.db?check_same_thread=False
[2022-03-28 23:13:32.135588] DEBUG: eos.db: Initializing gamedata
[2022-03-28 23:13:32.140590] DEBUG: eos.db: Getting gamedata version
[2022-03-28 23:13:32.143733] DEBUG: eos.db: Initializing saveddata
[2022-03-28 23:13:32.143733] DEBUG: eos.db: Importing gamedata DB scheme
[2022-03-28 23:13:32.219626] DEBUG: eos.db: Importing saveddata DB scheme
[2022-03-28 23:13:32.287623] DEBUG: eos.db: Importing gamedata queries
[2022-03-28 23:13:32.287623] DEBUG: eos.db: Importing saveddata queries
[2022-03-28 23:13:32.287623] DEBUG: service.prefetch: Run database migration.
[2022-03-28 23:13:32.298590] DEBUG: service.prefetch: Starting database validation.
[2022-03-28 23:13:32.298590] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for character skills.
[2022-03-28 23:13:32.299589] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for orphaned characters attached to fits.
[2022-03-28 23:13:32.302665] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for orphaned damage patterns attached to fits.
[2022-03-28 23:13:32.305587] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for missing damage pattern names.
[2022-03-28 23:13:32.307599] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for missing target resist names.
[2022-03-28 23:13:32.310586] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for orphaned drones items.
[2022-03-28 23:13:32.311585] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for orphaned cargo items.
[2022-03-28 23:13:32.313588] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for orphaned fighters items.
[2022-03-28 23:13:32.315590] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for orphaned modules items.
[2022-03-28 23:13:32.316590] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null damagePatterns values. (em)
[2022-03-28 23:13:32.317586] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null damagePatterns values. (thermal)
[2022-03-28 23:13:32.319590] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null damagePatterns values. (kinetic)
[2022-03-28 23:13:32.322593] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null damagePatterns values. (explosive)
[2022-03-28 23:13:32.324585] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null targetResists values. (em)
[2022-03-28 23:13:32.326627] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null targetResists values. (thermal)
[2022-03-28 23:13:32.327586] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null targetResists values. (kinetic)
[2022-03-28 23:13:32.328586] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for null targetResists values. (explosive)
[2022-03-28 23:13:32.330586] DEBUG: eos.db.saveddata.databaseRepair: Running database cleanup for duplicated selected ammo profiles.
[2022-03-28 23:13:32.332671] DEBUG: service.prefetch: Completed database validation.
[2022-03-28 23:13:32.345586] DEBUG: gui.app: Setting language to: en_US
[2022-03-28 23:13:33.800318] INFO: gui.bitmap_loader: Using local image files.
[2022-03-28 23:13:33.804495] DEBUG: gui.contextMenu: registering context menu class OpenFitInNewTab
[2022-03-28 23:13:33.805341] DEBUG: gui.contextMenu: registering context menu class AddBrowsedFits
[2022-03-28 23:13:33.808341] DEBUG: gui.contextMenu: registering context menu class AddCurrentlyOpenFit
[2022-03-28 23:13:33.808341] DEBUG: gui.contextMenu: registering context menu class AddEnvironmentEffect
[2022-03-28 23:13:33.969467] DEBUG: service.market: Initialize ShipBrowserWorkerThread.
[2022-03-28 23:13:34.187210] DEBUG: service.fit: Initialize Fit class
[2022-03-28 23:13:34.279859] DEBUG: service.fit: Getting fits with modules
[2022-03-28 23:13:34.282869] DEBUG: gui.contextMenu: registering context menu class AddCommandFit
[2022-03-28 23:13:34.283866] DEBUG: gui.contextMenu: registering context menu class TargetProfileAdder
[2022-03-28 23:13:34.284863] DEBUG: gui.contextMenu: registering context menu class ChangeShipTacticalMode
[2022-03-28 23:13:34.285864] DEBUG: gui.contextMenu: registering context menu class ChangeModuleAmmo
[2022-03-28 23:13:34.285864] DEBUG: gui.contextMenu: registering context menu class ChangeModuleSpool
[2022-03-28 23:13:34.285864] DEBUG: gui.contextMenu: registering context menu class BoosterSideEffects
[2022-03-28 23:13:34.286865] DEBUG: gui.contextMenu: registering context menu class FighterAbilities
[2022-03-28 23:13:34.286865] DEBUG: gui.contextMenu: registering context menu class TargetWrapperResists
[2022-03-28 23:13:34.288869] DEBUG: gui.contextMenu: registering context menu class TargetProfileEditorMenu
[2022-03-28 23:13:34.310855] DEBUG: gui.contextMenu: registering context menu class ItemStats
[2022-03-28 23:13:34.311862] DEBUG: gui.contextMenu: registering context menu class JumpToMarketItem
[2022-03-28 23:13:34.311862] DEBUG: gui.contextMenu: registering context menu class FitSystemSecurityMenu
[2022-03-28 23:13:34.312939] DEBUG: gui.contextMenu: registering context menu class JumpToShip
[2022-03-28 23:13:34.312955] DEBUG: gui.contextMenu: registering context menu class RemoveItem
[2022-03-28 23:13:34.312955] DEBUG: gui.contextMenu: registering context menu class ChangeItemAmount
[2022-03-28 23:13:34.313949] DEBUG: gui.contextMenu: registering context menu class ChangeItemProjectionRange
[2022-03-28 23:13:34.313949] DEBUG: gui.contextMenu: registering context menu class DroneSplitStack
[2022-03-28 23:13:34.314947] DEBUG: gui.contextMenu: registering context menu class ChangeItemToVariation
[2022-03-28 23:13:34.314947] DEBUG: gui.contextMenu: registering context menu class ChangeItemMutation
[2022-03-28 23:13:34.314947] DEBUG: gui.contextMenu: registering context menu class FillWithModule
[2022-03-28 23:13:34.402478] DEBUG: gui.contextMenu: registering context menu class ExportMutatedModule
[2022-03-28 23:13:34.402478] DEBUG: gui.contextMenu: registering context menu class ChangeAffectingSkills
[2022-03-28 23:13:34.403477] DEBUG: gui.contextMenu: registering context menu class FillWithItem
[2022-03-28 23:13:34.403477] DEBUG: gui.contextMenu: registering context menu class DroneAddStack
[2022-03-28 23:13:34.403477] DEBUG: gui.contextMenu: registering context menu class AddToCargo
[2022-03-28 23:13:34.404478] DEBUG: gui.contextMenu: registering context menu class AddToCargoAmmo
[2022-03-28 23:13:34.404478] DEBUG: gui.contextMenu: registering context menu class ProjectItem
[2022-03-28 23:13:34.404478] DEBUG: gui.contextMenu: registering context menu class AmmoToDmgPattern
[2022-03-28 23:13:34.407480] DEBUG: gui.contextMenu: registering context menu class ImplantSetApply
[2022-03-28 23:13:34.407480] DEBUG: gui.contextMenu: registering context menu class ImplantSetSave
[2022-03-28 23:13:34.407480] DEBUG: gui.contextMenu: registering context menu class DronesPrice
[2022-03-28 23:13:34.407480] DEBUG: gui.contextMenu: registering context menu class CargoPrice
[2022-03-28 23:13:34.407480] DEBUG: gui.contextMenu: registering context menu class ImplantBoosterPrice
[2022-03-28 23:13:34.408481] DEBUG: gui.contextMenu: registering context menu class ChangeDamagePattern
[2022-03-28 23:13:34.408481] DEBUG: gui.contextMenu: registering context menu class FactorReload
[2022-03-28 23:13:34.408481] DEBUG: gui.contextMenu: registering context menu class TargetProfileSwitcher
[2022-03-28 23:13:34.409478] DEBUG: gui.contextMenu: registering context menu class GraphDmgApplyProjectedMenu
[2022-03-28 23:13:34.409478] DEBUG: gui.contextMenu: registering context menu class GraphDmgIgnoreResistsMenu
[2022-03-28 23:13:34.409478] DEBUG: gui.contextMenu: registering context menu class GraphIgnoreLockRangeMenu
[2022-03-28 23:13:34.409478] DEBUG: gui.contextMenu: registering context menu class GraphIgnoreDcrMenu
[2022-03-28 23:13:34.410478] DEBUG: gui.contextMenu: registering context menu class GraphDmgDroneModeMenu
[2022-03-28 23:13:34.410478] DEBUG: gui.contextMenu: registering context menu class AdditionsExportAll
[2022-03-28 23:13:34.410478] DEBUG: gui.contextMenu: registering context menu class AdditionsExportAll
[2022-03-28 23:13:34.411480] DEBUG: gui.contextMenu: registering context menu class AdditionsImport
[2022-03-28 23:13:34.471478] DEBUG: gui.statsPane: Setting full view for: resources
[2022-03-28 23:13:34.471478] DEBUG: gui.statsPane: Setting full view for: resistances
[2022-03-28 23:13:34.471478] DEBUG: gui.statsPane: Setting full view for: recharge
[2022-03-28 23:13:34.471478] DEBUG: gui.statsPane: Setting full view for: firepower
[2022-03-28 23:13:34.472477] DEBUG: gui.statsPane: Setting full view for: outgoing
[2022-03-28 23:13:34.472477] DEBUG: gui.statsPane: Setting full view for: capacitor
[2022-03-28 23:13:34.472477] DEBUG: gui.statsPane: Setting minimal view for: targetingMisc
[2022-03-28 23:13:34.472477] DEBUG: gui.statsPane: Setting full view for: price
[2022-03-28 23:13:34.514494] DEBUG: gui.mainFrame: Done loading mainframe imports
[2022-03-28 23:13:34.515493] DEBUG: gui.mainFrame: Initialize MainFrame
[2022-03-28 23:13:35.161462] DEBUG: gui.marketBrowser: Initialize marketBrowser
[2022-03-28 23:13:35.175436] DEBUG: gui.builtinMarketBrowser.marketTree: Initialize marketTree
[2022-03-28 23:13:35.229521] DEBUG: gui.builtinMarketBrowser.itemView: Initialize ItemView
[2022-03-28 23:13:35.275549] DEBUG: gui.shipBrowser: Populate ship category list.
[2022-03-28 23:13:35.678218] DEBUG: service.fit: Changing character (1) for fit ID: None
[2022-03-28 23:13:35.708217] DEBUG: gui.statsPane: Load view: resourcesViewFull
[2022-03-28 23:13:35.917520] DEBUG: gui.statsPane: Load view: resistancesViewFull
[2022-03-28 23:13:36.018856] DEBUG: gui.statsPane: Load view: rechargeViewFull
[2022-03-28 23:13:36.096228] DEBUG: gui.statsPane: Load view: firepowerViewFull
[2022-03-28 23:13:36.142280] DEBUG: gui.statsPane: Load view: outgoingViewFull
[2022-03-28 23:13:36.178256] DEBUG: gui.statsPane: Load view: capacitorViewFull
[2022-03-28 23:13:36.215424] DEBUG: gui.statsPane: Load view: targetingMiscViewMinimal
[2022-03-28 23:13:36.279328] DEBUG: gui.statsPane: Load view: priceViewFull
[2022-03-28 23:13:36.335780] DEBUG: gui.mainMenuBar: Initialize MainMenuBar
[2022-03-28 23:13:36.588884] DEBUG: service.update: Starting Check Update Thread.
[2022-03-28 23:14:27.532690] INFO: service.settings: using "lang" to fetch languages, relatively base path "C:\Program Files\pyfa"
[2022-03-28 23:15:05.254205] DEBUG: service.esi: Starting server
[2022-03-28 23:15:14.295744] DEBUG: service.esi: Stopping Server
[2022-03-28 23:15:14.296738] WARNING: service.server: Setting pyfa server to stop.
[2022-03-28 23:15:16.829463] INFO: service.settings: using "lang" to fetch languages, relatively base path "C:\Program Files\pyfa"
[2022-03-28 23:15:19.868698] CRITICAL: gui.builtinPreferenceViews.pyfaLoggingPreferences: Dump log button was pressed. Writing all logs to log file.
shapesinaframe commented 2 years ago

+1 (on MacOS 12.3 (21E230))

TomRichter commented 2 years ago

Looks like it's due to an unannounced change from today, via #sso in Tweetfleet Slack:

Eingang Vulpine

@CCP Ghostrider JWT Validation Broken It looks like you guys might have changed something this afternoon. Anyone that has applications that validate JWTs as part of the auth flow is failing to authenticate with errors like "The JWT signature was invalid: Invalid audience". My logs are clogged with these errors starting at 16:00 GMT, but anecdotal evidence suggests it started earlier than that, but was still fine around 10:30 GMT this morning. Applications that don't do the right thing by validating the JWT work fine for logging in via the SSO.

CCP Ghostrider

We added the “aud” claim (it wasn’t there before). Either set the expected aud value to “EVE Online” or disable audience validation. Adding claims isn’t a breaking change.

Erik Kalkolken :nerd_face:

Yes, adding new claim in general is not a breaking change, but going from not using aud to using aud is a breaking change.

e.g. your code example for verifying JWTs will no longer work, because you need to specify the aud value: https://github.com/esi/esi-docs/blob/master/examples/python/sso/validate_jwt.py#L52

CCP Ghostrider

Then why did it work without one? Either it should try to validate the aud claim or not, and if so, error if it's missing instead of just skipping it?

Hiro Logos

From the JWT spec https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.

So anyone not specifying an "aud" when validating the JWT, if they're following the spec, MUST reject all JWTs. And since no one could have known what value to expect ahead of time, it is a breaking change.

Golden Gnu

Yes, everyone who is correctly validating the JWT is now rejecting all tokens, so, while it's possible to ignore aud, had it been announced in advance, that is not something anyone could have guessed they needed to do, without prior notice.
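The RFC 7519 rule quoted above is the whole bug: a verifier that was never told its own audience value cannot identify itself in an "aud" claim, so the moment the SSO started emitting one, every spec-compliant verifier had to reject every token. The following is an added example written for this page, not pyfa's code and not the esi-docs script; it replays the three situations from the thread with a minimal, dependency-free verifier. It assumes HS256 with a constructed shared secret (the real SSO signs with RS256 and publishes its keys in a JWKS document), a constructed subject value, and the audience string "EVE Online" that CCP Ghostrider gave. The function names make_token, verify_token and demo are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. The real EVE SSO signs with RS256 and publishes public keys
# in a JWKS document; HS256 with a shared secret is used only so this runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
# Audience value CCP Ghostrider gave in the Slack thread quoted above.
EXPECTED_AUDIENCE = "EVE Online"


class InvalidAudience(Exception):
    """Token's 'aud' claim does not name this verifier (RFC 7519 section 4.1.3)."""


class InvalidToken(Exception):
    """Malformed token, bad signature, unsupported algorithm or expired token."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed JWT from a claims dict (constructed test data only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, expected_audience=None, require_aud=False,
                 secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check signature and expiry, then apply the RFC 7519 audience rules.

    expected_audience: the value this application identifies itself with, or None when
        the verifier was never told what to expect (the old esi-docs example's state).
    require_aud: also reject tokens that omit 'aud' entirely (the stricter behaviour
        CCP Ghostrider asked about).
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("token must have exactly three dot-separated segments")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token header choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unsupported alg {header.get('alg')!r}")

    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")

    claims = json.loads(_b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")

    aud = claims.get("aud")
    if aud is None:
        # 'aud' is OPTIONAL in RFC 7519, so a lenient verifier accepts its absence.
        if require_aud:
            raise InvalidAudience("aud claim missing")
        return claims
    # When present, 'aud' is a string or an array of strings and the verifier MUST
    # find its own identity among the values or reject the token.
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience is None or expected_audience not in audiences:
        raise InvalidAudience("Invalid audience")
    return claims


def demo(now: float = 1_648_507_200.0) -> dict:
    """Replay the situations from the issue; 'now' is a constructed timestamp."""
    base = {"sub": "constructed-subject", "exp": now + 1200}
    old_token = make_token(base)                             # before the change: no aud
    new_token = make_token({**base, "aud": ["EVE Online"]})  # after the change

    def outcome(token, **kwargs):
        try:
            verify_token(token, now=now, **kwargs)
            return "accepted"
        except InvalidAudience as exc:
            return f"rejected: {exc}"

    return {
        # Verifier with no configured audience, as the esi-docs example was:
        "old_token_no_expectation": outcome(old_token),
        "new_token_no_expectation": outcome(new_token),
        # Verifier configured with the audience CCP named:
        "new_token_expects_eve_online": outcome(new_token, expected_audience=EXPECTED_AUDIENCE),
        # Stricter variant that also refuses tokens without any 'aud':
        "old_token_strict": outcome(old_token, expected_audience=EXPECTED_AUDIENCE, require_aud=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "new_token_no_expectation" case is the one pyfa 2.40.0 hit: the signature is fine, the token is well formed, and rejection comes purely from the audience rule. The fix on the verifying side is the one CCP named, configuring the expected audience, rather than switching audience checking off, since an application that skips the check will accept tokens minted for a different recipient.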

ghost commented 2 years ago

CCP has updated their example for handling the "aud" claim. https://github.com/esi/esi-docs/pull/69