trifork / klg-docs

Public documentation for Gateway

[(main)] update public key for client:systematic-columna-cura-test #50

Closed CuraDevelopment closed 1 year ago

ohetrifork commented 1 year ago

Any preferred installation date? Or just as soon as possible?

CuraDevelopment commented 1 year ago

We would like it as soon as possible please, as we cannot currently test our integration with gateway.

ohetrifork commented 1 year ago

All right, I'll put it into the pipeline for the next deployment. It will probably be handled by the change board on Tuesday 16/5.

ohetrifork commented 1 year ago

The deployment will happen on Monday 22/5 at 10-11 o'clock

CuraDevelopment commented 1 year ago

Any updates on this?

ohetrifork commented 1 year ago

Yes, I forgot to update this issue yesterday. The change was performed yesterday 10-11.

ohetrifork commented 1 year ago

The previous public key in this merge request was actually released on May 22, but for some reason I didn't merge this branch. I can see you have committed a new public key - would you like to have that activated on the test environment?

CuraDevelopment commented 1 year ago

We would like it as soon as possible please.

ohetrifork commented 1 year ago

I'll bring the update to a pre-cab meeting next Tuesday and schedule the deployment for 5. October 8.00-9.00

ohetrifork commented 1 year ago

@CuraDevelopment will you be able to verify the public key update tomorrow? It will be installed between 8 and 9 in the morning

ohetrifork commented 1 year ago

@CuraDevelopment the change is now complete. Is it possible for you to verify?

CuraDevelopment commented 1 year ago

@ohetrifork Sorry for the late response, but we tested this only on Friday and got the following error "Client authentication with signed JWT failed: Signature on JWT token failed validation" when calling https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token. Could you please double check that everything is fine on your end? (request time stamp 2023-10-06 14:37:28.213)

ohetrifork commented 1 year ago

@nigtrifork Do you see a reason why Systematic would be getting the above error? Could there be a new certificate on the Kombit STS?

ohetrifork commented 12 months ago

@CuraDevelopment could you paste your JWT here? Looks like certificates are ok on KL-Gateway

nigtrifork commented 12 months ago

@CuraDevelopment could you also verify that you have updated the kid claim value according to https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2187362305/SAML+Assertion+to+JWT+Exchange#Obtaining-the-kid-from-a-Public-key

CuraDevelopment commented 12 months ago

JWT seems to be fine: eyJraWQiOiJoVU1DbmhBLTVuaEwtc2N0Qkh6WnpQX2o5V3lNeUNsNnBsSlEzbVBwRjFrIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzeXN0ZW1hdGljLWNvbHVtbmEtY3VyYS10ZXN0IiwiYXVkIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgvcHJvdG9jb2wvb3BlbmlkLWNvbm5lY3QvdG9rZW4iLCJuYmYiOjE2OTcxMDIwMTUsImlzcyI6InN5c3RlbWF0aWMtY29sdW1uYS1jdXJhLXRlc3QiLCJleHAiOjE2OTcxMDIzMTUsImlhdCI6MTY5NzEwMjAxNSwianRpIjoiNWJiOWIzMjUtOWYzOS00Njg4LTllMzktY2RlNWEwOThhNjhjIn0.kf7IStytAx_MeV8w2iseFiKXTPzxn5hp-hFqJCyOW7iAsR0D6tOcptvxR78lcpy2J7bDpxGMRSeE5S_4rKJYozYZH1uWKVa-EIQPvlMkq8yj8vkiJHAXWQa1OpGxsDUGzCQK9pyPAi_ZeUrKAGXtp-Fq7PQGPA9lqyv4aV1K27yrE5sI25hy80WFMprvtKPp3MHNUcx7hncIxD_Hl5sQMhPwCK6DDIApqRo5teLF19HviCe_t5cSVHUQzr2MS9mhA8JQ3NikFN4GtZ4AWalkXgDpB-R6HKD_ERnPi0-RciM_V_TLtNrf_XmUb8lz-TVCb_nP1gF6ZnUuv2AhVqe8mwWdENSFctOH8oIBSa-VSCeGRC-sd-uIc4dnzG7IPS7fLd1C2_dWiTVw-vgRkpnZzwfkXdjMrCiciPwrAG4rqdn_utoNszGxpAMc4VaZ2pMVPOhJucR8hGMUFbAe6nVMPjYW1RqXIHXHTqOVou7fPu8vvTXmZQ0h3LI10ceAPAZU

In regards to the kid update - it is calculated by code from the public key and this is working the same way as for the previous public key upgrade.

CuraDevelopment commented 11 months ago

Any updates on this? It is becoming critical on our end.

nigtrifork commented 11 months ago

@CuraDevelopment The signature in the JWT example cannot be verified by the provided public key. This is why it is rejected.

You can check this by pasting the JWT and public key here: https://jwt.io/

nigtrifork commented 11 months ago

Here's a valid example: valid jwt

And the one provided: provided jwt
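Added example, not part of the original thread and not code from either party: the same signature check done offline with Node.js's built-in `crypto` module, plus a direct comparison of the registered public key with the one derived from the signing private key. The key pairs, claim values and function names are constructed for illustration.

```javascript
// Added example: offline check that an RS256 client-assertion JWT verifies
// against the public key submitted for registration. All data is constructed.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Sign a JWT with RS256 (RSASSA-PKCS1-v1_5 + SHA-256), as the client would.
function signRs256(header, claims, privateKey) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Verify the signature against a PEM public key; the algorithm is pinned to RS256.
function verifyRs256(jwt, publicKeyPem) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS' };
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'unreadable header' }; }
  if (header.alg !== 'RS256') return { ok: false, reason: `unexpected alg ${header.alg}` };
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKeyPem, Buffer.from(parts[2], 'base64url'));
  return ok ? { ok, kid: header.kid } : { ok, reason: 'signature does not match key' };
}

// Does the registered public key belong to the private key used for signing?
function keyMatches(privateKey, publicKeyPem) {
  const der = (k) => k.export({ type: 'spki', format: 'der' });
  return der(crypto.createPublicKey(privateKey))
    .equals(der(crypto.createPublicKey(publicKeyPem)));
}

// Constructed data: two unrelated key pairs and a minimal claim set.
const newPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const signing = newPair();
const unrelated = newPair();
const pem = (k) => k.export({ type: 'spki', format: 'pem' });
const now = Math.floor(Date.now() / 1000);
const jwt = signRs256({ kid: 'example-kid', typ: 'JWT', alg: 'RS256' },
  { iss: 'example-client', sub: 'example-client', iat: now, exp: now + 300 },
  signing.privateKey);

console.log(verifyRs256(jwt, pem(signing.publicKey)));   // matching key
console.log(verifyRs256(jwt, pem(unrelated.publicKey))); // wrong key registered
console.log(keyMatches(signing.privateKey, pem(unrelated.publicKey)));
```

Running `keyMatches` against the key file before submitting it for registration catches a mismatched key pair without waiting for a deployment window.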

CuraDevelopment commented 11 months ago

My bad. I've created a new pull request with an updated public key. Could you please accept this on your end? https://github.com/trifork/klg-docs/pull/52

ohetrifork commented 11 months ago

We are not allowed to make certificate updates without following a change process, but we have a deployment scheduled for Thursday 19/10, where we can include the new key. That deployment, however, disables the service security - but as your issue is with the token exchange, that is before actually calling the service, so you should be able to move a step forward. I will give you a heads up when the new key is installed on Thursday

ohetrifork commented 11 months ago

@CuraDevelopment the new public key is now active.