Describe the issue:
Following improvement [1], the JWKS endpoint now returns the x5c value. Because x5c is present in the JWKS response, libraries processing JWTs can compute the x5t value for each key in the response and identify the signing key by checking whether that value matches the x5t in the JWT header.
The x5t value currently generated by the Identity Server is incorrect because of an additional hexify step [2]. This hexify step is wrong and was already fixed for the x5t#S256 value in the JWKS response through issue [3]; however, it has not been fixed for x5t generation in the JWT token generation flows (JWT access token and ID token).
Because the x5t value generated by the Identity Server is incorrect and not as per the specification [4], these libraries cannot find the corresponding key from the JWKS endpoint when they try to validate the JWT [5].
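As an added example (not WSO2 Identity Server or jose4j code), the following Python compares the x5t thumbprint RFC 7515 prescribes (base64url of the raw SHA-1 digest of the DER certificate) with the hexified variant this issue describes (base64url of the digest's hex string), and shows why a consumer that thumbprints the x5c leaf certificate can never match a hexified header value. The certificate bytes and the kid are constructed stand-ins; the ISSUE_X5T constant is the header value from the error output above.

```python
"""x5t thumbprints: RFC 7515 vs. the 'hexified' variant described in this issue.

Added example for illustration; this is not WSO2 Identity Server or jose4j code.
CERT_DER below is a constructed stand-in byte string, not a real X.509 certificate:
the thumbprint rules hash the DER bytes, so any bytes show the encoding difference.
"""
import base64
import hashlib
import string
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the base64 decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_per_spec(cert_der: bytes) -> str:
    """RFC 7515 section 4.1.7: base64url of the raw 20-byte SHA-1 digest of the DER."""
    return b64url_encode(hashlib.sha1(cert_der).digest())


def x5t_s256_per_spec(cert_der: bytes) -> str:
    """RFC 7515 section 4.1.8: base64url of the raw 32-byte SHA-256 digest of the DER."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def x5t_hexified(cert_der: bytes) -> str:
    """The defect this issue describes: the digest is rendered as a 40-character hex
    string first, and that ASCII text is base64url-encoded instead of the digest."""
    return b64url_encode(hashlib.sha1(cert_der).hexdigest().encode("ascii"))


def classify_x5t(x5t: str) -> str:
    """Tell a conformant x5t from a hexified one by what it decodes to."""
    raw = b64url_decode(x5t)
    if len(raw) == 20:
        return "sha1-digest"
    if len(raw) == 40 and all(chr(b) in string.hexdigits for b in raw):
        return "hexified-sha1"
    return "unknown"


def build_jwks(cert_der: bytes, kid: str) -> dict:
    """Minimal JWKS entry carrying the certificate chain; x5c members use
    standard (not URL-safe) base64 per RFC 7517 section 4.7. Other key
    parameters are omitted because thumbprint matching does not need them."""
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "x5c": [base64.b64encode(cert_der).decode("ascii")]}]}


def find_key_by_x5t(jwks: dict, jws_header: dict) -> Optional[dict]:
    """Key resolution in the style of a JOSE consumer: thumbprint each key's leaf
    certificate from x5c and keep the one equal to the header's x5t. A hexified
    x5t never equals a spec-computed thumbprint, so resolution fails."""
    wanted = jws_header.get("x5t")
    for jwk in jwks["keys"]:
        chain = jwk.get("x5c")
        if not chain:
            continue
        leaf_der = base64.b64decode(chain[0])
        if x5t_per_spec(leaf_der) == wanted:
            return jwk
    return None


# Constructed stand-in for a DER-encoded certificate (not a real certificate).
CERT_DER = bytes(range(256)) * 4
# x5t header value copied from the jose4j error output in this issue.
ISSUE_X5T = "YjM4MjUxOTU5NjEyM2JjMWU0ZDkxZDBiMWM5ZGRhNjc0NTZiNGY5MQ"


def demo() -> dict:
    """Spec-conformant x5t resolves against the JWKS; the hexified one does not."""
    jwks = build_jwks(CERT_DER, kid="example-kid")  # kid is a constructed value
    return {
        "spec_resolves": find_key_by_x5t(jwks, {"x5t": x5t_per_spec(CERT_DER)}) is not None,
        "hexified_resolves": find_key_by_x5t(jwks, {"x5t": x5t_hexified(CERT_DER)}) is not None,
        "issue_header_kind": classify_x5t(ISSUE_X5T),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Decoding the x5t from the error output yields 40 ASCII hex characters rather than a 20-byte digest, which is the fingerprint of the hexify step; a conformant value decodes to exactly 20 bytes for x5t and 32 bytes for x5t#S256.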
How to reproduce:
Set up an OAuth2 service provider that issues JWT access tokens (an ID token can also be used).
Validate the JWT using the jose4j library [6].
The following error is observed:
org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"x5t":"YjM4MjUxOTU5NjEyM2JjMWU0ZDkxZDBiMWM5ZGRhNjc0NTZiNGY5MQ","kid":"M2FmMWI2Y2ZmNDdjYTQ4MDY1ZTM2NmRmMjZkYmU1MGQxZWFkN2FiNmRlZWY5NDY0MDY4NjI5MjhkZjgxYmY2NQ_RS256","alg":"RS256"} from JWKs [org.jose4j.jwk.RsaJsonWebKey{kty=RSA, kid=M2FmMWI2Y2ZmNDdjYTQ4MDY1ZTM2NmRmMjZkYmU1MGQxZWFkN2FiNmRlZWY5NDY0MDY4NjI5MjhkZjgxYmY2NQ_RS256, use=sig, alg=RS256, n=jDA6imwZ5hJc-5PnzJG22WNf6Q8YFtS36CCzncne1G_JyuW4gwY8ZLjkXhwy7EpWbCxy8_GwooiRGaNxYdWisdPxMw8Zc49rdpel4f7QirTsag76JLjMUcX15I9r5I5DsLY8xADz7DS6N_xm8BClki4fQ4R4aqtAoYA35t02JHvoAfdYug1NwUiZ6F9pDmNybTDKt4cA6wCgXE3dOdns6HFU5M54pgU_wscFf6UduuTkif4L_rd5UkloyLfI387JifEADweQdcsrbHXXaw0E_GRUriyIIdiB_R2PP_2Aj9eA1_PTap_SUgbn6c_qPwzJG7w2ahw3Dxr69gkuTUWEoQ, e=AQAB, x5c=[...]}] obtained from https://localhost:9443/t/tenant1.com/oauth2/jwks):
JsonWebSignature{"x5t":"YjM4MjUxOTU5NjEyM2JjMWU0ZDkxZDBiMWM5ZGRhNjc0NTZiNGY5MQ","kid":"M2FmMWI2Y2ZmNDdjYTQ4MDY1ZTM2NmRmMjZkYmU1MGQxZWFkN2FiNmRlZWY5NDY0MDY4NjI5MjhkZjgxYmY2NQ_RS256","alg":"RS256"}->eyJ4NXQiOiJZak00TWpVeE9UVTVOakV5TTJKak1XVTBaRGt4WkRCaU1XTTVaR1JoTmpjME5UWmlOR1k1TVEiLCJraWQiOiJNMkZtTVdJMlkyWm1ORGRqWVRRNE1EWTFaVE0yTm1SbU1qWmtZbVUxTUdReFpXRmtOMkZpTm1SbFpXWTVORFkwTURZNE5qSTVNamhrWmpneFltWTJOUV9SUzI1NiIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImF1dCI6IkFQUExJQ0FUSU9OX1VTRVIiLCJhdWQiOiJMSW83QkkwTVFHWmcydHMzNkJ0VTM0M2J1dG9hIiwibmJmIjoxNzA5MDI5NzgyLCJhenAiOiJMSW83QkkwTVFHWmcydHMzNkJ0VTM0M2J1dG9hIiwic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE3MDkwMzMzODIsImlhdCI6MTcwOTAyOTc4MiwianRpIjoiOGRhZDRkNWYtNzdlOS00ZTJlLTljM2EtZmJiYmM2ZDg0OWYwIn0.fFSrxctNcfeFXKGOhKIhUpQHKvRHI1zuiq1br2RFsf82ZzqG9XjYoiI4YlIwtdLQ7B5Nim4g3InXj5pwhYyShv029rYK5kmZ7NztYYGEh5-dpI5fkZfXAOvCBPXPa-52SQekRFJ2vYrtbA_nzjepsMheaTVvSnObfsGvxsv7_6CKgv1ciVHsowzqDttmOEkeCxwQNgTTg9EH4Z-gWBGvmxa1T-sa9-mriNN985jBjTVwFd68QsJHHXCCLMrv2PVo-e0u8IbDLLbIiEB8OobQYvvRYObFnA71Y8qn-M5SNJry_u7p-PQJoGJlimQihiby1rzD8eBuDCuJX97hbpElCg]
Expected behavior:
It should be possible to validate the JWT token issued by the server with its JWKS response.
Environment information (Please complete the following information; remove any unnecessary fields):
[1] https://github.com/wso2/product-is/issues/6686
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/3c36fc4bb338b8373099b80ab87fa0bdc07ea0f7/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L3279
[3] https://github.com/wso2/product-is/issues/18817
[4] https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.7
[5] https://bitbucket.org/b_c/jose4j/src/a3a21a6c3169e2fea87153a4fad53896f953abf2/src/main/java/org/jose4j/jwk/SimpleJwkFilter.java#lines-108
[6] https://bitbucket.org/b_c/jose4j/wiki/Home