This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

No key matching kid found in signing keys #264

Closed
cornelius-agrippa opened this issue Feb 10, 2017 · 9 comments
Comments

cornelius-agrippa commented Feb 10, 2017

Hello,

I'm trying to sign in to an OIDC server based on MITREid Connect; however, when I try to make a signinRedirect() using oidc-client-js, I get the error "No key matching kid found in signing keys".

I'm quite new to OIDC at the moment, so I'm not sure if I'm missing some configuration. My sign-in flow is written like this:

I've defined the UserManager globally like so:

var oidcSettings = {
  authority: 'http://<OIDC SERVER>/oidc',
  client_id: '<id defined in OIDC SERVER>',
  redirect_uri: 'http://localhost:3000/callback.html',
  post_logout_redirect_uri: 'http://localhost:3000/auth.html',
  response_type: 'id_token token',
  scope: 'openid profile email address phone'
};

var oidcMgr = new Oidc.UserManager(oidcSettings);

When the user clicks "Sign In", I simply do:

$('#button-signin').click(function() {
	oidcMgr.signinRedirect();
})

And send the user to callback.html, which does:

oidcMgr.signinRedirectCallback().then(function () {
	window.location = "index.html";
}).catch(function (e) {
	console.error(e);
	localStorage.setItem("sessionError", e);
});

And here I get the error I've mentioned.

What am I missing? Could I have missed some configuration on the OIDC server's side?

Thanks in advance for any help,
Best Regards

brockallen (Member) commented Feb 10, 2017

Can you show an id_token and their metadata URL? Also, what version of the oidc-client are you using?

cornelius-agrippa (Author) commented Feb 10, 2017

Hello,

I was using an older version provided by bower package manager. I updated it to the latest release provided here, and the error message is a bit more detailed: Error: No key matching kid or alg found in signing keys.

One of the ID tokens was: eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiYkRxYktHMjZhZ1p4S2YxTXdsZ2FyQSIsInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwiYXVkIjoiOGNmZDgxMWItZTczYy00NDliLTllZjEtNzk2MWMxYTk4YWUwIiwiYXV0aF90aW1lIjoxNDg2NzQ2ODI5LCJraWQiOiJyc2ExIiwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4Njc0NzQ2MSwiaWF0IjoxNDg2NzQ2ODYxLCJub25jZSI6ImFjZDQxN2E4N2MwZjQzN2ZiOTYxMzRmNGU1MDU3MmU1IiwianRpIjoiMDVmY2MyZWEtNzc4Ni00N2JlLWI0MGItNjI2MTA0YWU4Zjc0In0.jMfUDmP_6qm3b60A-5le-klJgwlBv6YtVmIY2u41xqk4uJmnjlKWaTiq5UZavEMhupqTEm4Ru82BWdV9B8GrRlP4NbDQMm-pFULfSdLJQpxWHs-utx1QDp4CDSEJ9zFD5s6sAiXBEp9gy8WyCvpRbv9cl4c4p0MmFllIP1nziRyTrstjEmunsu2ckhJLM4_YZ_uQg_H5tP_8VOJlJ7s-oHPrF-sENCQwQy6-76xvRCCVZcA28hJM3e825e44C1lRjv0YQAwL7DmYedwzJLJQKgHHcKbOhcQq6mWdtjL_7jRPNwtnpO_DPba-3sFgdcG3BoSvcZrcsJyk2KvZTdYVLQ

Pardon my ignorance, but what do you mean by metadata URL? When I query the http://(OIDC SERVER)/jwk endpoint (JSON Web Key Set (public key)), it returns:

{"keys":[{
    "kty":"RSA",
    "e":"AQAB",
    "kid":"rsa1",
    "alg":"RS256",
    "n":"qt6yOiI_wCoCVlGO0MySsez0VkSqhPvDl3rfabOslx35mYEO-n4ABfIT5Gn2zN-CeIcOZ5ugAXvIIRWv5H55-tzjFazi5IKkOIMCiz5__MtsdxKCqGlZu2zt-BLpqTOAPiflNPpM3RUAlxKAhnYEqNha6-allPnFQupnW_eTYoyuzuedT7dSp90ry0ZcQDimntXWeaSbrYKCj9Rr9W1jn2uTowUuXaScKXTCjAmJVnsD75JNzQfa8DweklTyWQF-Y5Ky039I0VIu-0CIGhXY48GAFe2EFb8VpNhf07DP63p138RWQ1d3KPEM9mYJVpQC68j3wzDQYSljpLf9by7TGw"
}]}

Is this what you mean?

What could be wrong? Is it not interpreting signing key algorithm, or is it using an unsupported one?

brockallen (Member) commented

Well, the id_token has a kid and that seems to match what's in the keys. Do you mind debugging through the code to find where the validation seems to fail and decide the key doesn't match?

brockallen (Member) commented

Oh, I bet it's because there's no "use":"sig" in the keys... I've been meaning to fix that. I'll fix it and update npm. Please hold.

brockallen (Member) commented

Ok, I pushed oidc-client@1.3.0-beta.3 to npm. Please try again.

brockallen added the bug label Feb 10, 2017

cornelius-agrippa (Author) commented

Ah, indeed that fixed it! Thank you very much.

brockallen added this to the 1.3.0 milestone Feb 13, 2017

blocka commented Apr 28, 2017

I'm having an issue now. My OIDC server (Anvil Connect https://github.com/anvilresearch/connect) does not return a kid, but does have a use key. It is choking on me as it can't figure out which key is for signing.

brockallen (Member) commented

@blocka, open a new issue if you think there's a need to make a change here to accommodate your situation.
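
To make the key-selection rule under discussion concrete, here is an added example (not oidc-client-js's own code) that decodes the header of the id_token posted above and picks a key from a JWKS under two rules: requiring "use":"sig" (which fails against the MITREid JWKS, whose key has no "use" member) and treating a missing "use" as a signing key (also covering the no-kid shape blocka describes). It assumes Node.js; the RSA moduli are elided and the JWT's payload and signature segments are placeholders.

```javascript
// Added example (not oidc-client-js's own code): the JWKS key-selection step
// behind "No key matching kid ... found in signing keys". Assumes Node.js.
const KTY_FOR_ALG = { RS256: "RSA", RS384: "RSA", RS512: "RSA",
                      PS256: "RSA", ES256: "EC", ES384: "EC" };

// Decode the JOSE header (first segment) of a compact-serialized JWT.
function decodeJwtHeader(jwt) {
  const b64 = jwt.split(".")[0].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Choose the verification key. requireUse=true admits only "use":"sig" keys,
// which rejects the MITREid JWKS from this thread (its key has no "use").
// requireUse=false accepts a missing "use" (RFC 7517 makes it OPTIONAL) but
// still excludes keys explicitly marked "use":"enc".
function selectSigningKey(jwks, header, requireUse) {
  let keys = jwks.keys.filter(k =>
    requireUse ? k.use === "sig" : (k.use === undefined || k.use === "sig"));
  if (header.kid !== undefined) {
    keys = keys.filter(k => k.kid === header.kid);
    if (keys.length === 0) throw new Error("No key matching kid found in signing keys");
    if (keys.length === 1) return keys[0];
  }
  // No kid in the header (or several keys share it): narrow by algorithm family.
  keys = keys.filter(k => (k.alg === undefined || k.alg === header.alg) &&
                          k.kty === KTY_FOR_ALG[header.alg]);
  if (keys.length === 0) throw new Error("No key matching kid or alg found in signing keys");
  if (keys.length > 1) throw new Error("Ambiguous signing key: several candidates and no kid");
  return keys[0];
}

// Constructed inputs: the header segment of the id_token posted in this thread
// (payload/signature replaced by placeholders), the MITREid JWKS with its
// modulus elided, and a JWKS with "use" but no "kid" as blocka describes.
const SAMPLE_JWT = "eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.e30.placeholder";
const MITREID_JWKS = { keys: [{ kty: "RSA", e: "AQAB", kid: "rsa1", alg: "RS256", n: "<elided>" }] };
const NO_KID_JWKS = { keys: [{ kty: "RSA", use: "sig", e: "AQAB", n: "<elided>" },
                             { kty: "RSA", use: "enc", e: "AQAB", n: "<elided>" }] };

// Runs the cases discussed in the thread and reports the outcome of each.
function demo() {
  const header = decodeJwtHeader(SAMPLE_JWT);          // { kid: "rsa1", alg: "RS256" }
  const out = { header };
  try { out.strict = selectSigningKey(MITREID_JWKS, header, true).kid; }
  catch (e) { out.strict = e.message; }                 // the failure reported above
  out.lenient = selectSigningKey(MITREID_JWKS, header, false).kid;         // "rsa1"
  out.noKid = selectSigningKey(NO_KID_JWKS, { alg: "RS256" }, false).use;  // "sig"
  return out;
}
console.log(demo());
```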

tomshane commented May 2, 2017

After switching from "Test" IdentityServer configuration to EF Core storage and ASP.NET Core Identity configuration, on my JS client, I'm getting this error ("No key matching kid or alg found in signing keys").

The jwks endpoint returns:

{
  "keys":
  [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "ba583f56ce1a7a1e0a09236d7205fd78",
      "e": "AQAB",
      "n": "ykISgU8UZV4klvnBC_7jv8lcQyMdLxOOkV-73WueVb0MjBxTOfK0nYzBSs0-ouPC5gLtkC4TqL3kGGZQOIMV7AZV6G81BhRsA1y2Zy00NtlPRKwU7Y_VUGdH9aGtE4CwyVXmkENxKh8VpETsIaYuAjQdz75YQQoOjdVFyEeVoRMmaFzgx5wBinWpR4i8AKn554KW2vk6gIfcwUm18RimJiOA4lglbAJB-Ihw-zFzRzzbdVw90avvAPugqDA2pWKEeyl6CQVied7fIGUldCIkstMzZPM-Yg1a_GQOvtOZb1mVN_Y3QUJGmL9uRGVIwiILRbDYc0Q9JJPMgM2pI2tb3Q"
    }
  ]
}
