
JWT token could not be authenticated with JWKS #2619

Closed
killjoy2013 opened this issue Feb 16, 2023 · 2 comments

Comments

@killjoy2013

Describe the bug

We're generating our own JWT and authenticating it with the endpoint http://localhost:3100/.well-known/jwks.json

We're supplying the key set in the same shape as in https://www.apollographql.com/docs/router/configuration/authn-jwt/#jwks-format

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "abc123",
      "alg": "RS256",
      "n": "AK_5CG1BIC_TkCJi3fjmM5ZvxeolLdH8jZa3-HIhrrGobSkwDHLQT6RcVHTQJ4okd7DXCKR76MPLQl22DTj-fmAoc_fvIPy0WnIyPj3ByGb35HCs_Nc_oVD2TtUV7OXmFI62kPBvHHA7yGBuukk4eWtuI6dHNXMhLc3pQi3Y8ZIAsPNc2zeuCyhBOd4bNqY0PdWoiK2ZWdy1ILXJVUN2l6DgZO4zw2vySOqDdQecZenlNE9ZC0ZQ10iHU_5aXCj-t1oXeTA1OTLaXe4J8F2Qy6LpQkJ5c_Y2D6KRfIAa1K-gEee2VmDOEnXlxnPul538cp7W025Yi-aZuY2Yh61KQD2eBOC6dq2ffZFN4ga8U96M6lX4rwMgFYmNob51groZKY4ssjOSYuakqC5QKtuyH-7LOV5GEyxZE-15V8EOEHh9QLz9IQLwU8YvKUra3qggFoIbQQjOVpHRJoOw9j0C2Lowb43Hu5__DerD8e9KFA3ZjfZygbjpnwYvXb-77b6BbQ",
      "e": "AQAB"
    }
  ]
}

Our public key:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Private key:


Generated token (valid for 30 days):

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJyaWdodHMiOlsicmVtb3ZlQ2l0eSIsInJlbW92ZUNvdW50cnkiLCJjb3VudHJpZXMiLCJjaXRpZXMiXSwidXNlcm5hbWUiOiJhZG1pbiIsInN1YiI6MSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMTAwIiwiaWF0IjoxNjc2NTMwMDA1LCJleHAiOjE2NzkxMjIwMDV9.hJgOTFDl1ggj1qyYT-nDU1j27zbHnYhO8HjWxHBwFHSG0tsadkabJ6LORc6PSqOaXDoFVVfKpbg0tm8nTz8axvr7eRCvStM-iU6nDBxKDZ-xMX_NhU9s61x1gWTNHjYmmjJ32uBP22ExK0JEhbMP1UH6q5oPvf43Zv1cv-jUNxkO1EVXgPQb81y4gruEuHTYVBmAMmGL1NeT7lBGm9Cd-Gd4lviSZj8H63ZSJo5vqNDeV5D8mT0KZzBWx68L6n0GKSZUzFPBoPIjjI5St3ExtOrcroKaAEzXq_oe56Yql1Atds-J4Ss0DniH320cQ7n-Yq-Z5DvjcGFGyQiM6fOD0Qg0VcVzsMUNxVtYyWcshx-G3hsVvR2GmDpeBrl63CGVW9GuV4zf7l0iTnBDHOymhIwgZQRP1TKFuCdAIKhOFjsAor9ZjHUh4T96uYMJW8ijVB0SIJFlWC2F-IBzlbCg0ygMs51Z2EVjHl4U-QgaInbabw7Je14aixqePjE7hRP2

Eventually, the access token is verified on jwt.io as shown:

[Screenshot: Screen Shot 2023-02-16 at 09 48 53]

As you see, the issuer (iss) in the token is http://localhost:3100/.well-known/jwks.json

My router (1.10.3) config is below:

authentication:
  experimental:
    jwt:
      jwks_urls:
        - http://localhost:3100/.well-known/jwks.json
      header_name: Authorization
      header_value_prefix: Bearer
      cooldown: 15s

Using managed federation, I'm eventually trying to run a query in Apollo Studio. However, I always get Could not create decode JWT: InvalidSignature

[Screenshot: Screen Shot 2023-02-16 at 09 56 59]

To Reproduce

  • Create an endpoint (http://localhost:3100/.well-known/jwks.json) that serves the JWK set as explained above.
  • Generate an RS256 JWT using the public and private keys supplied above.
  • Run the router with the config supplied above.
  • Finally, use the generated token in Apollo Studio to run a query.

Expected behavior
The token is supposed to be validated using the supplied iss (http://localhost:3100), and the query can be run in Apollo Studio.

Output

{
  "errors": [
    {
      "message": "Could not create decode JWT: InvalidSignature",
      "extensions": {
        "code": "AUTH_ERROR"
      }
    }
  ]
}

Desktop (please complete the following information):

  • OS: MacOS 12.5. M1
  • node: v16.15.1
  • Federation 2.1
  • router 1.10.3


@garypen
Contributor

garypen commented Feb 16, 2023

Thank you for the detailed report. I tried reproducing and got the same problem.

So, we do seem to have some kind of problem. I dug into this a little further and used openssl to verify that your supplied public and private PEM file contents matched. Which they did. I then used a JWT command line tool to use your public PEM to validate the provided JWT and that worked fine.

So: It would appear that your JWT has been signed with the public/private key pair that you provided, but the contents of your JWKS file don't match the public/private key pair you used to sign the JWT.

At this point, I generated a JWK from the public key PEM (search in Google to find a site you trust, or use a tool on your local machine).

And ended up with a key file that looked like this:

{
  "keys": [
    {
      "kty": "RSA",
      "n": "r_kIbUEgL9OQImLd-OYzlm_F6iUt0fyNlrf4ciGusahtKTAMctBPpFxUdNAniiR3sNcIpHvow8tCXbYNOP5-YChz9-8g_LRacjI-PcHIZvfkcKz81z-hUPZO1RXs5eYUjraQ8G8ccDvIYG66STh5a24jp0c1cyEtzelCLdjxkgCw81zbN64LKEE53hs2pjQ91aiIrZlZ3LUgtclVQ3aXoOBk7jPDa_JI6oN1B5xl6eU0T1kLRlDXSIdT_lpcKP63Whd5MDU5Mtpd7gnwXZDLoulCQnlz9jYPopF8gBrUr6AR57ZWYM4SdeXGc-6XnfxyntbTbliL5pm5jZiHrUpAPZ4E4Lp2rZ99kU3iBrxT3ozqVfivAyAViY2hvnWCuhkpjiyyM5Ji5qSoLlAq27If7ss5XkYTLFkT7XlXwQ4QeH1AvP0hAvBTxi8pStreqCAWghtBCM5WkdEmg7D2PQLYujBvjce7n_8N6sPx70oUDdmN9nKBuOmfBi9dv7vtvoFt",
      "e": "AQAB",
      "alg": "RS256",
      "use": "sig"
    }
  ]
}

Note: The value of n varies significantly from the value you provided...

I then used this key file with JWT and it was successfully verified. I'm going to close this as not an issue.

@garypen garypen closed this as completed Feb 16, 2023
@killjoy2013
Author

Thank you @garypen.
I did it the way you suggested. Works fine 😄
Actually, there's no use in creating the JWK on the fly. Instead, I'm keeping a manually created one in config 👍

[Screenshot: Screen Shot 2023-02-17 at 09 49 31]

@abernix abernix removed the triage label Feb 22, 2023
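A closer look at the two JWK sets quoted in this thread shows why the signature check failed: the reported n begins with "AK_5" (octets 00 AF F9) while the accepted one begins with "r_kI" (octets AF F9 08), so the first JWK carried the 0x00 sign byte that the DER INTEGER inside the PEM needs, which RFC 7518's Base64urlUInt encoding forbids (minimal unsigned big-endian octets, no padding). The following Python script is an added example, not code from the issue or from the router project; it checks a JWK integer field for that defect and re-encodes it in the minimal form, using the first 40 characters of each n value from the thread as input.

```python
import base64

# First 40 characters of the two "n" values quoted in the issue (enough to
# decode 30 octets and compare their leading bytes).
ISSUE_N_PREFIX = "AK_5CG1BIC_TkCJi3fjmM5ZvxeolLdH8jZa3-HIh"  # from the bug report (rejected)
FIXED_N_PREFIX = "r_kIbUEgL9OQImLd-OYzlm_F6iUt0fyNlrf4ciGu"  # from the maintainer's reply (accepted)


def b64url_decode(s: str) -> bytes:
    """Decode base64url, tolerating the missing '=' padding JWK values use."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_uint(value: int) -> str:
    """RFC 7518 Base64urlUInt: minimal unsigned big-endian octets, no padding."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def der_style_uint(value: int) -> str:
    """The mistake seen in the issue: copy the DER INTEGER content octets, which
    carry a 0x00 sign byte whenever the top bit is set (always true for an RSA modulus)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_uint_issues(s: str) -> list:
    """Return the encoding problems found in a JWK 'n' or 'e' value (empty list if clean)."""
    issues = []
    if "+" in s or "/" in s:
        issues.append("standard base64 alphabet instead of base64url")
    if s.endswith("="):
        issues.append("'=' padding present")
    raw = b64url_decode(s.translate(str.maketrans("+/", "-_")).rstrip("="))
    if raw[:1] == b"\x00":
        issues.append("leading 0x00 octet (DER sign byte, not minimal encoding)")
    return issues


def normalize_jwk_uint(s: str) -> str:
    """Re-encode a JWK integer value in the RFC 7518 minimal form."""
    raw = b64url_decode(s.translate(str.maketrans("+/", "-_")).rstrip("="))
    return b64url_uint(int.from_bytes(raw, "big"))


if __name__ == "__main__":
    for label, n in (("issue", ISSUE_N_PREFIX), ("fixed", FIXED_N_PREFIX)):
        print(label, jwk_uint_issues(n) or "ok")
```

Stripping the sign byte from the reported prefix yields exactly the leading octets of the accepted n, which is the check to run on any hand-built JWKS before pointing a verifier at it.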