JWT Token is always invalid #49

vcastro45 · 2020-01-27T09:40:03Z

Hello,
I use this Bundle to check a JWS sent by my own KeyCloak.
The app workflow can be described like this:

the VueJS webapp get the token from KeyCloak using the oidc-client-js package (Certified package by OpendID Connect)
the VueJS webapp send a GET request to my Symfony 4.4 using the token and the Bearer authentication
Symfony responds with 401 - Invalid JWT Token

Using a debugger, I found that the exception is thrown by Lexik-Jose-bridge when checking the Token signature (verifySignature in JWSVerifier returns false because of $algorithm->verify())

For exemple, the config looks like this:

#.env File

###> spomky-labs/lexik-jose-bridge ###
SL_JOSE_BRIDGE_SERVER_NAME=http://keycloak.biometrie.test/auth/realms/Biometrie
SL_JOSE_BRIDGE_SIGNATURE_KEYSET='{"keys":[{"kid":"R0ziM07whcBe1-UcHvimwf1WZQLei3WszfaErj50kVc","kty":"RSA","alg":"RS256","use":"sig","n":"lhqyXCOxPLGHO4TgiJ0SByoCRBUUSFnn6EiBFOpbQPNtuDpAri_IjP3s_S3lL77pHjorTa4EYXNBK-b0bXsNSx6vOzZF04lDc0n-O8O47kBeB1GUm_-pGcn_kWZKHxOKnkhjBlyT2EP2l_Ps_Nzqn4cjocPDqUu61DLpu5AOh-R6kHKGKzkvxAXoi3bQEfpijP0QvHtMH51CTvVmVHPyK8w_fGggH8pXefrw2SOroTd7UbatHNFPpjvER_AmRJQQdF15mL-U4slPo6AxahTiLE6aARpPVuopFVuSgGvImNtzEIxhZAV4agAqKMuNPG_-1LwUVx8Vcg5pCIIY64G1Fw","e":"AQAB","x5c":["MIICmzCCAYMCBgFv5kao7TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAwMTI3MDkxMTI4WhcNMzAwMTI3MDkxMzA4WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWGrJcI7E8sYc7hOCInRIHKgJEFRRIWefoSIEU6ltA8224OkCuL8iM/ez9LeUvvukeOitNrgRhc0Er5vRtew1LHq87NkXTiUNzSf47w7juQF4HUZSb/6kZyf+RZkofE4qeSGMGXJPYQ/aX8+z83OqfhyOhw8OpS7rUMum7kA6H5HqQcoYrOS/EBeiLdtAR+mKM/RC8e0wfnUJO9WZUc/IrzD98aCAfyld5+vDZI6uhN3tRtq0c0U+mO8RH8CZElBB0XXmYv5TiyU+joDFqFOIsTpoBGk9W6ikVW5KAa8iY23MQjGFkBXhqACooy408b/7UvBRXHxVyDmkIghjrgbUXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGoGSh7NLsDUJI/VLAh/GKJL8KdNE/vRT5ix4eVMBj30A62G9e6IxcqNEf+gxsy/WpavPm8dj5KE9LWWJhXq4bqEr2y3E27feYgCjDFZJV5Qbka8I/c1pHxh/y0MI5aa807F6lneYQWottx4vkthqaqM8YA3lWyqINYwy3oZ5pZRCu8U+a0Ijb/A/wFumcw+DWA4zR0Ukn0AGGwLo+UllekHEYPN8YaOtpPTT9db0ecTKEGvJXQCO8LAuvGyOqtdJGBU2EUShfeJYlcJWY2iuuEki6NM54UWRpCfRD8lbfY4qJAMI5pS450Tt4dr5ueavA1zZQ/gDA8v78G/yj0KbP8="],"x5t":"WACX0jnZYYIHH2GbPX1GMdzOy4o","x5t#S256":"B6bMYytBGjflssF_cL0zMIUYIx699Lq72Q8qj8s6sxo"}]}'
###< spomky-labs/lexik-jose-bridge ###

#spomky_labs_lexik_jose_bridge_bundle.yaml
lexik_jose:
    ttl: 3600
    server_name: '%env(SL_JOSE_BRIDGE_SERVER_NAME)%'
    audience: 'account'
    key_set: '%env(SL_JOSE_BRIDGE_SIGNATURE_KEYSET)%'
    key_index: 0
    signature_algorithm: "RS256"
    mandatory_claims:
        - 'aud'

Example of a token to be verified by the bundle:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfMlE5aW9EM1RtWXBHR19FNVBRQ3JfU0VYNEoxVEFTWmZKczZrZTJ5eFpFIn0.eyJqdGkiOiJmZWVkMDg0Ni0yNDc5LTQ4NWQtYmY1ZC0yYzFhZjQ0ZmJiNzYiLCJleHAiOjE1ODAxMTY4ODksIm5iZiI6MCwiaWF0IjoxNTgwMTE2NTg5LCJpc3MiOiJodHRwOi8va2V5Y2xvYWsuYmlvbWV0cmllLnRlc3QvYXV0aC9yZWFsbXMvQmlvbWV0cmllIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImE5NTVmNDNiLTBhOTEtNDU0NS1hOWY2LWU5NjYxZGYzNTkwYyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImJpb21ldHJpZV9jbGllbnQiLCJhdXRoX3RpbWUiOjE1ODAxMTY1ODgsInNlc3Npb25fc3RhdGUiOiIxN2RjYWM3OS1iMjk0LTQ4ZjgtOGY3NS1lZjM4NTM4OThjMzEiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9iaW9tZXRyaWUudGVzdCJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImJpb21ldHJpZV9jbGllbnQiOnsicm9sZXMiOlsiUk9MRV9BRE1JTiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiVmljdG9yIENhc3Ryby1DSW50YXMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ2Y2FzdHJvIiwiZ2l2ZW5fbmFtZSI6IlZpY3RvciIsImZhbWlseV9uYW1lIjoiQ2FzdHJvLUNJbnRhcyIsImVtYWlsIjoidmljdG9yLmNhc3Ryby5jaW50YXNAZ21haWwuY29tIn0.eKjzIPQyxphLuNI5ooEf_u5ReQFAb4t372tBKUwFofYUXxB8JAZ2fyxI3OKGi2jxO8zIjdJM7t8Viin6i9Q1uOWMAgLRUW1SzpcWeQ_9oZVLwjawtquVL2LqxWDQHO1tj9tm4sBjK0SEqaA1l-Q0Zmtt-YKHB_1i7d_u-K2RrciNXMxnTpTqPd5OMN0_xNRV3BKdQqfs2veKFsCRNdq6mXeKrxk6W7GUsI5He6MdJ1R6eGnMlGFhLkiePaUSSYr0K1xehuFr5BawA-1BNeCfPhKwsn95rhWGD5b9WmPNmoV9K6gzmJ4MplzYWL2u0PudPF0SJVDMaMSkxUf4pe0SDA

The text was updated successfully, but these errors were encountered:

Spomky · 2020-01-27T09:47:12Z

Hi @vcastro45,

I will investigate to understand what is going on.
Some users have also issues with the RS* algorithms (see web-token/jwt-framework#238) because of OpenSSL and missing GMP extension.
Can you make sure the GMP extension is correctly installed on your platform. This may be the reason for that issue.

Regards.

Spomky · 2020-01-27T09:52:58Z

By the way, I see that the key ID in the keyset is R0ziM07whcBe1-UcHvimwf1WZQLei3WszfaErj50kVc, but the token you provide is signed by _2Q9ioD3TmYpGG_E5PQCr_SEX4J1TASZfJs6ke2yxZE

Could you please add the missing public key in the keyset and check it again?

vcastro45 · 2020-01-27T10:42:36Z

Hi @Spomky and thanks for your reactivity.
The GMP extension is installed and is even required by the bundle when installing using Composer.

According to the point you raised, yes the kid wasn't good.
The default signature keyset provided by keycloak seems to be the one of the "master" realm and I am using a custom realm so I have to edit the URL...

Spomky · 2020-01-30T09:26:50Z

Thank you for letting me know.
BR.

Spomky self-assigned this Jan 27, 2020

vcastro45 closed this as completed Jan 27, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JWT Token is always invalid #49

JWT Token is always invalid #49

vcastro45 commented Jan 27, 2020

Spomky commented Jan 27, 2020

Spomky commented Jan 27, 2020

vcastro45 commented Jan 27, 2020

Spomky commented Jan 30, 2020

JWT Token is always invalid #49

JWT Token is always invalid #49

Comments

vcastro45 commented Jan 27, 2020

Spomky commented Jan 27, 2020

Spomky commented Jan 27, 2020

vcastro45 commented Jan 27, 2020

Spomky commented Jan 30, 2020