quarkus: OIDC - org.jose4j.lang.UnresolvableKeyException: JWK is not available during verification of the token issued to client
Describe the bug
I’m having an issue migrating to a new OIDC provider (a private one).
I’m getting this error:
2023-03-09 14:03:19,930 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-2) ID token verification has failed: null
2023-03-09 14:03:19,931 DEBUG [io.qua.ver.htt.run.sec.HttpSecurityRecorder] (vert.x-eventloop-thread-2) Authentication has failed, returning HTTP status 401
In debug, I see the following error that might be the cause:
2023-03-09 14:03:19,850 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Verifying the JWT token with the local JWK keys
2023-03-09 14:03:19,861 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-2) Verification of the token issued to client rp-di-application-gin has failed: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: JWK is not available, neither 'kid' nor 'x5t' token headers are set): JsonWebSignature{"typ":"JWT","alg":"HS512"}->...
Expected behavior
I should authenticate with success.
Actual behavior
I’m getting this error:
2023-03-09 14:03:19,930 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-2) ID token verification has failed: null
2023-03-09 14:03:19,931 DEBUG [io.qua.ver.htt.run.sec.HttpSecurityRecorder] (vert.x-eventloop-thread-2) Authentication has failed, returning HTTP status 401
In debug, I see the following error that might be the cause:
2023-03-09 14:03:19,850 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-2) Verifying the JWT token with the local JWK keys
2023-03-09 14:03:19,861 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-2) Verification of the token issued to client rp-di-application-gin has failed: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: JWK is not available, neither 'kid' nor 'x5t' token headers are set): JsonWebSignature{"typ":"JWT","alg":"HS512"}->...
How to Reproduce?
Since I’m connecting to a private one, I guess it’s not possible to provide a reproducer.
Here is my configuration anyway:
...
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.redirect-path=/callback
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.authentication.user-info-required=true
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.http.auth.permission.public.paths=/api/environments/cicd
quarkus.http.auth.permission.public.policy=permit
quarkus.oidc.authentication.session-age-extension=P1D
quarkus.oidc.token.refresh-expired=true
quarkus.oidc.authentication.java-script-auto-redirect=false
# required workaround for quarkus 2.16.0
quarkus.oidc.authentication.cookie-same-site=lax
Output of uname -a or ver
Linux linux-dev 5.4.0-144-generic #161-Ubuntu SMP Fri Feb 3 14:49:04 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Output of java -version
openjdk version "11.0.12" 2021-07-20
OpenJDK Runtime Environment 18.9 (build 11.0.12+7)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7, mixed mode)
GraalVM version (if different from Java)
No
Quarkus version or git rev
2.8.0.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Additional information
No response
About this issue
- State: closed
- Created a year ago
- Comments: 18 (11 by maintainers)
@sberyozkin thanks for your help, I’m going to check with the team in charge
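The debug log in the report shows an ID token whose JOSE header is `{"typ":"JWT","alg":"HS512"}` with no `kid` or `x5t`. The following is an added example, not code from the issue, Quarkus or jose4j: a stand-alone triage script that reads a token's header and, for HS* tokens, verifies the signature with a shared secret while pinning the expected algorithm. The function names, the `iss` claim and the secret are constructed for illustration.

```python
import base64, hashlib, hmac, json

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def triage(token):
    """Read only the JOSE header: which algorithm, and is there a key hint?"""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return {
        "alg": header.get("alg"),
        # HS* signatures are HMACs keyed with a secret shared by issuer and client
        "symmetric": header.get("alg") in HMAC_ALGS,
        # 'kid' / 'x5t' are the headers the log says were missing
        "has_key_hint": "kid" in header or "x5t" in header,
    }

def verify_hmac(token, secret, expected_alg):
    """Verify an HS* token; the algorithm is pinned by the caller, not the token."""
    head, payload, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg != expected_alg or alg not in HMAC_ALGS:
        return False
    mac = hmac.new(secret, f"{head}.{payload}".encode("ascii"), HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(mac, b64url_decode(sig))

def make_token(header, claims, secret):
    """Build a constructed sample token (demo only)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[header["alg"]]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

# Constructed sample: header copied from the debug log, claims and secret made up.
SECRET = b"constructed-demo-secret-not-a-real-credential"
TOKEN = make_token({"typ": "JWT", "alg": "HS512"},
                   {"iss": "https://idp.example", "aud": "rp-di-application-gin"}, SECRET)

if __name__ == "__main__":
    print(triage(TOKEN))
    print("verified with shared secret:", verify_hmac(TOKEN, SECRET, "HS512"))
```

Running `triage` on a real token from the provider shows whether it carries a key hint at all and whether its algorithm is symmetric, which is the information needed before asking the provider's team how the ID token is meant to be verified.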