Spomky-Labs / lexik-jose-bridge

An Encoder for the LexikJWTAuthenticationBundle that uses web-token/jwt-framework


JWT Token is always invalid

vcastro45 opened this issue · comments

Hello,
I use this Bundle to check a JWS sent by my own KeyCloak.
The app workflow can be described like this:

  • the VueJS webapp gets the token from KeyCloak using the oidc-client-js package (certified package by OpenID Connect)
  • the VueJS webapp sends a GET request to my Symfony 4.4 using the token and the Bearer authentication
  • Symfony responds with 401 - Invalid JWT Token

Using a debugger, I found that the exception is thrown by Lexik-Jose-bridge when checking the Token signature (verifySignature in JWSVerifier returns false because of $algorithm->verify())

For example, the config looks like this:

#.env File

###> spomky-labs/lexik-jose-bridge ###
SL_JOSE_BRIDGE_SERVER_NAME=http://keycloak.biometrie.test/auth/realms/Biometrie
SL_JOSE_BRIDGE_SIGNATURE_KEYSET='{"keys":[{"kid":"R0ziM07whcBe1-UcHvimwf1WZQLei3WszfaErj50kVc","kty":"RSA","alg":"RS256","use":"sig","n":"lhqyXCOxPLGHO4TgiJ0SByoCRBUUSFnn6EiBFOpbQPNtuDpAri_IjP3s_S3lL77pHjorTa4EYXNBK-b0bXsNSx6vOzZF04lDc0n-O8O47kBeB1GUm_-pGcn_kWZKHxOKnkhjBlyT2EP2l_Ps_Nzqn4cjocPDqUu61DLpu5AOh-R6kHKGKzkvxAXoi3bQEfpijP0QvHtMH51CTvVmVHPyK8w_fGggH8pXefrw2SOroTd7UbatHNFPpjvER_AmRJQQdF15mL-U4slPo6AxahTiLE6aARpPVuopFVuSgGvImNtzEIxhZAV4agAqKMuNPG_-1LwUVx8Vcg5pCIIY64G1Fw","e":"AQAB","x5c":["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"],"x5t":"WACX0jnZYYIHH2GbPX1GMdzOy4o","x5t#S256":"B6bMYytBGjflssF_cL0zMIUYIx699Lq72Q8qj8s6sxo"}]}'
###< spomky-labs/lexik-jose-bridge ###

#spomky_labs_lexik_jose_bridge_bundle.yaml
lexik_jose:
    ttl: 3600
    server_name: '%env(SL_JOSE_BRIDGE_SERVER_NAME)%'
    audience: 'account'
    key_set: '%env(SL_JOSE_BRIDGE_SIGNATURE_KEYSET)%'
    key_index: 0
    signature_algorithm: "RS256"
    mandatory_claims:
        - 'aud'

Example of a token to be verified by the bundle:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfMlE5aW9EM1RtWXBHR19FNVBRQ3JfU0VYNEoxVEFTWmZKczZrZTJ5eFpFIn0.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.eKjzIPQyxphLuNI5ooEf_u5ReQFAb4t372tBKUwFofYUXxB8JAZ2fyxI3OKGi2jxO8zIjdJM7t8Viin6i9Q1uOWMAgLRUW1SzpcWeQ_9oZVLwjawtquVL2LqxWDQHO1tj9tm4sBjK0SEqaA1l-Q0Zmtt-YKHB_1i7d_u-K2RrciNXMxnTpTqPd5OMN0_xNRV3BKdQqfs2veKFsCRNdq6mXeKrxk6W7GUsI5He6MdJ1R6eGnMlGFhLkiePaUSSYr0K1xehuFr5BawA-1BNeCfPhKwsn95rhWGD5b9WmPNmoV9K6gzmJ4MplzYWL2u0PudPF0SJVDMaMSkxUf4pe0SDA

Hi @vcastro45,

I will investigate to understand what is going on.
Some users have also issues with the RS* algorithms (see web-token/jwt-framework#238) because of OpenSSL and missing GMP extension.
Can you make sure the GMP extension is correctly installed on your platform? This may be the reason for that issue.

Regards.

By the way, I see that the key ID in the keyset is R0ziM07whcBe1-UcHvimwf1WZQLei3WszfaErj50kVc, but the token you provide is signed by _2Q9ioD3TmYpGG_E5PQCr_SEX4J1TASZfJs6ke2yxZE

Could you please add the missing public key in the keyset and check it again?
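The kid mismatch pointed out above can be confirmed without touching the signature: the JOSE header of a compact JWS is plain base64url-encoded JSON, so the `kid` and `alg` it announces can be compared against the configured keyset before any cryptographic check runs. The following script is an added example, not code from this issue or from the lexik-jose-bridge project; it uses the header segment of the token posted above and the key ID from the `.env` keyset (with `n`, `e` and the certificate chain trimmed away), and assumes Keycloak's standard `/protocol/openid-connect/certs` JWKS path when deriving the realm's keyset URL from `SL_JOSE_BRIDGE_SERVER_NAME`.

```python
import base64
import json

# First (header) segment of the token quoted in the issue, copied verbatim.
# Payload and signature are redacted in the issue, so this check only
# explains a "signature invalid" result; it is never a substitute for
# actually verifying the signature with the matching key.
TOKEN_HEADER_SEGMENT = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfMlE5aW9EM1RtWXBHR19F"
    "NVBRQ3JfU0VYNEoxVEFTWmZKczZrZTJ5eFpFIn0"
)

# The keyset from the .env above, trimmed to the fields this check needs
# (n, e and x5c are omitted to keep the sample short).
CONFIGURED_KEYSET = {
    "keys": [
        {"kid": "R0ziM07whcBe1-UcHvimwf1WZQLei3WszfaErj50kVc",
         "kty": "RSA", "alg": "RS256", "use": "sig"}
    ]
}

CONFIGURED_ALGORITHM = "RS256"  # signature_algorithm from the bundle config


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS without verifying anything."""
    return json.loads(b64url_decode(token.split(".")[0]))


def diagnose(token: str, keyset: dict, expected_alg: str) -> dict:
    """List the reasons this keyset/config could not verify the token's header claims."""
    header = peek_header(token)
    kids = [k.get("kid") for k in keyset.get("keys", [])]
    findings = []
    # A verifier pinned to one algorithm must refuse tokens announcing another.
    if header.get("alg") != expected_alg:
        findings.append(
            f"header alg {header.get('alg')!r} != configured {expected_alg!r}")
    # No key with this kid means the signature can never validate.
    if header.get("kid") not in kids:
        findings.append(f"kid {header.get('kid')!r} not in keyset {kids}")
    return {"kid": header.get("kid"), "alg": header.get("alg"), "findings": findings}


def keycloak_certs_url(issuer: str) -> str:
    """JWKS URL for a Keycloak realm issuer (standard Keycloak path, assumed here)."""
    return issuer.rstrip("/") + "/protocol/openid-connect/certs"


if __name__ == "__main__":
    # Constructed stand-ins for the redacted payload and signature segments.
    token = TOKEN_HEADER_SEGMENT + ".payload.signature"
    result = diagnose(token, CONFIGURED_KEYSET, CONFIGURED_ALGORITHM)
    for finding in result["findings"]:
        print("finding:", finding)
    print("fetch the realm keyset from:",
          keycloak_certs_url("http://keycloak.biometrie.test/auth/realms/Biometrie"))
```

Run against the data in this thread, the script reports exactly one finding: the token's `kid` (`_2Q9ioD3TmYpGG_E5PQCr_SEX4J1TASZfJs6ke2yxZE`) is absent from a keyset whose only entry is `R0ziM07whcBe1-UcHvimwf1WZQLei3WszfaErj50kVc`, which is why `$algorithm->verify()` returns false long before any GMP or OpenSSL question arises. The `alg` comparison is there because a keyset lookup alone is not enough: the bundle's `signature_algorithm` should also be enforced so a token cannot pick a different algorithm than the one the key was issued for.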

Hi @Spomky and thanks for your reactivity.
The GMP extension is installed and is even required by the bundle when installing using Composer.

According to the point you raised, yes, the kid wasn't good.
The default signature keyset provided by keycloak seems to be the one of the "master" realm and I am using a custom realm so I have to edit the URL...

Thank you for letting me know.
BR.