JWS token verification failed.... even with HS256 set and no other token provider in Keycloak. #382

Open
strus38 opened this issue Oct 30, 2020 · 7 comments

Comments

strus38 commented Oct 30, 2020

Hi,

I am deploying Netbox on K8S and I am trying to add OIDC with Keycloak to allow SSO on Netbox.
So I have done the necessary changes - I guess - but I am failing on a JWT issue even though HS256 is the only token provider on Keycloak!
Error: JWS token verification failed.

OIDC_ALLOW_UNSECURED_JWT = True
OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth'
OIDC_OP_JWKS_ENDPOINT = ''
OIDC_OP_TOKEN_ENDPOINT = '********************'
OIDC_OP_USER_ENDPOINT = 'https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo'
OIDC_RP_CLIENT_ID = 'netbox'
OIDC_RP_CLIENT_SECRET = '********************'
OIDC_RP_IDP_SIGN_KEY = '********************'
OIDC_RP_SIGN_ALGO = 'HS256'
OIDC_VERIFY_JWT = False
OIDC_VERIFY_SSL = False

By the way: OIDC_VERIFY_JWT does not seem to do anything!
Removing OIDC_OP_JWKS_ENDPOINT does not work either

strus38 changed the title from "Could not find a suitable TLS CA certificate bundle, invalid path: false" to "JWS token verification failed.... even with HS256 set and no other token provider in Keycloak." on Oct 30, 2020

strus38 commented Oct 31, 2020

I also tried with the RS256 algorithm; it fails with: 'bytes' object has no attribute 'verifier'
However, everything seems correct:
In payload_data = self.get_payload_data(token, key):

key | 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMajTF5JfM7+Bq3vuxo0b1uScGV2yuhcALhYng16GvkBpMi0HbiHbKlU6RVSLIDkJrSRg1zBhwkticiETKaxyRjhzyidumrhbHbKe6J//jlgD6W6x8GIeOOVclb1ioSPrcY/HF//6zq6V1hvL+MlSXS5FXau3ss2Pnh3QvOghwnYZsG7xGu9ZnfEoTuZMAbLMzsR7lnU4ZF74WxC9T9b5+gID5TddKY94j+lXpDEaUE3/jAy+cb1w0hfsYVXknxo/GCDcB2PmBkJbs9c7FiY2WbTL5Cgu5Deag9v6IJ1Yj5Nz6apv1+bGOqqTOnhGi62DcebKSUNTUCt8K+U5yYBaQIDAQAB\n'
kwargs | {'nonce': 'TXYU8AXzWCKzAD2UHPpVxAfSIpNtdATW'}
nonce | 'TXYU8AXzWCKzAD2UHPpVxAfSIpNtdATW'
self | <mozilla_django_oidc.auth.OIDCAuthenticationBackend object at 0x7f96fc56e2d0>
token | (b'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJUb29seUZtX2dkaG15XzRaSzRF'  b'MGQ5bFRaUVdmbWpnWEJSUVRqMkRuZ2RzIn0.eyJleHAiOjE2MDQxMzg5OTMsImlhdCI6MTYwNDEz'  b'ODkzMywiYXV0aF90aW1lIjoxNjA0MTM4NzQ2LCJqdGkiOiJjODg0ZmY3Mi02NzM4LTQ1NzEtOWJl'  b'MS0xMTc1NmNkYzlkMDYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLmhvbWUubGFiL2F1dGgvcmVh'  b'bG1zL21hc3RlciIsImF1ZCI6Im5ldGJveCIsInN1YiI6IjVhNmVmNWQ3LWI2YzktNDk1Yi05NjM5'  b'LTY0NmI3NTRkNGYwMCIsInR5cCI6IklEIiwiYXpwIjoibmV0Ym94Iiwibm9uY2UiOiJUWFlVOEFY'  b'eldDS3pBRDJVSFBwVnhBZlNJcE50ZEFUVyIsInNlc3Npb25fc3RhdGUiOiI3MDg4YTUzMC0wMTIw'  b'LTQ2ZTYtODNmNy0yOTg4YzYyYWY4YjgiLCJhY3IiOiIwIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNl'  b'LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJrZXljbG9hayJ9.aFGu1rXnTzDjX6JBmXJJsrsIftzGLIk'  b'ZxwktgXHCJ8SYD3qbMC0LnpZy_mvQcyCgl0pL4f9a_OrCsUWdn9CDWYrMYwn5drGCJ565uUMJZXw'  b'SiAjCU0BXmQA7Ggtpi03iJ5XYRpAjDJDSTj3Jpb7IFDohnI4R31nxnzGOoTtr1H6CQPrOUmiExfi'  b'PW9eyaNdeNhX1iO8iVffzBFplv69dywmSubmgc-_pgrCQl5CnzI2dotlW2iKZMPtUMhUfIrBTIri'  b'T-0_oPo2OAiu1x9I-bADnCg-UllfEYkD-82j87hq3iI_Pz3yH3VsOMVjm3O93CulXgJIfWVCi_g3'  b'nZR01Sg')

In return self._verify_jws(token, key):

header | {'alg': 'RS256', 'kid': 'ToolyFm_gdhmy_4ZK4E0d9lTZQWfmjgXBRQTj2Dngds', 'typ': 'JWT'}
key | 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMajTF5JfM7+Bq3vuxo0b1uScGV2yuhcALhYng16GvkBpMi0HbiHbKlU6RVSLIDkJrSRg1zBhwkticiETKaxyRjhzyidumrhbHbKe6J//jlgD6W6x8GIeOOVclb1ioSPrcY/HF//6zq6V1hvL+MlSXS5FXau3ss2Pnh3QvOghwnYZsG7xGu9ZnfEoTuZMAbLMzsR7lnU4ZF74WxC9T9b5+gID5TddKY94j+lXpDEaUE3/jAy+cb1w0hfsYVXknxo/GCDcB2PmBkJbs9c7FiY2WbTL5Cgu5Deag9v6IJ1Yj5Nz6apv1+bGOqqTOnhGi62DcebKSUNTUCt8K+U5yYBaQIDAQAB\n'

If I take the token and the key, everything seems perfect:
[screenshot of the decoded token and key, not included]

So what is happening??


strus38 commented Oct 31, 2020

I could move forward by replacing the token key with the JWT endpoint ... but then it fails with the other defect I opened.

@pedromendes96

@strus38 any extra information why HS256 doesn't work?


strus38 commented Nov 20, 2020 via email

@variable

I was having the same problem with HS256; then I changed to RS256 and defined OIDC_OP_JWKS_ENDPOINT, and it worked:

OIDC_RP_SIGN_ALGO = 'RS256'
OIDC_OP_JWKS_ENDPOINT = 'https://keycloak-dev/auth/realms/test/protocol/openid-connect/certs'
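Both setups in this thread (the reporter's HS256 configuration, where mozilla-django-oidc verifies the ID token with OIDC_RP_CLIENT_SECRET, and the RS256 configuration above, where it fetches the signing key by kid from OIDC_OP_JWKS_ENDPOINT) come down to the same three checks on the token: the header alg must equal the configured OIDC_RP_SIGN_ALGO (which also throws out alg=none and cross-algorithm confusion), the key is chosen by that algorithm, and only then is the signature checked. The following is an added example, not code from this issue or from mozilla-django-oidc: a stdlib-only Python verifier that performs those checks and reproduces the error strings seen in the thread. The client secret, the claims and the JWKS document are constructed; the RSA key pair is a toy built from two Mersenne primes so the block runs without a crypto library and must not be used for anything real.

```python
import base64, hashlib, hmac, json


def b64url_decode(s):
    """Base64url without padding, as used by JWS compact serialization."""
    s = s.encode() if isinstance(s, str) else s
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Toy RSA key, deliberately insecure: two Mersenne primes so the block runs
# offline.  A real RP takes the key from the provider's JWKS document.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus size in bytes
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (RFC 8017 9.2)."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(signing_input):
    m = int.from_bytes(emsa_pkcs1_v15(signing_input, K), "big")
    return pow(m, D, N).to_bytes(K, "big")


def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))


# Constructed stand-ins for OIDC_RP_CLIENT_SECRET and the JWKS document
# served at .../protocol/openid-connect/certs.
CLIENT_SECRET = b"netbox-client-secret-constructed"
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "toy-key-1",
                  "n": b64url_encode(N.to_bytes(K, "big")),
                  "e": b64url_encode(E.to_bytes(3, "big"))}]}


def verify_id_token(token, rp_sign_algo, client_secret=None, jwks=None):
    """Return the verified claims or raise ValueError.  Same order as the RP:
    algorithm check, key selection, signature check."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    alg = header.get("alg")
    if alg != rp_sign_algo:               # also rejects alg=none
        raise ValueError(f"provider alg {alg!r} != OIDC_RP_SIGN_ALGO {rp_sign_algo!r}")
    signing_input = f"{h64}.{p64}".encode()
    sig = b64url_decode(s64)
    if alg == "HS256":                    # key is the client secret
        expected = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(sig, expected)
    elif alg == "RS256":                  # key is the JWK whose kid matches the header
        matching = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
        if not matching:
            raise ValueError(f"no JWK with kid {header.get('kid')!r}")
        n = int.from_bytes(b64url_decode(matching[0]["n"]), "big")
        e = int.from_bytes(b64url_decode(matching[0]["e"]), "big")
        ok = rs256_verify(signing_input, sig, n, e)
    else:
        raise ValueError(f"unsupported alg {alg!r}")
    if not ok:
        raise ValueError("JWS token verification failed.")
    return json.loads(b64url_decode(p64))


def make_token(alg, claims, kid=None):
    """Issue a token the way the provider would (constructed test helper)."""
    header = {"alg": alg, "typ": "JWT", **({"kid": kid} if kid else {})}
    h64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h64}.{p64}".encode()
    if alg == "HS256":
        sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    elif alg == "RS256":
        sig = rs256_sign(signing_input)
    else:
        sig = b""                         # alg=none carries no signature
    return f"{h64}.{p64}.{b64url_encode(sig)}"


CLAIMS = {"iss": "https://keycloak.home.lab/auth/realms/master", "aud": "netbox", "sub": "alice"}


def demo():
    """Run the situations from this thread; returns a name -> outcome dict."""
    hs = make_token("HS256", CLAIMS)
    rs = make_token("RS256", CLAIMS, kid="toy-key-1")
    h64, _, s64 = hs.split(".")
    tampered = ".".join([h64, b64url_encode(json.dumps({**CLAIMS, "sub": "mallory"}).encode()), s64])
    cases = {
        "hs256_ok": (hs, "HS256"),             # HS256 token, correct client secret
        "rs256_ok": (rs, "RS256"),             # RS256 token, kid present in JWKS
        "rs256_to_hs256_rp": (rs, "HS256"),    # provider signs RS256, RP set to HS256
        "alg_none": (make_token("none", CLAIMS), "HS256"),
        "unknown_kid": (make_token("RS256", CLAIMS, kid="rotated"), "RS256"),
        "tampered_hs256": (tampered, "HS256"), # payload edited, signature kept
    }
    out = {}
    for name, (tok, algo) in cases.items():
        try:
            out[name] = verify_id_token(tok, algo, client_secret=CLIENT_SECRET, jwks=JWKS)["sub"]
        except ValueError as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Two things the cases make visible: "JWS token verification failed." is only reachable once the alg check has passed, so with OIDC_RP_SIGN_ALGO = 'HS256' it means the provider did sign with HS256 but the HMAC key (the client secret on the RP side) does not match what the provider used; and in the JWKS path the key arrives as a JWK with n and e and is selected by kid, so no hand-pasted key material and no key-format question is involved at all.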

@leuat

leuat commented Jun 16, 2021

I'm having the same problem with HS256 (JWS token verification failed), but when changing to RS256 and defining OIDC_OP_JWKS_ENDPOINT to ../certs, I get a JSON parser exception; see #421

@JulienFS

JulienFS commented Jul 30, 2024

It might be a key format issue, see #505 (comment) (I had a similar issue and now have a working setup with keycloak).
