How to validate access token? {:error, {:no_matching_key_with_kid, ...}}

[1player]

I want to validate an access token I receive in a request, but it fails with {:error, {:no_matching_key_with_kid, ...}} even though I can see the kid in the provider configuration.

Example:

{:ok, client_context} = Oidcc.ClientContext.from_configuration_worker(Gateway.OidccConfigProvider, "client-id", "client-secret") 
Oidcc.Token.validate_jwt(access_token, client_context, %{
  signing_algs:
    client_context.provider_configuration.token_endpoint_auth_signing_alg_values_supported
})
# Fails with {:error,
 {:no_matching_key_with_kid, "zgeOJ-OVB1Ewd6M5nSDjftW7uXjJkxq17dWaPo7z420"}}

Yet when I inspect the JWK set in the configuration with Oidcc.ProviderConfiguration.Worker.get_jwks(Gateway.OidccConfigProvider), that kid is present in the list:

#JOSE.JWK<
  keys: {:jose_jwk_set,
   [
     {:jose_jwk, :undefined,
      {:jose_jwk_kty_rsa,
       {:RSAPublicKey, snip, 65537}},
      %{
        "alg" => "RS256",
        "kid" => "zgeOJ-OVB1Ewd6M5nSDjftW7uXjJkxq17dWaPo7z420",
        "use" => "sig",
        "x5c" => ["snip"],
        "x5t" => "91MQNZV0Z1N-6TyBShUyUl1rrzo",
        "x5t#S256" => "Cr5db1sZskJFmCiQdcwsgU4CFZ5v6ZY5ueF2FfvEv10"
      }}
   ]},

Why is it failing, what am I missing?

Basically I'd like to replicate the flow described at https://stackoverflow.com/a/71183948

[maennchen]

Hm, the verification code is a bit unclear here since the errors aren't handled nicely by our JWT library.

Can you add some debug statements to the following lines so that we can see with what reason it is failing?

oidcc/src/oidcc_jwt_util.erl

Line 355 in ef11cc3

{error, {no_matching_key_with_kid, Kid}}

Something like this:

error:Reason ->
  erlang:display(Reason),
  {error, {no_matching_key_with_kid, Kid}}

[1player]

OK, I have added debugging statements following your instructions.

To recap, the token is signed with kid zgeOJ-OVB1Ewd6M5nSDjftW7uXjJkxq17dWaPo7z420, and the JWK set contains two keys, in the following order: 8Djc_h2SS8fTlrn1eXq2FfxCIxLAckCo6vMmJEBn6r4 and zgeOJ-OVB1Ewd6M5nSDjftW7uXjJkxq17dWaPo7z420.

The first comparison with key 8Djc_etc in validate_signature/3 fails and returns {error, {no_matching_key_with_kid, <<"zgeOJ-OVB1Ewd6M5nSDjftW7uXjJkxq17dWaPo7z420">>}}, then the second key is tested, and this fails on line 105 with {error, no_matching_key}.

Which means that jose_jwt:verify_strict(Jwks, AllowAlgorithms, Token) is returning the following value:

  {false, 
   {jose_jwt,#{<<"auth_time">>=>1732622979,<<"azp">>=><<"s3gateway-public">>,<<"exp">>=>1732623279,<<"iat">>=>1732622979,<<"iss">>=><<"redacted">>,<<"jti">>=><<"a8efe2b9-9053-4a97-893d-fb93861a9672">>,<<"preferred_username">>=><<"redacted">>,<<"scope">>=><<"openid">>,<<"session_state">>=><<"eb14150b-a18d-4490-bc68-dbe98c2e6952">>,<<"sid">>=><<"eb14150b-a18d-4490-bc68-dbe98c2e6952">>,<<"sub">>=><<"9dac5c18-afde-4ebb-a7ed-3c3fafdfdab3">>,<<"typ">>=><<"Bearer">>}},
 #{<<"alg">>=><<"RS256">>,<<"kid">>=><<"zgeOJ-OVB1Ewd6M5nSDjftW7uXjJkxq17dWaPo7z420">>,<<"typ">>=><<"JWT">>}
 }

Any insight on why this verify_strict call is failing?

[maennchen]

@1player Thanks for the details. Do you know what is set in the AllowAlgorithms?

[1player]

Well this is embarassing. It is empty. After numerous tests, I forgot to set the signing_algs option to validate_jwt in my test case. Now that it is set as shown in the documentation, that validate_signature call works as expected.

Though validate_jwt still fails because the access token I'm given doesn't have any aud claim (

oidcc/src/oidcc_token.erl

Line 1013 in 08db6c6

ok ?= verify_aud_claim(Claims, ClientId, TrustedAudience),

) and I'm trying to figure out why Keycloak doesn't include that claim in the access token without wasting any more of your time.

Thanks for the patience.

[maennchen]

@1player Awesome that you found it! I’m still happy that you reported it. The errors you were getting in this case are wrong.

I’ll open an issue to improve that.