Oidc-client-js: No key matching kid found in signing keys

Created on 10 Feb 2017 · 9 Comments · Source: IdentityModel/oidc-client-js

Hello,

I'm trying to sign in to an OIDC server based on MITREid Connect, however when I try to make a signinRedirect() using oidc-client-js, I get the error "No key matching kid found in signing keys".

I'm quite new to OIDC at the moment so I'm not sure if I'm missing some configuration. My sign in flow is written like this:

I've defined the UserManager globally like so:

var oidcSettings = {
  authority: 'http://<OIDC SERVER>/oidc',
  client_id: '<id defined in OIDC SERVER>',
  redirect_uri: 'http://localhost:3000/callback.html',
  post_logout_redirect_uri: 'http://localhost:3000/auth.html',
  response_type: 'id_token token',
  scope: 'openid profile email address phone'
};

var oidcMgr = new Oidc.UserManager(oidcSettings);

When the user clicks "Sign In", I simply do:

$('#button-signin').click(function() {
    oidcMgr.signinRedirect();
});

And send the user to callback.html, which does:

oidcMgr.signinRedirectCallback().then(function () {
    window.location = "index.html";
}).catch(function (e) {
    console.error(e);
    localStorage.setItem("sessionError", e);
});

And here I get the error I've mentioned.

What am I missing? Could I've missed some configuration on the OIDC server's side?

Thanks in advance for any help,
Best Regards

All 9 comments

Can you show an id_token and their metadata URL? Also, what version of the oidc-client are you using?

Hello,

I was using an older version provided by bower package manager. I updated it to the latest release provided here, and the error message is a bit more detailed: Error: No key matching kid or alg found in signing keys.

One of the ID tokens was: eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiYkRxYktHMjZhZ1p4S2YxTXdsZ2FyQSIsInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwiYXVkIjoiOGNmZDgxMWItZTczYy00NDliLTllZjEtNzk2MWMxYTk4YWUwIiwiYXV0aF90aW1lIjoxNDg2NzQ2ODI5LCJraWQiOiJyc2ExIiwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImV4cCI6MTQ4Njc0NzQ2MSwiaWF0IjoxNDg2NzQ2ODYxLCJub25jZSI6ImFjZDQxN2E4N2MwZjQzN2ZiOTYxMzRmNGU1MDU3MmU1IiwianRpIjoiMDVmY2MyZWEtNzc4Ni00N2JlLWI0MGItNjI2MTA0YWU4Zjc0In0.jMfUDmP_6qm3b60A-5le-klJgwlBv6YtVmIY2u41xqk4uJmnjlKWaTiq5UZavEMhupqTEm4Ru82BWdV9B8GrRlP4NbDQMm-pFULfSdLJQpxWHs-utx1QDp4CDSEJ9zFD5s6sAiXBEp9gy8WyCvpRbv9cl4c4p0MmFllIP1nziRyTrstjEmunsu2ckhJLM4_YZ_uQg_H5tP_8VOJlJ7s-oHPrF-sENCQwQy6-76xvRCCVZcA28hJM3e825e44C1lRjv0YQAwL7DmYedwzJLJQKgHHcKbOhcQq6mWdtjL_7jRPNwtnpO_DPba-3sFgdcG3BoSvcZrcsJyk2KvZTdYVLQ

Pardon my ignorance, but what do you mean by metadata URL? When I query the http://(OIDC SERVER)/jwk endpoint (JSON Web Key Set (public key)), it returns:

{"keys":[{
    "kty":"RSA",
    "e":"AQAB",
    "kid":"rsa1",
    "alg":"RS256",
    "n":"qt6yOiI_wCoCVlGO0MySsez0VkSqhPvDl3rfabOslx35mYEO-n4ABfIT5Gn2zN-CeIcOZ5ugAXvIIRWv5H55-tzjFazi5IKkOIMCiz5__MtsdxKCqGlZu2zt-BLpqTOAPiflNPpM3RUAlxKAhnYEqNha6-allPnFQupnW_eTYoyuzuedT7dSp90ry0ZcQDimntXWeaSbrYKCj9Rr9W1jn2uTowUuXaScKXTCjAmJVnsD75JNzQfa8DweklTyWQF-Y5Ky039I0VIu-0CIGhXY48GAFe2EFb8VpNhf07DP63p138RWQ1d3KPEM9mYJVpQC68j3wzDQYSljpLf9by7TGw"
}]}

Is this what you mean?

What could be wrong? Is it not interpreting signing key algorithm, or is it using an unsupported one?

Well, the id_token has a kid and that seems to match what's in the keys. Do you mind debugging thru the code to find where the validation seems to fail and decide the key doesn't match?

Oh, I bet it's because there's no "use":"sig" in the keys... I've been meaning to fix that. I'll fix it and update npm. Please hold.

Ok, I pushed [email protected] to npm. Please try again.

Ah, indeed that fixed it! Thank you very much.

I'm having an issue now. My OIDC server (Anvil Connect https://github.com/anvilresearch/connect) does not return a kid, but _does_ have a use key. It is choking on me as it can't figure out which key is for signing.

@blocka open a new issue if you think there's the need to make a change here to accommodate your situation
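The two failure modes discussed above (a JWKS entry with a kid but no "use" member, as MITREid returned; and, in the Anvil Connect report, entries with "use" but no kid) both come down to how a client selects the JWKS key that is allowed to verify the id_token. The following is an added example written for this thread, not code from oidc-client-js or from any of the posters: it decodes the JOSE header of a token and applies explicit selection rules. The `requireUse` option reproduces the behaviour reported before the fix (keys without "use":"sig" are ignored); the default treats a key with no "use" member as a signing key. The header segment is the real one from the id_token posted above; the payload and signature segments, the second JWKS and the moduli are constructed placeholders, since selection never reads them. It assumes Node.js for `Buffer`.

```javascript
// Added example (not oidc-client-js code): selecting the JWKS key that must
// verify an id_token, driven by the kid/alg in the token header. Only key
// selection is shown; the RS256 signature check itself is out of scope.

// base64url -> UTF-8. JWT segments are base64url without '=' padding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Parse the JOSE header (first segment) of a compact JWS such as an id_token.
function decodeJwtHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return JSON.parse(base64UrlDecode(parts[0]));
}

// Return the single key allowed to verify this header, or null.
// opts.requireUse = true mirrors the pre-fix behaviour described in the thread:
// keys without "use":"sig" are ignored. With false (the fix), a key that has
// no "use" member at all is treated as a signing key.
function selectSigningKey(header, jwks, opts = { requireUse: false }) {
  if (!header || header.alg !== 'RS256') return null; // this example handles RS256 only
  const candidates = (jwks.keys || []).filter(k =>
    k.kty === 'RSA' &&
    (opts.requireUse ? k.use === 'sig' : (k.use === undefined || k.use === 'sig')) &&
    (k.alg === undefined || k.alg === header.alg)
  );
  if (header.kid !== undefined) {
    // kid present in the header: it must match exactly one candidate.
    const byKid = candidates.filter(k => k.kid === header.kid);
    return byKid.length === 1 ? byKid[0] : null;
  }
  // No kid in the header (Anvil Connect style): accept only an unambiguous
  // single candidate; never guess between several.
  return candidates.length === 1 ? candidates[0] : null;
}

// The kind of message a client surfaces when selection fails.
function describeSelection(token, jwks, opts) {
  const key = selectSigningKey(decodeJwtHeader(token), jwks, opts);
  return key
    ? `verify with kid=${key.kid === undefined ? '(none)' : key.kid}`
    : 'No key matching kid or alg found in signing keys';
}

// --- Sample data ----------------------------------------------------------
// Header segment is the real one from the id_token posted above; the payload
// ("{}") and signature ("sig") segments are constructed placeholders.
const MITREID_TOKEN = 'eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.e30.c2ln';

// Shape of the MITREid JWKS posted above: kid and alg, but no "use" member.
// The modulus is a placeholder; selection never reads it.
const MITREID_JWKS = { keys: [
  { kty: 'RSA', e: 'AQAB', kid: 'rsa1', alg: 'RS256', n: '<modulus omitted>' },
] };

// Constructed Anvil Connect style JWKS: "use" present, no kid. The "enc" key
// must be skipped even though it is the same key type.
const NO_KID_JWKS = { keys: [
  { kty: 'RSA', use: 'sig', e: 'AQAB', n: '<modulus omitted>' },
  { kty: 'RSA', use: 'enc', e: 'AQAB', n: '<modulus omitted>' },
] };
// Constructed token whose header is {"alg":"RS256"} with no kid.
const NO_KID_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.e30.c2ln';

// Runs the three cases from the thread and returns their outcomes.
function demo() {
  return {
    header: decodeJwtHeader(MITREID_TOKEN),                                   // { kid: 'rsa1', alg: 'RS256' }
    beforeFix: describeSelection(MITREID_TOKEN, MITREID_JWKS, { requireUse: true }), // the reported error
    afterFix: describeSelection(MITREID_TOKEN, MITREID_JWKS),                 // verify with kid=rsa1
    noKid: describeSelection(NO_KID_TOKEN, NO_KID_JWKS),                      // verify with kid=(none)
  };
}
```

Calling `demo()` shows the MITREid header decoding to kid `rsa1` / alg `RS256`, the selection failing only when "use":"sig" is mandatory, and the no-kid JWKS resolving because exactly one signing candidate remains. A kid in the header that matches no key, or more than one candidate when the header has no kid, both return null rather than a guessed key.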

After switching from "Test" IdentityServer configuration to EF Core storage and ASP.NET Core Identity configuration, on my JS client, I'm getting this error ("No key matching kid or alg found in signing keys").

jwks endpoint returns:

{
  "keys":
  [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "ba583f56ce1a7a1e0a09236d7205fd78",
      "e": "AQAB",
      "n": "ykISgU8UZV4klvnBC_7jv8lcQyMdLxOOkV-73WueVb0MjBxTOfK0nYzBSs0-ouPC5gLtkC4TqL3kGGZQOIMV7AZV6G81BhRsA1y2Zy00NtlPRKwU7Y_VUGdH9aGtE4CwyVXmkENxKh8VpETsIaYuAjQdz75YQQoOjdVFyEeVoRMmaFzgx5wBinWpR4i8AKn554KW2vk6gIfcwUm18RimJiOA4lglbAJB-Ihw-zFzRzzbdVw90avvAPugqDA2pWKEeyl6CQVied7fIGUldCIkstMzZPM-Yg1a_GQOvtOZb1mVN_Y3QUJGmL9uRGVIwiILRbDYc0Q9JJPMgM2pI2tb3Q"
    }
  ]
}