Invalid header in ID Token

  • Maciej Wiśniowski
    Participant
    # 7 months ago

    Hello

    I’m evaluating miniOrange for the Oauth2 + OpenId Connect. I’ve configured miniOrange as IdP and used OAuth endpoints to authenticate but it seems that IdToken received has invalid header signature. It seems to be always: {‘kid’: ‘1’, ‘typ’: ‘JWT’, ‘alg’: ‘RS256’}

    I call the authorize endpointwith using the URL like (tried with/without opened scope – no difference):

    https://login.xecurify.com/moas/idp/openidsso?response_type=code&client_id=<myclientid>&redirect_uri=https%3A%2F%2Fmydomain.local%2Fcallback&scope=openid+profile+email&state=9W4yISyqzaDyS0XSffOKrHs8Dps3wV

    I receive a grant code and then (after the /token endpoint call) valid access token (works with userinfo endpoint) and idtoken, containing user data, but the header has always kid: 1 which makes it impossible to validate token against JDK: https://login.xecurify.com/moas/.well-known/jwks

    The same issue seems to be with the sample provided in miniOrange docs:
    https://developers.miniorange.com/docs/idp/api/openid-api-guide

    The sample token in the docs is: “id_token”:”eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o”

    When decoded using eg. https://www.jsonwebtoken.io/ it also shows the header as {
    “typ”: “JWT”,
    “alg”: “RS256”,
    “kid”: “1”
    }

    What is wrong with that?

    Kalpesh
    Keymaster
    # 6 months, 3 weeks ago

    Hi Maciej,

    This possibly looks like an issue with the setup and probably wrong RSA key is configured in the plugin which is causing invalid signature issue.

    Can you please email us screenshots of your configuration?

    We can also schedule a screen sharing session for the same.

    Charles Masson
    Participant
    # 1 week ago

    Hello,

    I have the exact same issue.
    I made my app compatible with both SAML and OIDC.
    No issues with SAML so far but for OIDC, the ‘kid’ from the header is always 1, just like Maciej said.

    Kalpesh, What “plugin” are you talking about ?
    Any way to fix this issue soon ?

    Seems like a bug with miniOrange as an IdP provider since I had no similar issues with any other IdP (Tested on 3 IdP so far).

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.