Invalid header in ID Token

  • Maciej Wiśniowski
    Participant
    # 3 months, 2 weeks ago

    Hello

    I’m evaluating miniOrange for OAuth2 + OpenID Connect. I’ve configured miniOrange as the IdP and used the OAuth endpoints to authenticate, but it seems that the IdToken received has an invalid header signature. It seems to always be: {'kid': '1', 'typ': 'JWT', 'alg': 'RS256'}

    I call the authorize endpoint using a URL like this (tried with/without opened scope – no difference):

    https://login.xecurify.com/moas/idp/openidsso?response_type=code&client_id=<myclientid>&redirect_uri=https%3A%2F%2Fmydomain.local%2Fcallback&scope=openid+profile+email&state=9W4yISyqzaDyS0XSffOKrHs8Dps3wV

    I receive a grant code and then (after the /token endpoint call) a valid access token (works with the userinfo endpoint) and an idtoken containing user data, but the header always has kid: 1, which makes it impossible to validate the token against JDK: https://login.xecurify.com/moas/.well-known/jwks

    The same issue seems to be with the sample provided in miniOrange docs:
    https://developers.miniorange.com/docs/idp/api/openid-api-guide

    The sample token in the docs is: "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o"

    When decoded using e.g. https://www.jsonwebtoken.io/ it also shows the header as {
    "typ": "JWT",
    "alg": "RS256",
    "kid": "1"
    }

    What is wrong with that?

    Kalpesh
    Keymaster
    # 3 months, 1 week ago

    Hi Maciej,

    This possibly looks like an issue with the setup; probably the wrong RSA key is configured in the plugin, which is causing the invalid signature issue.

    Can you please email us screenshots of your configuration?

    We can also schedule a screen sharing session for the same.
