[Openid-specs-ab] Issue #180: Got "No key with kid: 2AAD3DAF" but key is in JWKS (openid/certification)
Jan Singer
issues-reply at bitbucket.org
Fri Oct 16 10:04:35 UTC 2015
New issue 180: Got "No key with kid: 2AAD3DAF" but key is in JWKS
https://bitbucket.org/openid/certification/issues/180/got-no-key-with-kid-2aad3daf-but-key-is-in
Jan Singer:
Although the key with the kid "2AAD3DAF" is in JWKS, I get an error that it is not:
```
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token', 'crypto': 'none', 'registration': 'static'}
Timestamp: 2015-10-16T09:54:27Z
Test description: Does the OP sign the ID Token and with what [Basic, Implicit, Hybrid]
Test ID: OP-IDToken-Signature
Issuer: https://singertc-prod.apigee.net/common/oidc
Test output
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
[-]
status: WARNING
info: No key with kid: 2AAD3DAF
Trace output
0.000293 ------------ DiscoveryRequest ------------
0.000306 Provider info discover from 'https://singertc-prod.apigee.net/common/oidc'
0.000312 --> URL: https://singertc-prod.apigee.net/common/oidc/.well-known/openid-configuration
0.134320 ProviderConfigurationResponse: {
"authorization_endpoint": "https://singertc-prod.apigee.net/common/oidc/authorize",
"claims_parameter_supported": false,
"grant_types_supported": [
"password",
"authorization_code",
"client_credentials",
"refresh_token"
],
"id_token_signing_alg_values_supported": [
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512",
"HS256",
"HS384",
"HS512"
],
"issuer": "https://singertc-prod.apigee.net/common/oidc",
"jwks_uri": "https://singertc-prod.apigee.net/common/oidc/jwks.json",
"request_parameter_supported": false,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_types_supported": [
"code",
"code id_token",
"id_token",
"token id_token"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://singertc-prod.apigee.net/common/oidc/token",
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"userinfo_endpoint": "https://singertc-prod.apigee.net/common/oidc/userinfo",
"version": "3.0"
}
0.193509 JWKS: {
"keys": [
{
"e": "AQAB",
"kid": "2AAD3DAF",
"kty": "RSA",
"n": "iHulgJLFDr6X-ocyivlOTH6Dhf-ioiuGs1FqjDZHbcVR6CbAq7PNRYZ2zdV6K8o3vrNvcHClkT_CukccjpHieE9grkVMFTZUSRLZ-qCOSg5r_PEBZvZCu0Nw28aNeExlpySvpqlvKsXTlSlyjvlOzr1NG2FjhKLf_mECrTtgzz12zWH-QXje2yareOfEka8qkojqCnBL7Y1yGIOAddHCs9NjDyQhubW7oJqKah8PbHRCXlw87b7_yOWduKGvWhrRZ2vlkQc70kefIUG-44BVQQ5YtHl-C3UpvXikxCIXpAoL4xjBVfgu3X5PN-7p4pdK65A4XKqe20bhOGdaJh2KYw",
"use": "sig"
}
]
}
0.195099 ------------ AuthorizationRequest ------------
0.195527 --> URL: https://singertc-prod.apigee.net/common/oidc/authorize?nonce=tyEaASYlv90u&state=8LPkXiqyx8gFreIa&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60330%2Fauthz_cb&response_type=id_token&client_id=j01OdGJazXcyZTrFRJxETYUGOGTbJL1c&scope=openid
0.195534 --> BODY: None
0.581689 QUERY_STRING:
1.855353 <-- state=8LPkXiqyx8gFreIa&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJBQUQzREFGIn0.eyJpc3MiOiJodHRwOi8vc2luZ2VydGMtcHJvZC5hcGlnZWUubmV0L2NvbW1vbi9vaWRjIiwiYXVkIjoiajAxT2RHSmF6WGN5WlRyRlJKeEVUWVVHT0dUYkpMMWMiLCJleHAiOjE0NDQ5OTI4NjYsImlhdCI6MTQ0NDk4OTI2Niwic3ViIjoiODU3NTVFNzgtOUMwOS00OUQ0LTg4MTQtRUYyNUYyN0I5OTMyIiwiZW1haWwiOiJ0ZXN0dXNlciIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJub25jZSI6InR5RWFBU1lsdjkwdSJ9.BuH4SfLzrNa1hhuVXnmBfxg_Pojk2ikVRKtskFHGrI7gUniMyJQdQGacbkDnfj1IlzsWyrOSocxwiZ_aSLxDNRlE9RbKbKCEhGF-_hOb7nCHn53ySFDPoMAPCOc7V0E3tjNaMUR2QiO31kk2x53OJxskcpDK0V7k2rf2z-NOeAgEMx3CT1TraWoZXrzjrKxcajAB-G205aHUvJ0IMPcVA5hopTcvwcIzsXD6RLTNObH-22ycVTUobSvjGp2dOmFysI2lihkAGwhqcaD1Mr2WgSqvLAibA1WnbDol8_rNvDAO6OK7rhkJBmWs1wZWqSwpMnF4goOf9YMkdgOyK98neQ
1.859353 [ERROR] NoSuitableSigningKeys:No key with kid: 2AAD3DAF
Result
PARTIAL RESULT
```
Can someone please advise how to fix this problem?
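Added example, not part of the original post and not the certification suite's code: a diagnostic that decodes the ID token's header and claims without verifying the signature, then checks the `kid` against the JWKS and the `iss` claim against the discovery `issuer`. The issuer, JWKS entry and token segments are copied from the trace above, with the RSA modulus and the signature left out; the function and finding names are made up for illustration.

```python
import base64
import json

# Copied from the trace: discovery issuer, the JWKS entry (RSA modulus "n"
# omitted, the lookup does not need it) and the ID token's header and payload
# segments. The signature is a placeholder; nothing here verifies it.
ISSUER = "https://singertc-prod.apigee.net/common/oidc"
JWKS = {"keys": [{"kid": "2AAD3DAF", "kty": "RSA", "use": "sig", "e": "AQAB"}]}
ID_TOKEN = ".".join([
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJBQUQzREFGIn0",
    "eyJpc3MiOiJodHRwOi8vc2luZ2VydGMtcHJvZC5hcGlnZWUubmV0L2NvbW1vbi9vaWRjIiwi"
    "YXVkIjoiajAxT2RHSmF6WGN5WlRyRlJKeEVUWVVHT0dUYkpMMWMiLCJleHAiOjE0NDQ5OTI4NjYs"
    "ImlhdCI6MTQ0NDk4OTI2Niwic3ViIjoiODU3NTVFNzgtOUMwOS00OUQ0LTg4MTQtRUYyNUYyN0I5OTMyIiwi"
    "ZW1haWwiOiJ0ZXN0dXNlciIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJub25jZSI6InR5RWFBU1lsdjkwdSJ9",
    "signature-omitted",
])

# JWS alg family prefix -> JWK key type it requires.
KTY_FOR_ALG = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}


def decode_segment(segment):
    """Decode one base64url JWT segment into a dict, restoring padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def diagnose(id_token, jwks, issuer):
    """Return (code, detail) findings that can break verification-key lookup."""
    header_seg, claims_seg, _signature = id_token.split(".")
    header, claims = decode_segment(header_seg), decode_segment(claims_seg)
    kid, alg = header.get("kid"), header.get("alg", "")
    sig_keys = [k for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"]
    matches = [k for k in sig_keys if k.get("kid") == kid]
    findings = []
    if kid is None and len(sig_keys) > 1:
        findings.append(("kid-missing", "no kid in token, several signing keys in JWKS"))
    elif kid is not None and not matches:
        findings.append(("kid-not-in-jwks", f"no signing key with kid {kid!r}"))
    for key in matches:
        if key.get("kty") != KTY_FOR_ALG.get(alg[:2]):
            findings.append(("kty-mismatch", f"alg {alg} cannot use kty {key.get('kty')}"))
    # OpenID Connect Core: iss must exactly match the issuer from discovery.
    if claims.get("iss") != issuer:
        findings.append(("iss-mismatch", f"iss {claims.get('iss')!r} != issuer {issuer!r}"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose(ID_TOKEN, JWKS, ISSUER):
        print(code, detail)
```

On this trace the `kid` lookup succeeds and the only finding is `iss-mismatch`: the token's `iss` begins with `http://` while discovery returned an `https://` issuer.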