[Openid-specs-ab] Issue #180: Got "No key with kid: 2AAD3DAF" but key is in JWKS (openid/certification)

Jan Singer issues-reply at bitbucket.org
Fri Oct 16 10:04:35 UTC 2015


New issue 180: Got "No key with kid: 2AAD3DAF" but key is in JWKS
https://bitbucket.org/openid/certification/issues/180/got-no-key-with-kid-2aad3daf-but-key-is-in

Jan Singer:

Although the key with the kid "2AAD3DAF" is in JWKS, I get an error that it is not:

```
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token', 'crypto': 'none', 'registration': 'static'}
Timestamp: 2015-10-16T09:54:27Z
Test description: Does the OP sign the ID Token and with what [Basic, Implicit, Hybrid]
Test ID: OP-IDToken-Signature
Issuer: https://singertc-prod.apigee.net/common/oidc
Test output


__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
[-]
	status: WARNING
	info: No key with kid: 2AAD3DAF

Trace output


0.000293 ------------ DiscoveryRequest ------------
0.000306 Provider info discover from 'https://singertc-prod.apigee.net/common/oidc'
0.000312 --> URL: https://singertc-prod.apigee.net/common/oidc/.well-known/openid-configuration
0.134320 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://singertc-prod.apigee.net/common/oidc/authorize",
  "claims_parameter_supported": false,
  "grant_types_supported": [
    "password",
    "authorization_code",
    "client_credentials",
    "refresh_token"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "HS256",
    "HS384",
    "HS512"
  ],
  "issuer": "https://singertc-prod.apigee.net/common/oidc",
  "jwks_uri": "https://singertc-prod.apigee.net/common/oidc/jwks.json",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_types_supported": [
    "code",
    "code id_token",
    "id_token",
    "token id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://singertc-prod.apigee.net/common/oidc/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://singertc-prod.apigee.net/common/oidc/userinfo",
  "version": "3.0"
}
0.193509 JWKS: {
  "keys": [
    {
      "e": "AQAB",
      "kid": "2AAD3DAF",
      "kty": "RSA",
      "n": "iHulgJLFDr6X-ocyivlOTH6Dhf-ioiuGs1FqjDZHbcVR6CbAq7PNRYZ2zdV6K8o3vrNvcHClkT_CukccjpHieE9grkVMFTZUSRLZ-qCOSg5r_PEBZvZCu0Nw28aNeExlpySvpqlvKsXTlSlyjvlOzr1NG2FjhKLf_mECrTtgzz12zWH-QXje2yareOfEka8qkojqCnBL7Y1yGIOAddHCs9NjDyQhubW7oJqKah8PbHRCXlw87b7_yOWduKGvWhrRZ2vlkQc70kefIUG-44BVQQ5YtHl-C3UpvXikxCIXpAoL4xjBVfgu3X5PN-7p4pdK65A4XKqe20bhOGdaJh2KYw",
      "use": "sig"
    }
  ]
}
0.195099 ------------ AuthorizationRequest ------------
0.195527 --> URL: https://singertc-prod.apigee.net/common/oidc/authorize?nonce=tyEaASYlv90u&state=8LPkXiqyx8gFreIa&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60330%2Fauthz_cb&response_type=id_token&client_id=j01OdGJazXcyZTrFRJxETYUGOGTbJL1c&scope=openid
0.195534 --> BODY: None
0.581689 QUERY_STRING:
1.855353 <-- state=8LPkXiqyx8gFreIa&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJBQUQzREFGIn0.eyJpc3MiOiJodHRwOi8vc2luZ2VydGMtcHJvZC5hcGlnZWUubmV0L2NvbW1vbi9vaWRjIiwiYXVkIjoiajAxT2RHSmF6WGN5WlRyRlJKeEVUWVVHT0dUYkpMMWMiLCJleHAiOjE0NDQ5OTI4NjYsImlhdCI6MTQ0NDk4OTI2Niwic3ViIjoiODU3NTVFNzgtOUMwOS00OUQ0LTg4MTQtRUYyNUYyN0I5OTMyIiwiZW1haWwiOiJ0ZXN0dXNlciIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJub25jZSI6InR5RWFBU1lsdjkwdSJ9.BuH4SfLzrNa1hhuVXnmBfxg_Pojk2ikVRKtskFHGrI7gUniMyJQdQGacbkDnfj1IlzsWyrOSocxwiZ_aSLxDNRlE9RbKbKCEhGF-_hOb7nCHn53ySFDPoMAPCOc7V0E3tjNaMUR2QiO31kk2x53OJxskcpDK0V7k2rf2z-NOeAgEMx3CT1TraWoZXrzjrKxcajAB-G205aHUvJ0IMPcVA5hopTcvwcIzsXD6RLTNObH-22ycVTUobSvjGp2dOmFysI2lihkAGwhqcaD1Mr2WgSqvLAibA1WnbDol8_rNvDAO6OK7rhkJBmWs1wZWqSwpMnF4goOf9YMkdgOyK98neQ
1.859353 [ERROR] NoSuitableSigningKeys:No key with kid: 2AAD3DAF

Result
PARTIAL RESULT

```

Can someone please advise how to fix this problem?
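
A diagnostic sketch for the trace above, added here as an example and not part of the original post or of the certification suite's code: it decodes the unverified header and payload of the returned ID Token and compares `kid` against the JWKS and `iss`, `aud` and `nonce` against the discovery document and the authorization request. The function names `b64url_json` and `diagnose` are hypothetical; all values are copied from the trace.

```python
import base64
import json

# Values copied from the trace in the post above.
DISCOVERY_ISSUER = "https://singertc-prod.apigee.net/common/oidc"
JWKS_KIDS = ["2AAD3DAF"]  # kid values present in the JWKS response
CLIENT_ID = "j01OdGJazXcyZTrFRJxETYUGOGTbJL1c"
NONCE = "tyEaASYlv90u"
# Header and payload segments of the returned id_token. The signature
# segment is left out because nothing is verified here, only decoded.
ID_TOKEN_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjJBQUQzREFGIn0"
ID_TOKEN_PAYLOAD = (
    "eyJpc3MiOiJodHRwOi8vc2luZ2VydGMtcHJvZC5hcGlnZWUubmV0L2NvbW1vbi9vaWRjIiwi"
    "YXVkIjoiajAxT2RHSmF6WGN5WlRyRlJKeEVUWVVHT0dUYkpMMWMi"
    "LCJleHAiOjE0NDQ5OTI4NjYsImlhdCI6MTQ0NDk4OTI2Niwic3ViIjoi"
    "ODU3NTVFNzgtOUMwOS00OUQ0LTg4MTQtRUYyNUYyN0I5OTMyIiwi"
    "ZW1haWwiOiJ0ZXN0dXNlciIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJub25jZSI6"
    "InR5RWFBU1lsdjkwdSJ9"
)


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(header_seg, payload_seg, issuer, jwks_kids, client_id, nonce):
    """Compare unverified token fields with what the RP learned earlier."""
    header = b64url_json(header_seg)
    claims = b64url_json(payload_seg)
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "kid_in_jwks": header.get("kid") in jwks_kids,
        "token_iss": claims.get("iss"),
        # Issuer comparison is an exact string match, scheme included.
        "iss_matches_discovery": claims.get("iss") == issuer,
        "aud_contains_client": client_id in aud_list,
        "nonce_matches": claims.get("nonce") == nonce,
    }


if __name__ == "__main__":
    report = diagnose(ID_TOKEN_HEADER, ID_TOKEN_PAYLOAD,
                      DISCOVERY_ISSUER, JWKS_KIDS, CLIENT_ID, NONCE)
    for field, value in report.items():
        print(f"{field}: {value}")
```

On this trace the `kid` is found in the JWKS, while the token's `iss` uses `http://` where the discovery document gives `https://`.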