BA
Better Auth2d ago
Jakub Różycki

[1.4.0] New jwks private key generated on each request?

I'm not exactly sure if that's a but or a feature, but after upgrading to 1.4.0 my JWT-based service is not able to verify tokens sent by client. After digging deeper I see the table jwks on local env has already >400 rows, each with different private key and 100 of them is returned on /api/auth/jwks which I guess is default list limit. Feels like each request create a new priv key entry (not sure which request) 
select count(*) from jwks;

[
  {
    "count": "459"
  }
]
select count(*) from jwks;

[
  {
    "count": "459"
  }
]
My jwt server plugin setup: 
jwt({
  jwt: {
    definePayload: async (data) => {
      // fetch additional details for the JWT token

      return { ...data, details };
    },
  },
}),
jwt({
  jwt: {
    definePayload: async (data) => {
      // fetch additional details for the JWT token

      return { ...data, details };
    },
  },
}),
In the service I check JWT which throws 
const JWKS = createRemoteJWKSet(
  new URL(`${minionConfig.MINION_THE_BRIDGE_URL}/api/auth/jwks`),
);

export const validateJWTToken = async (token: string) => {
  try {
    const { payload } = await jwtVerify<JWTContent>(token, JWKS, {
      issuer: minionConfig.MINION_THE_BRIDGE_URL,
      audience: minionConfig.MINION_THE_BRIDGE_URL,
    });

    return payload;
  } catch (error) {
    logger.error({
      msg: "Token validation failed",
      error: error,
      token: token,
    });

    throw error;
  }
};
const JWKS = createRemoteJWKSet(
  new URL(`${minionConfig.MINION_THE_BRIDGE_URL}/api/auth/jwks`),
);

export const validateJWTToken = async (token: string) => {
  try {
    const { payload } = await jwtVerify<JWTContent>(token, JWKS, {
      issuer: minionConfig.MINION_THE_BRIDGE_URL,
      audience: minionConfig.MINION_THE_BRIDGE_URL,
    });

    return payload;
  } catch (error) {
    logger.error({
      msg: "Token validation failed",
      error: error,
      token: token,
    });

    throw error;
  }
};
The error: 
{
    "code": "ERR_JWKS_NO_MATCHING_KEY",
    "name": "JWKSNoMatchingKey"
}
{
    "code": "ERR_JWKS_NO_MATCHING_KEY",
    "name": "JWKSNoMatchingKey"
}
2 Replies
Jakub Różycki
Jakub RóżyckiOP2d ago
After short investigation I'd say (not 100% sure) that 1.4.0-beta.25 is last working version which generates single priv key
Ping
Ping2d ago
cc @bekacru

Did you find this page helpful?