3 replies

[1.4.0] New jwks private key generated on each request?

I'm not exactly sure if that's a but or a feature, but after upgrading to 1.4.0 my JWT-based service is not able to verify tokens sent by client. After digging deeper I see the table

jwks

jwks

on local env has already >400 rows, each with different private key and 100 of them is returned on

/api/auth/jwks

/api/auth/jwks

which I guess is default list limit. Feels like each request create a new priv key entry (not sure which request)

select count(*) from jwks;

[
  {
    "count": "459"
  }
]

select count(*) from jwks;

[
  {
    "count": "459"
  }
]

My jwt server plugin setup:

jwt({
  jwt: {
    definePayload: async (data) => {
      // fetch additional details for the JWT token

      return { ...data, details };
    },
  },
}),

jwt({
  jwt: {
    definePayload: async (data) => {
      // fetch additional details for the JWT token

      return { ...data, details };
    },
  },
}),

In the service I check JWT which throws

const JWKS = createRemoteJWKSet(
  new URL(`${minionConfig.MINION_THE_BRIDGE_URL}/api/auth/jwks`),
);

export const validateJWTToken = async (token: string) => {
  try {
    const { payload } = await jwtVerify<JWTContent>(token, JWKS, {
      issuer: minionConfig.MINION_THE_BRIDGE_URL,
      audience: minionConfig.MINION_THE_BRIDGE_URL,
    });

    return payload;
  } catch (error) {
    logger.error({
      msg: "Token validation failed",
      error: error,
      token: token,
    });

    throw error;
  }
};

const JWKS = createRemoteJWKSet(
  new URL(`${minionConfig.MINION_THE_BRIDGE_URL}/api/auth/jwks`),
);

export const validateJWTToken = async (token: string) => {
  try {
    const { payload } = await jwtVerify<JWTContent>(token, JWKS, {
      issuer: minionConfig.MINION_THE_BRIDGE_URL,
      audience: minionConfig.MINION_THE_BRIDGE_URL,
    });

    return payload;
  } catch (error) {
    logger.error({
      msg: "Token validation failed",
      error: error,
      token: token,
    });

    throw error;
  }
};

The error:

{
    "code": "ERR_JWKS_NO_MATCHING_KEY",
    "name": "JWKSNoMatchingKey"
}

{
    "code": "ERR_JWKS_NO_MATCHING_KEY",
    "name": "JWKSNoMatchingKey"
}

[1.4.0] New jwks private key generated on each request?

I'm not exactly sure if that's a but or a feature, but after upgrading to 1.4.0 my JWT-based service is not able to verify tokens sent by client. After digging deeper I see the table

jwks

jwks

on local env has already >400 rows, each with different private key and 100 of them is returned on

/api/auth/jwks

/api/auth/jwks

which I guess is default list limit. Feels like each request create a new priv key entry (not sure which request)

select count(*) from jwks;

[
  {
    "count": "459"
  }
]

select count(*) from jwks;

[
  {
    "count": "459"
  }
]

My jwt server plugin setup:

jwt({
  jwt: {
    definePayload: async (data) => {
      // fetch additional details for the JWT token

      return { ...data, details };
    },
  },
}),

jwt({
  jwt: {
    definePayload: async (data) => {
      // fetch additional details for the JWT token

      return { ...data, details };
    },
  },
}),

In the service I check JWT which throws

const JWKS = createRemoteJWKSet(
  new URL(`${minionConfig.MINION_THE_BRIDGE_URL}/api/auth/jwks`),
);

export const validateJWTToken = async (token: string) => {
  try {
    const { payload } = await jwtVerify<JWTContent>(token, JWKS, {
      issuer: minionConfig.MINION_THE_BRIDGE_URL,
      audience: minionConfig.MINION_THE_BRIDGE_URL,
    });

    return payload;
  } catch (error) {
    logger.error({
      msg: "Token validation failed",
      error: error,
      token: token,
    });

    throw error;
  }
};

const JWKS = createRemoteJWKSet(
  new URL(`${minionConfig.MINION_THE_BRIDGE_URL}/api/auth/jwks`),
);

export const validateJWTToken = async (token: string) => {
  try {
    const { payload } = await jwtVerify<JWTContent>(token, JWKS, {
      issuer: minionConfig.MINION_THE_BRIDGE_URL,
      audience: minionConfig.MINION_THE_BRIDGE_URL,
    });

    return payload;
  } catch (error) {
    logger.error({
      msg: "Token validation failed",
      error: error,
      token: token,
    });

    throw error;
  }
};

The error:

{
    "code": "ERR_JWKS_NO_MATCHING_KEY",
    "name": "JWKSNoMatchingKey"
}

{
    "code": "ERR_JWKS_NO_MATCHING_KEY",
    "name": "JWKSNoMatchingKey"
}

[1.4.0] New jwks private key generated on each request?

[1.4.0] New jwks private key generated on each request?

Similar Threads