no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"} #10328

mikele-dev · 2024-03-15T07:41:08Z

mikele-dev
Mar 15, 2024

Dear community,

I am trying to use next-auth for a custom OIDC provider of a customer. In postman I get a token, so the credentials seem correct.
When I use it in my app I get redirected to their idp-website, can login and get redircted to my next.js app on localhost.

Unfortunately I get the error message in my console:

message: `no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"}`

This is my setting in next-auth:

{
      id: "XXXXX_login",
      name: "XXXXX Login",
      type: "oauth",
      wellKnown: "https://idp.dev.XXXXX.com/auth/.well-known/openid-configuration",
      authorization: {
         params: { scope: "openid email profile offline_access" }
      },
      profile(profile) {
      console.log(profile);
      return {         
      id: profile.sub,
      name: profile.name,
      email: profile.email,
      image: profile.picture,
      };
      },
      clientId: "XXXXX",
      clientSecret: process.env.XXXXX,
   },

Here is the complete log:

✓ Compiled in 192ms (644 modules)                                                                                                                                                                   
 ✓ Compiled /api/auth/[...nextauth] in 115ms (255 modules)                                                                                                                                           
[next-auth][warn][DEBUG_ENABLED]                                                                                                                                                                     
https://next-auth.js.org/warnings#debug_enabled                                                                                                                                                      
 ✓ Compiled in 28ms (255 modules)                                                                                                                                                                    
[next-auth][debug][CREATE_STATE] { value: 'D9oINJ9m_4BdVYMAVpzMmjfC6tMaM6sYd5WaUvdscP4', maxAge: 900 }                                                                                               
[next-auth][debug][GET_AUTHORIZATION_URL] {                                                                                                                                                          
  url: 'https://idp.dev.XXXXX.com/auth/XXXXX/authorize?client_id=XXXXX-XXXXX-2023-dev&scope=openid%20email%20profile%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A3
000%2Fapi%2Fauth%2Fcallback%2FXXXXX_login&state=D9oINJ9m_4BdVYMAVpzMmjfC6tMaM6sYd5WaUvdscP4',                                                                                                        
  cookies: [                                                                                                                                                                                         
    {                                                                                                                                                                                                
      name: '__Secure-next-auth.state',                                                                                                                                                              
      value: 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..qV0Hu_cNpDQ8qepO.GKI5uq73tlk__BfiGt52vy2JAf86pfwk42JUMP1PQ4MXmBMUI7ZT28eYTR_MfxnLEDJ-nkghX8BswsOcZLJIe8lrPkSvFcdeWt9q7g6WDe9ORD5CLsTp4O9tAFM7I
_LACKSrws1TcTO3sWBC9XUFSEeBNsVRHyXfKxfkltf-K2M_icVMbms.4AYcyGfLQ9J_POhk3FBKAQ',                                                                                                                      
      options: [Object]                                                                                                                                                                              
    }                                                                                                                                                                                                
  ],                                                                                                                                                                                                 
  provider: {                                                                                                                                                                                        
    id: 'XXXXX_login',                                                                                                                                                                               
    name: 'XXXXX Login',                                                                                                                                                                             
    type: 'oauth',                                                                                                                                                                                   
    wellKnown: 'https://idp.dev.XXXXX.com/auth/.well-known/openid-configuration',                                                                                                                    
    authorization: { params: [Object] },                                                                                                                                                             
    profile: [Function: profile],                                                                                                                                                                    
    clientId: 'XXXXX-XXXXX-XXXXXX-dev',                                                                                                                                                              
    clientSecret: 'XXXXXXXX',                                                                                                                                                  
    idToken: true,                                                                                                                                                                                   
    checks: [ 'state' ],                                                                                                                                                                             
    signinUrl: 'https://localhost:3000/api/auth/signin/XXXXX_login',                                                                                                                                 
    callbackUrl: 'https://localhost:3000/api/auth/callback/XXXXX_login'                                                                                                                              
  }                                                                                                                                                                                                  
}                                                                                                                                                                                                    
(node:23547) ExperimentalWarning: The Fetch API is an experimental feature. This feature could change at any time                                                                                    
(Use `node --trace-warnings ...` to show where the warning was created)                                                                                                                              
[next-auth][warn][DEBUG_ENABLED]                                                                                                                                                                     
https://next-auth.js.org/warnings#debug_enabled                                                                                                                                                      
(node:23549) ExperimentalWarning: The Fetch API is an experimental feature. This feature could change at any time                                                                                    
(Use `node --trace-warnings ...` to show where the warning was created)                                                                                                                              
[next-auth][error][OAUTH_CALLBACK_ERROR]                                                                                                                                                             
https://next-auth.js.org/errors#oauth_callback_error no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"} {                   
  error: RPError: no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"}                                                        
      at Issuer.queryKeyStore (webpack-internal:///(rsc)/./node_modules/openid-client/lib/helpers/issuer.js:72:15)                                                                                   
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)                                                                                                                  
      at async Client.validateJWT (webpack-internal:///(rsc)/./node_modules/openid-client/lib/client.js:963:20)                                                                                      
      at async Client.validateIdToken (webpack-internal:///(rsc)/./node_modules/openid-client/lib/client.js:651:53)                                                                                  
      at async Client.callback (webpack-internal:///(rsc)/./node_modules/openid-client/lib/client.js:430:13)                                                                                         
      at async oAuthCallback (webpack-internal:///(rsc)/./node_modules/next-auth/core/lib/oauth/callback.js:118:22)                                                                                  
      at async Object.callback (webpack-internal:///(rsc)/./node_modules/next-auth/core/routes/callback.js:18:79)                                                                                    
      at async AuthHandler (webpack-internal:///(rsc)/./node_modules/next-auth/core/index.js:202:38)                                                                                                 
      at async NextAuthRouteHandler (webpack-internal:///(rsc)/./node_modules/next-auth/next/index.js:50:30)                                                                                         
      at async NextAuth._args$ (webpack-internal:///(rsc)/./node_modules/next-auth/next/index.js:85:24)                                                                                              
      at async /Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:63809                     
      at async eU.execute (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:53964)        
      at async eU.handle (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:65062)         
      at async doRender (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:1333:42)                                  
      at async cacheEntry.responseCache.get.routeKind (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:1543:40)    
      at async DevServer.renderToResponseWithComponentsImpl (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:1463:2
8)                                                                                                                                                                                                   
      at async DevServer.renderPageComponent (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:1856:24)             
      at async DevServer.renderToResponseImpl (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:1894:32)            
      at async DevServer.pipeImpl (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:911:25)                         
      at async NextNodeServer.handleCatchallRenderRequest (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/next-server.js:271:17) 
      at async DevServer.handleRequestImpl (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/base-server.js:807:17)                
      at async /Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/dev/next-dev-server.js:331:20                                      
      at async Span.traceAsyncFn (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/trace/trace.js:151:20)                                 
      at async DevServer.handleRequest (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/dev/next-dev-server.js:328:24)            
      at async invokeRender (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/lib/router-server.js:163:21)                         
      at async handleRequest (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/lib/router-server.js:342:24)                        
      at async NextCustomServer.requestHandlerImpl [as requestHandler] (/Users/XXXXX/Desktop/sammlung/GESCHÄFT/Development/XXXXX-XXXXX-frontend/node_modules/next/dist/server/lib/router
-server.js:366:13) {                                                                                                                                                                                 
    name: 'OAuthCallbackError',                                                                                                                                                                      
    code: undefined                                                                                                                                                                                  
  },                                                                                                                                                                                                 
  providerId: 'XXXXX_login',                                                                                                                                                                         
  message: `no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"}`                                                             
}

Here is the content of the .well-known:

{"issuer":"https://idp.dev.XXXXX.com/auth","jwks_uri":"https://idp.dev.XXXXX.com/auth/.well-known/openid-configuration/jwks","authorization_endpoint":"https://idp.dev.XXXXX.com/auth/connect/authorize","token_endpoint":"https://idp.dev.XXXXX.com/auth/connect/token","userinfo_endpoint":"https://idp.dev.XXXXX.com/auth/connect/userinfo","end_session_endpoint":"https://idp.dev.XXXXX.com/auth/connect/endsession","check_session_iframe":"https://idp.dev.XXXXX.com/auth/connect/checksession","revocation_endpoint":"https://idp.dev.XXXXX.com/auth/connect/revocation","introspection_endpoint":"https://idp.dev.XXXXX.com/auth/connect/introspect","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"id_token_signing_alg_values_supported":["RS256"],"subject_types_supported":["public"],"code_challenge_methods_supported":["plain","S256"],"request_parameter_supported":true}

And here of the jwks configuation:

{"keys":[{"kty":"RSA","use":"sig","kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","x5t":"nlQk_OLOWYZVOF0bqH-j_w0GAw4","e":"AQAB","n":"1_6_PTp9geeqtsYYmcqELEHC5ziquEdKGCM7GIkAn50qP8bQcqL7dvAm5cRK9MLUlIh58ArbnB8U6MQ1yMMa_dbNzSl35iKvVU3H92qWR0ne5OQ_k7zLLSZIoQJ_wTNw7AjHjgtGINQnkDatD5Z5FwVt_l7znE3zcHRAo5PIbVe77l_qmpD4VAPeYpCUwegNLthDCg1TChNEtAasy0ZPdRh1LquPSwedhyQBLhGG5ejRwYKhSK_DIiEK1Gwxa7fk2sW-RcJjJOFyrP3SBlr5X2M0hEw6wxjRLz0s4Wm7P_5tnVGqsjn7LR_XmXksLzwGkBkjshAZAOG4iEuOZrkwMLgwifAqM1sD3v2LzMQJk8pMiWXpwsddm7MGO14dnNLkDwXj_-xkrxnOYIeE6W5Sbi0XEBq-l5IF44QXvpDvkm-LCtv-aHGv_76qPPkYQGHqgslYy0T4_MQd0SCuyEsns9HT-Av7f0mi134l5IfdItTcCGRLXkwwEvfQY4bA8SGqWJEyl0ZzGpXNCSpItNYQANDvufIrn3pnmrqV0Gl8qIt9u3qWMdycRbqTuoRBR4inoLS7eYcVtg9fz81N4h8nZd9uICGZKIcF61M0eSTjnYCObxEPSsf3AlQ4PyPw8vSz2ix-l7j7VDJ8Nly9i3_yosSdaS0mqZX8LBeVPAw5QjE","x5c":["MIIFuzCCA6OgAwIBAgIUQ4ekjezTiJZ4CnJKObWpimm09IQwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzETMBEGA1UEBwwKU2Nocm96YmVyZzETMBEGA1UECgwKSEFLUk8gR21iSDEXMBUGA1UEAwwOSEFLUk8gSWRlbnRpdHkwHhcNMTkxMTEzMTMyNDA2WhcNMjkxMjMwMTMyNDA2WjBtMQswCQYDVQQGEwJERTEbMBkGA1UECAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRMwEQYDVQQHDApTY2hyb3piZXJnMRMwEQYDVQQKDApIQUtSTyBHbWJIMRcwFQYDVQQDDA5IQUtSTyBJZGVudGl0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANf+vz06fYHnqrbGGJnKhCxBwuc4qrhHShgjOxiJAJ+dKj/G0HKi+3bwJuXESvTC1JSIefAK25wfFOjENcjDGv3Wzc0pd+Yir1VNx/dqlkdJ3uTkP5O8yy0mSKECf8EzcOwIx44LRiDUJ5A2rQ+WeRcFbf5e85xN83B0QKOTyG1Xu+5f6pqQ+FQD3mKQlMHoDS7YQwoNUwoTRLQGrMtGT3UYdS6rj0sHnYckAS4RhuXo0cGCoUivwyIhCtRsMWu35NrFvkXCYyThcqz90gZa+V9jNIRMOsMY0S89LOFpuz/+bZ1RqrI5+y0f15l5LC88BpAZI7IQGQDhuIhLjma5MDC4MInwKjNbA979i8zECZPKTIll6cLHXZuzBjteHZzS5A8F4//sZK8ZzmCHhOluUm4tFxAavpeSBeOEF76Q75Jviwrb/mhxr/++qjz5GEBh6oLJWMtE+PzEHdEgrshLJ7PR0/gL+39Jotd+JeSH3SLU3AhkS15MMBL30GOGwPEhqliRMpdGcxqVzQkqSLTWEADQ77nyK596Z5q6ldBpfKiLfbt6ljHcnEW6k7qEQUeIp6C0u3mHFbYPX8/NTeIfJ2XfbiAhmSiHBetTNHkk452Ajm8RD0rH9wJUOD8j8PL0s9osfpe4+1QyfDZcvYt/8qLEnWktJqmV/CwXlTwMOUIxAgMBAAGjUzBRMB0GA1UdDgQWBBTIGIfIX/nWA4KFs2dii7BvxATKNDAfBgNVHSMEGDAWgBTIGIfIX/nWA4KFs2dii7BvxATKNDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQC9JqVXE0djJSMbm8G1CMsic1LOvwggekiqx2y8puyo7oinhu/6OOZxirct4UEHpLit7ljnFiYQeDqpdHTUH7GqZA+xEeg391CUz/VADE8zbHXsqmlBHiQOHI5QlkLodeC6nI4rMeyRdLQr3V1btCLHUylRf5uMAusHxmOmjMW/9w80VDrUUWdh9yinKZ1Ehj1aon7RPLAlG6W/1B5wpCtAf+g0N06wOiVGzGnsW4vTW6z1EHGn2cPhTN3vQQEQezn4rdR89r9a7SQAeJ17k4SSUf/RTq4Vy56S/FccsfbYv3YvXQ+Y5RahUdLC+Rx1Mw8Jkk9RpufqNfehoOrntdDi4Dt97SSuQrafcA9GSloc2DjgyI806LC/lkvLAjrKrjU2qddRHbWREkdTNFwl2si17SFGNu8BVnN6ERv9aPc5ScI+XTRw01xbsKbzyjSfz8Eu0+zLkp+VCC0VldVtIfIHdvTgQJIoV+blvZtgF1PWs0CKNNkdXAb8wv4I6GGGLPUS2TOZAxKPMGT8zwyTn3a30to5AUFrMdHkLymkGi+paXy8eSpxLQrrQCnKfSBTt2H00AlgzbhX1e6Q9m63qtYzZDCUeHp3LQlbo2/K0dOZyTXrqVrsBknc7K5iKg2Kz67a+9U8IqFblFIX+WdUQqw1P0s4D3JPMZTa7hhjaLzAxw=="],"alg":"RSA"}]}

At the very end you can see the alg "RSA". Could this be a mismatch?

I also tried to define it in next-auth like this:

{
      id: "XXXXX_login",
      name: "XXXXX Login",
      type: "oauth",
      token: "https://idp.dev.XXXXX.com/auth/connect/token",
      issuer:  "https://idp.dev.XXXXX.com/auth",
      jwks_endpoint: "https://idp.dev.XXXXX.com/auth/.well-known/openid-configuration/jwks",
      client: {
         authorization_signed_response_alg: 'RSA',
         id_token_signed_response_alg: 'RSA'
     },

      authorization: {
         url: "https://idp.dev.XXXXX.com/auth/connect/authorize",
         params: { scope: "openid email profile offline_access" }
      },
      profile(profile) {
      console.log(profile);
      return {         
      id: profile.sub,
      name: profile.name,
      email: profile.email,
      image: profile.picture,
      };
      },
      clientId: "XXXXX-XXXXX-XXXXX-XXXXX",
      clientSecret: process.env.XXXXX_CLIENT_SECRET,
   },

AND with RS256

{
      id: "XXXXX_login",
      name: "XXXXX Login",
      type: "oauth",
      token: "https://idp.dev.XXXXX.com/auth/connect/token",
      issuer:  "https://idp.dev.XXXXX.com/auth",
      jwks_endpoint: "https://idp.dev.XXXXX.com/auth/.well-known/openid-configuration/jwks",
      client: {
         authorization_signed_response_alg: 'RS256',
         id_token_signed_response_alg: 'RS256'
     },

      authorization: {
         url: "https://idp.dev.XXXXX.com/auth/connect/authorize",
         params: { scope: "openid email profile offline_access" }
      },
      profile(profile) {
      console.log(profile);
      return {         
      id: profile.sub,
      name: profile.name,
      email: profile.email,
      image: profile.picture,
      };
      },
      clientId: "XXXXX-XXXXX-XXXXX-XXXXX",
      clientSecret: process.env.XXXXX_CLIENT_SECRET,
   },

Did not work as well.

Thank you very much for your help! I appreciate it!
Michael

mikele-dev · 2024-03-20T15:26:52Z

mikele-dev
Mar 20, 2024
Author

No one has an idea? I would appreciate help on this a lot! :)

0 replies

ionutcirja · 2024-06-13T14:13:55Z

ionutcirja
Jun 13, 2024

Any solution for this please?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"} #10328

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

no valid key found in issuer's jwks_uri for key parameters {"kid":"9E5424FCE2CE598655385D1BA87FA3FF0D06030E","alg":"RS256"} #10328

mikele-dev Mar 15, 2024

Replies: 2 comments

mikele-dev Mar 20, 2024 Author

ionutcirja Jun 13, 2024

mikele-dev
Mar 15, 2024

mikele-dev
Mar 20, 2024
Author

ionutcirja
Jun 13, 2024