JWT::InvalidIssuerError on Decode JWT (OpenID Connect)

Hello :wave:! Good afternoon, I have a question about the OpenID Connect plugin

I’m trying to use ID Uruguay (A government OpenID Connect “provider”) with Discourse, I signed up for the test server and they sent me the necessary data.

All the flow seems to work fine except for the callback, apparently the Issuer sent in the JWT is not the same as in the discovery document.
I already contacted Support and they said that basically the error was from Discourse (which I don’t think is the case).

Is it possible to somehow add another value to “expected issuer”?

Discovery document: https://auth-testing.iduruguay.gub.uy/oidc/v1/.well-known/openid-configuration

Logs
OIDC Log: Loaded JWT

---
iss: https://auth-testing.iduruguay.gub.uy/oidc/v1
sub: '7630'
aud: '862271'
exp: 1656363519
iat: 1656362919
auth_time: 1656362918
amr:
- urn:iduruguay:am:password
acr: urn:iduruguay:nid:1
nonce: 94d556d732db0db8dff0e09a174c27f2943cfe1740845abf537ff768e96c8ddf
at_hash: eokMw_xDlqb6cXB-DkDA_A
pais_documento:
  codigo: uy
  nombre: Uruguay
tipo_documento:
  codigo: 68909
  nombre: C.I.
numero_documento: '54682086'
email: alexander.barrios@estudiante.ceibal.edu.uy
email_verified: true
name: Yanquis Alexander Barrios Espíndola
given_name: Yanquis Alexander
family_name: Barrios Espíndola
nickname: uy-ci-54682086
idp: Usuario gub.uy

(oidc) Authentication failure! jwt_decode_failed: JWT::InvalidIssuerError, Invalid issuer. Expected ["https://auth-testing.iduruguay.gub.uy"], received https://auth-testing.iduruguay.gub.uy/oidc/v1


Thank you very much in advance! :hugs:

Hmm.

From the location of the discovery document, you need to assume that the issuer is https://auth-testing.iduruguay.gub.uy/oidc/v1 since the discovery document is the issuer with /.well-known/openid-configuration appended to it.

Now the document itself says issuer "https://auth-testing.iduruguay.gub.uy"

And then we have the OpenID Connect Discovery document which states

And the two requirements in the last sentence are not met. The iss claim value is identical to the Issuer URL that was used to retrieve the configuration, but both are NOT identical to the issuer value returned.

So for what it is worth, I think they are wrong and you are right. Too bad that does not get you anywhere.

3 Likes
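The check described in the reply above, as an added example that is not part of the thread or of the Discourse plugin: it derives the issuer an RP must expect from the discovery URL, then compares it against the `issuer` field of the discovery document and the `iss` claim of the ID token, using the values reported in this thread as constructed sample input (no network access, stdlib only).

```ruby
require 'json'

WELL_KNOWN_SUFFIX = '/.well-known/openid-configuration'

# Per OpenID Connect Discovery, the discovery URL is the issuer with the
# well-known path appended, so the RP can derive the issuer it must expect.
def issuer_from_discovery_url(discovery_url)
  url = discovery_url.to_s
  raise ArgumentError, "not a discovery URL: #{url}" unless url.end_with?(WELL_KNOWN_SUFFIX)
  url[0...-WELL_KNOWN_SUFFIX.length]
end

# The three values must be byte-for-byte identical (no normalisation):
#   1. issuer derived from the discovery URL
#   2. "issuer" inside the discovery document
#   3. "iss" claim of the ID token
# Returns a list of problems; an empty list means the provider is consistent.
def issuer_consistency_problems(discovery_url:, discovery_doc:, id_token_claims:)
  expected = issuer_from_discovery_url(discovery_url)
  declared = discovery_doc['issuer']
  claimed  = id_token_claims['iss']
  problems = []
  problems << "discovery document issuer #{declared.inspect} does not match " \
              "issuer implied by discovery URL #{expected.inspect}" unless declared == expected
  problems << "ID token iss #{claimed.inspect} does not match " \
              "discovery document issuer #{declared.inspect}" unless claimed == declared
  problems
end

# Constructed sample input: the values quoted earlier in this thread.
DISCOVERY_URL = 'https://auth-testing.iduruguay.gub.uy/oidc/v1/.well-known/openid-configuration'
DISCOVERY_DOC = JSON.parse('{"issuer": "https://auth-testing.iduruguay.gub.uy"}')
ID_TOKEN_CLAIMS = { 'iss' => 'https://auth-testing.iduruguay.gub.uy/oidc/v1',
                    'sub' => '7630', 'aud' => '862271' }

if __FILE__ == $PROGRAM_NAME
  issuer_consistency_problems(discovery_url: DISCOVERY_URL,
                              discovery_doc: DISCOVERY_DOC,
                              id_token_claims: ID_TOKEN_CLAIMS).each { |p| puts p }
end
```

With the thread's values the function reports two problems, matching the reply: the `iss` claim agrees with the URL the configuration was fetched from, but the document's own `issuer` agrees with neither.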

Interesting fact, I did not know :thinking:

I reported this and linked to your answer, I’ll wait for a response from ID Uruguay support :sleeping:.

Right now I am using a pastebin with the correct issuer (anyway, it was for testing) and everything seems to work correctly. I hope that the support team can solve this detail before applying to ID Uruguay in Production mode.

2 Likes

I’m surprised that that does work :slight_smile: , since the spec says

Well, I got an answer, and they just won’t fix it “because there is no problem on their side and it’s widely used” :slight_smile:

I don’t see anything in the documentation to check the JWT, so that must be why it “just works” :thinking:

Documentation (Google Translate):


I created a “proxy” for the discovery document that modifies the returned issuer, and it also “just works”. I reported this and they accepted it :slight_smile:

I feel that in the future this will fail because it does not follow the specifications but for now it is fine.

Thanks Richard for taking the time to help! :hugs:

2 Likes
