OAUTH 2.0 oidc_proto_jwt_verify: JWT signature verification failed cjose_jws_verify failed: error:02000068:rsa routines::bad signature

[amrvka]

Hello community,

can anybody help me using OAUTH 20 module in Apache 2.4 please?
( i know there is a successor module oauth2 but i dont know how to install it by not interfering existing rpm installations)

when i use the module openid-connect everything is fine.

when i want to login using a bearer token then i have to change the module to OAUTH20

There also: everything works fine without masses of configuration needed - except the JWT token validation.

My JWKs URI is set to https://login.microsoftonline.com/ -mytenantguid- /discovery/v2.0/keys

I see in apache log:
oidc_http_request: response={"keys":[{"kty":"RSA","use":"sig","kid":" .... }
oidc_proto_jwks_key_get: search for kid "3PaK..." or "thumbprint x5t "3PaK..."
oidc_proto_jwks_key_get: found matching kid: "3PaK..."
oidc_proto_jwks_uri_keys: returning 1 key(s) obtained from the (possibly cached) JWKs URI

and then the next line stops my OAUTH login :

oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:1221: oidc_jwt_verify]: cjose_jws_verify failed: error:02000068:rsa routines::bad signature [file: jws.c, function: _cjose_jws_verify_sig_rs, line: 955]

i use SLES 15 SP4 apache2-mod_auth_openidc-2.3.8
then i upgraded to
SLES 15 SP6 apache2-mod_auth_openidc-2.4.16.3 (using an additional apache build service repository (https://build.opensuse.org/repositories/Apache:Modules/apache2-mod_auth_openidc)

But on both versions i have the same behaviour.

I've read that the error:02000068:rsa routines::bad signature ... has something to do with OPENSSL_ia32cap but i don't know further.

Can anybody help me verifying the JWT token?

Thank you
Andy

[amrvka]

please can anybody maybe just give me a hint what i can do regarding this line:

oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:1221: oidc_jwt_verify]: cjose_jws_verify failed: error:02000068:rsa routines::bad signature [file: jws.c, function: _cjose_jws_verify_sig_rs, line: 955]

?
Best regards
Andy

[zandbelt]

most probably the wrong key has been configured

[amrvka]

thank you for your info. I did not knew that.
Well my OpenID/Oauth IDP is Azure/Entra ID.

If i create / register an (enterprise) application there then everything regarding keys is preconfigured and i can see each endpoint for saml/oauth/openid discovery etc.
i can see the Azure keys in json format.

In your apache module i just configured a client secret and its client id.

Do i have to configure a client jws/jwt key on my apache server too?

OpenID module works ... but not oauth Auth mechanism.

Please read theses lines and i hope you or someone else has additional hints.
Or is it a bug in the module and i should create a ticket?

Have a nice evening