ESP custom authentication - JWT validation failed: KEY_RETRIEVAL_ERROR

Fouad Almalki

Dec 2, 2016, 1:31:48 PM
to Google Cloud Endpoints
I used custom authentication with the ESP proxy; however, I got an HTTP 401 response for all requests with a valid Authorization header. Here is the response:

{
  "code": 16,
  "message": "JWT validation failed: KEY_RETRIEVAL_ERROR",
  "details": [
    {
      "stackEntries": [],
      "detail": "auth"
    }
  ]
}

I am using the RS256 algorithm for encryption, and the "Debugger" at jwt.io confirms that the signature of my JWT token is correct and compatible with the public key.

Fouad Almalki

Dec 2, 2016, 5:38:43 PM
to Google Cloud Endpoints
I was able to access the ESP Docker container and found the following in /var/log/nginx/error.log:

b64.c:147]                  Invalid group. Must be at least 2 bytes.

I googled it and didn't find anything useful :\

Fouad Almalki

Dec 2, 2016, 5:58:09 PM
to Google Cloud Endpoints
This is my public key; I added a link to it as the value of the key "x-jwks_uri":

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgMLAVIj9IYhJxRyXk8y+
j7D9crcabMAjePmMDQp+rC0FpN/LahEMzMv7qMviZQTaKvbaImeNdjwTGHSvxdWK
mBmoqPxDiMZFPF3A1O02WnLpXcX+bJiR9GODTP71nOo+mIaoe6l7g9Cke4CYZneS
4J2THAXB5t/Wl34riwznkuzTzHk6/1/EzfvsVLbpdEUWzG7IGTwsIk2f8cFi/bx5
aAgdrVkS/kCtZZiDI0r3t9BEHo/xVqsiX+mgtRhE17lQFCMaMtpMBiXBMAOs3gQx
gYpj9QegiVId+2s542FAL+7sfMUmL06tZFFrNCmF+rIcLEchgMlF+HdXTKIeHcl+
JQIDAQAB
-----END PUBLIC KEY-----

limi...@google.com

Dec 2, 2016, 6:42:04 PM
to Google Cloud Endpoints
KEY_RETRIEVAL_ERROR means ESP cannot retrieve the public key from "x-jwks_uri". "x-jwks_uri" should point to a page that contains a JSON array of public keys. This page shows an example of a public key page (x509 keys): https://www.googleapis.com/oauth2/v1/certs

Fouad Almalki

Dec 2, 2016, 6:46:47 PM
to Google Cloud Endpoints, limi...@google.com
OK, the example you mentioned looks like the following:

What is the key "7f0493a6cd1a23e405906e0b9c624adade57c969"? Also, my public key begins with "-----BEGIN PUBLIC KEY-----" not "-----BEGIN CERTIFICATE-----", is that OK?

Fouad Almalki

Dec 2, 2016, 7:13:02 PM
to Google Cloud Endpoints, limi...@google.com
Finally, it's working now!

Instead of manually creating the private and public keys, I created a service account from here: https://console.cloud.google.com/iam-admin/serviceaccounts/project

then I created the keys from it :)

limi...@google.com

Dec 2, 2016, 7:20:42 PM
to Google Cloud Endpoints, limi...@google.com
Great that it works now :) Just to answer your previous question: ESP accepts two formats of public keys, the JWK set format (https://tools.ietf.org/html/rfc7517#section-5) and the X509 format. The example I gave shows the X509 format, which requires a "certificate". The string "7f0493a6cd1a23e405906e0b9c624adade57c969" is the ID of the certificate/public key. I found a page explaining the difference between a certificate and a key (https://superuser.com/questions/620121/what-is-the-difference-between-a-certificate-and-a-key-with-respect-to-ssl).
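
Added example (not from the thread, ESP or Google): the reply above says x-jwks_uri must serve either a JWK set or an X509 certificate map, while the key posted earlier is a bare "-----BEGIN PUBLIC KEY-----" SubjectPublicKeyInfo, which is neither. This Python converts that PEM into a JWK set with the Python standard library only; the kid is derived as an RFC 7638 thumbprint, my choice since the thread does not say how the key ID is chosen, and the sample key is the one posted earlier in the thread.

```python
import base64
import hashlib
import json
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1
POSTER_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgMLAVIj9IYhJxRyXk8y+
j7D9crcabMAjePmMDQp+rC0FpN/LahEMzMv7qMviZQTaKvbaImeNdjwTGHSvxdWK
mBmoqPxDiMZFPF3A1O02WnLpXcX+bJiR9GODTP71nOo+mIaoe6l7g9Cke4CYZneS
4J2THAXB5t/Wl34riwznkuzTzHk6/1/EzfvsVLbpdEUWzG7IGTwsIk2f8cFi/bx5
aAgdrVkS/kCtZZiDI0r3t9BEHo/xVqsiX+mgtRhE17lQFCMaMtpMBiXBMAOs3gQx
gYpj9QegiVId+2s542FAL+7sfMUmL06tZFFrNCmF+rIcLEchgMlF+HdXTKIeHcl+
JQIDAQAB
-----END PUBLIC KEY-----"""  # the key posted earlier in this thread (page value, not constructed)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _read_tlv(buf: bytes, pos: int):  # one DER tag-length-value; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits hold the byte count of the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_pem_to_jwk_set(pem: str) -> dict:
    """Convert a PEM SubjectPublicKeyInfo RSA key into a JWK set (RFC 7517 sec. 5)."""
    body = pem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "")
    der = base64.b64decode("".join(body.split()))  # also accepts a one-line flattened PEM
    tag, spki, _ = _read_tlv(der, 0)               # SubjectPublicKeyInfo ::= SEQUENCE
    _, alg_id, pos = _read_tlv(spki, 0)            #   algorithm ::= SEQUENCE { OID, NULL }
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    bs_tag, bitstr, _ = _read_tlv(spki, pos)       #   subjectPublicKey ::= BIT STRING
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)       # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_der, pos = _read_tlv(rsa_key, 0)
    _, e_der, _ = _read_tlv(rsa_key, pos)
    # DER INTEGERs carry a leading 0x00 when positive; JWK wants the bare unsigned magnitude
    n, e = int.from_bytes(n_der, "big"), int.from_bytes(e_der, "big")
    n_b64 = _b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))
    e_b64 = _b64url(e.to_bytes((e.bit_length() + 7) // 8, "big"))
    # kid: RFC 7638 thumbprint (SHA-256 over the required members, sorted, no whitespace)
    thumb = json.dumps({"e": e_b64, "kty": "RSA", "n": n_b64}, separators=(",", ":"), sort_keys=True)
    kid = _b64url(hashlib.sha256(thumb.encode("ascii")).digest())
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": n_b64, "e": e_b64}]}

if __name__ == "__main__":
    print(json.dumps(rsa_pem_to_jwk_set(POSTER_PEM), indent=2))  # serve this document at x-jwks_uri
```

The JWT header's kid must match the kid in the served document, so whatever derivation you pick, the signer and this document have to agree on it.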

Fouad Almalki

Dec 2, 2016, 9:29:41 PM
to Google Cloud Endpoints, limi...@google.com
This information is not mentioned in the documentation :)

Jason Allor

Dec 5, 2016, 12:11:02 PM
to Fouad Almalki, Google Cloud Endpoints, Limin Wang
Hi Fouad. We are working on updating our documentation related to auth and security. We'll make sure this information is included. Thanks for your patience!


Rene Figueroa

Oct 13, 2017, 11:26:28 AM
to Google Cloud Endpoints
Hi. Now I have the same problem. I want to know whether it is x-jwks_uri or x-google-jwks_uri, because this page mentions the second.