Fail to verify a GitLab JWKS URL #294

lenaing · 2024-04-09T15:47:51Z

An upgrade to Vault 1.16.1 with the plugin version between v0.19.0 and v0.20.1 fails to verify a GitLab OIDC url.

Here is a redacted version of the keys :

{
    "keys": [{
            "kty": "RSA",
            "kid": "redacted",
            "e": "AQAB",
            "n": "redacted",
            "use": "sig",
            "alg": "RS256"
        }, {
            "kty": "RSA",
            "kid": "redacted",
            "e": "AQAB",
            "n": "redacted",
            "use": "sig",
            "alg": "RS256"
        }
    ]
}

Here is the error logged when I try to enable a JWKS URL :

[ERROR] auth.jwt.auth_jwt_e54f1181: error checking jwks URL: url=https://gitlab.example.com/oauth/discovery/keys error="oidc: malformed jwt: go-jose/go-jose: unexpected signature algorithm \"HS256\"; expected [\"RS256\" \"RS384\" \"RS512\" \"ES256\" \"ES384\" \"ES512\" \"PS256\" \"PS384\" \"PS512\" \"EdDSA\"]"

The plugin works fine with the same GitLab instance if we stick with Vault 1.15.4.

I can provide more informations if required.

Kind regards,

The text was updated successfully, but these errors were encountered:

tvoran · 2024-04-09T21:52:33Z

Hi @lenaing, that sounds like the issue described here, sorry about that! The external version of v0.20.1 isn't affected by this issue, and v0.20.2 with the fix will be included in Vault 1.16.2.

briantist mentioned this issue Apr 13, 2024

add Vault 1.16.x to CI matrix hvac/hvac#1155

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fail to verify a GitLab JWKS URL #294

Fail to verify a GitLab JWKS URL #294

lenaing commented Apr 9, 2024

tvoran commented Apr 9, 2024

Fail to verify a GitLab JWKS URL #294

Fail to verify a GitLab JWKS URL #294

Comments

lenaing commented Apr 9, 2024

tvoran commented Apr 9, 2024