[JWT] Problem Validating Token with RS256 Public Key

Forge Component
Published on 2018-10-10 by João Almeida

Hi,

First of all, thanks for creating this component, it really helps implementing OpenID Connect flows.

Now the problem. With the identity provider I am using, it is only possible to retrieve the RS256 public key using the exposed endpoints. When I try to validate a token with the public key, there is always the error: 'Error opening public key key.' You can see an example of the key below:

-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgNtTx1tyQpvHr2WrVXxwV8v7F2X3cza9CAk1wO6nmiMVjofAyYYri9rYsGwjrK/BytcV4Rx63VKbb/QrhPpaRR0n5Z73L9LWb/sgp2IFFUBO8FtoQukmHHM6Y00ZhvKqZrIRLlvSg2ih5ihhgt3Uc+vABymWvuGmlzM3vLv0c/CYWF+CVFz24D04kvezC+D4MOrLxV7J9bep8EAhnfqe/1nMIVbZB/zEIeP5rbuURrWqo9PWzJ/7mQDswNZm5jSFn8+22I3tDEnQf/o9q5ENena0bEMywqpT7gFZcRbO9DZICU4LItzJeRl9wtr2puL+OVMDIDgXUHsdQYjyA9bD4wIDAQAB
-----END RSA PUBLIC KEY-----

I am able to validate the token in jwt.io using a key similar to the one above; however, in the OutSystems extension I always get an error.

I noticed that it is possible to validate the token with the RS256 certificate, both in jwt.io and in the OutSystems extension. However, I can only obtain this certificate by copying it from the admin console of the identity provider, as it is not exposed in any endpoint. This is not a good solution as it would need to be configured statically somewhere and not retrieved dynamically. Example certificate below:



Is there any way to get around this error so that the public key can be used instead of the certificate or is it necessary to update the OutSystems extension C# code for this to work?

Best Regards,

João Mateus
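
Added example (not part of the original post and not the component's code): the Base64 body of the key above starts with `MIIBIjAN`, which is how a 2048-bit SubjectPublicKeyInfo structure encodes, while the `RSA PUBLIC KEY` armor announces a PKCS#1 `RSAPublicKey`. The Python sketch below detects that kind of label/content mismatch and rewrites the armor. That the mismatch is what triggers the extension's error is an assumption; the function names and the toy key are constructed for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EXPECTED = {"RSA PUBLIC KEY": "PKCS1", "PUBLIC KEY": "SPKI"}  # PEM label -> DER structure
LABEL_FOR = {kind: label for label, kind in EXPECTED.items()}

def read_tlv(buf, pos=0):
    """Return (tag, content) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length]

def classify(pem):
    """Return (label, kind); kind is 'PKCS1', 'SPKI' or 'UNKNOWN'."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    outer_tag, outer = read_tlv(base64.b64decode("".join(m.group(2).split())))
    if outer_tag != 0x30 or not outer:
        return label, "UNKNOWN"
    tag, first = read_tlv(outer)
    if tag == 0x02:  # INTEGER (modulus) first: PKCS#1 RSAPublicKey
        return label, "PKCS1"
    if tag == 0x30 and RSA_OID in first:  # AlgorithmIdentifier first: SubjectPublicKeyInfo
        return label, "SPKI"
    return label, "UNKNOWN"

def fix_label(pem):
    """Rewrite the PEM armor so its label matches the DER structure inside."""
    label, kind = classify(pem)
    if kind == "UNKNOWN" or EXPECTED.get(label) == kind:
        return pem
    return pem.replace(f" {label}-----", f" {LABEL_FOR[kind]}-----")

def der(tag, content):  # short-form length only; enough for the toy sample
    return bytes([tag, len(content)]) + content

def sample_mislabelled_pem():
    """Constructed toy key (64-bit modulus, not a real key): SPKI bytes, PKCS#1 label."""
    pkcs1 = der(0x30, der(0x02, b"\x00" + b"\xc5" * 8) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + pkcs1))
    body = base64.b64encode(spki).decode()
    return f"-----BEGIN RSA PUBLIC KEY-----\n{body}\n-----END RSA PUBLIC KEY-----\n"
```

`fix_label(sample_mislabelled_pem())` returns the same Base64 body under `-----BEGIN PUBLIC KEY-----`; only the armor changes, so the key material the token is verified against stays the one fetched from the identity provider.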


Hi João, let me test your scenario and I'll get back to you.