client_assertion token error #1241

manasirg · 2024-08-02T17:57:24Z

manasirg
Aug 2, 2024

While using oidc for private_key_jwt, The login flow works great but the client assertion fails because the "kid" in the client_assertion token does not match what is associated with the public cert configured in the provider. Where does the oidc obtain the kid for signing client assertion? I am using the following config.

OIDCPublicKeyFiles /usr/local/apache2/conf/server.crt
OIDCPrivateKeyFiles /usr/local/apache2/conf/server.key 
OIDCProviderTokenEndpointAuth private_key_jwt

Is there more configuration required?

zandbelt · 2024-08-03T09:56:36Z

zandbelt
Aug 3, 2024
Maintainer

I'm not sure I follow: so the IDP rejects the client assertion with a kid mismatch error? The logs would help.

FWIW: by default the kid is calculated from the cert fingerprint but you can specify it manually using the syntax:

OIDCPublicKeyFiles <kid>#<filename>

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

client_assertion token error #1241

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

client_assertion token error #1241

Uh oh!

manasirg Aug 2, 2024

Replies: 1 comment

Uh oh!

zandbelt Aug 3, 2024 Maintainer

manasirg
Aug 2, 2024

zandbelt
Aug 3, 2024
Maintainer