Verification key is unresolvable

[crawer]

Describe the bug

Hello guys, I hope you all are well.

I've been working on this project where I have to work with two providers and I've tried different ways to do so, but for some reason, my service is throwing 401 Verification key is unresolvable

quarkus.oidc.test.auth-server-url=https://URL/realms/MY_REALM
quarkus.oidc.test.client-id=***
quarkus.oidc.test.credentials.secret=***
quarkus.oidc.test.token.required-claims.realm_access.roles=***
quarkus.oidc.test.token.audience=**

Expected behavior

token should be validate

Actual behavior

401 - Verification key is unresolvable

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

17

Quarkus version or git rev

3.2.9.Final

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

2024-06-21 15:08:24,595 Tenant:[] DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-2) SRJWT08019: AuthContextInfo is: JWTAuthContextInfo{publicVerificationKey=null, secretVerificationKey=null, privateDecryptionKey=null, secretDecryptionKey=null, issuedBy='null', expGracePeriodSecs=0, maxTimeToLiveSecs=-1, tokenAge=null, publicKeyLocation='null', publicKeyContent='null', decryptionKeyLocation='null', decryptionKeyContent='null', jwksRefreshInterval=60, tokenHeader='Authorization', tokenCookie='null', alwaysCheckAuthorization=false, tokenKeyId='null', tokenDecryptionKeyId='null', tokenSchemes=[Bearer], requireNamedPrincipal=true, defaultSubClaim='null', subPath='user_name', defaultGroupsClaim='null', groupsPath='authorities', signatureAlgorithm=RS256, keyEncryptionAlgorithm=[RSA_OAEP, RSA_OAEP_256], keyFormat=ANY, keyProvider=DEFAULT, keyCacheSize=100, keyCacheTimeToLive=10, expectedAudience=null, groupsSeparator=' ', relaxVerificationKeyValidation=true, verifyCertificateThumbprint=false, tlsCertificatePath=null, tlsTrustAll=false, tlsTrustedHosts=null, httpProxyHost=null, httpProxyPort=80}
2024-06-21 15:08:24,599 Tenant:[] DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-2) SRJWT08005: Verification key is unresolvable

[sberyozkin]

@crawer Hi, looks like you are using quarkus-smallrye-jwt while the configuration above lists quarkus-oidc properties.

Since you have to support 2 providers, I suggest dropping a quarkus-smallrye-jwt dependency and see what happens.
It will be hard to recommend something more specific without a reproducer

[crawer]

@sberyozkin thank you for your time.

I will do that again, by using the oidc is it possible to validate a token that doesn't have a iss in it?

[sberyozkin]

@crawer Np, this option was added starting from 3.9.0: 4d825af

So if you can, please migrate to 3.9.0 or later

If you must stay on 3.2.x and say, you'd like to use quarkus-smallrye-jwt for one provider, and quarkus-oidc - for another one, then you need to use path based authentication: https://quarkus.io/guides/security-authentication-mechanisms#use-http-security-policy-to-enable-path-based-authentication (HTTP security configuration option only in 3.2.x).

If a migration to 3.9.0 is an option then it would certainly be easier with quarkus.oidc

[crawer]

I like the idea of using both.

I am going to try that one because one of the tokens doesn't has the ISS to be used

{ "user_name": "backend_user", "scope": [ "read", "write" ], "exp": 1718981077, "uuid": "662ad0eb-7a98-4fc2-9bc8-986fae94c205", "authorities": [ "" ], "jti": "lyGRrWQNVLwVBNTD-nVKZ4-P95g", "client_id": "" }

and the other one has the issue to be compared.

[sberyozkin]

Hi @crawer Let me convert this issue to Discussion, as I believe there is no actual bug here. Ping me in the Discussion thread for more info please, thanks

[crawer]

Hello @sberyozkin it worked fine when I removed the smallrye dependency from my project. Thank you for the tip.

[crawer]

The only thing left is that we need to check the token without the iss, is that possible to use the OIDC with another mechanism of bearer validation?

[sberyozkin]

@crawer Sure, I linked above to 4d825af, but it is only supported for quarkus-oidc starting from 3.9.0