oauth2 use jwkus_url get keys, to login report key_not_found

[hakimhjx]

Describe the bug

use jwks_url login report key_not_found,but use signing_keys login is success.
if use jwks_url set key , What is the value of kid?

JWT

const header = {
    "alg": "RS256",
    "kid":"aaa",
    "typ": "JWT"
}
const timestamp = Math.floor(new Date().getTime() / 1000)
const payload={
    "aud":[
        "rabbitmq"
    ],
    "issue": "123123123",
    "user_id": "123123",
    "user_name": "test",
    "scope":[
        "app"
    ],
    "exp": timestamp + (60*10),
    "authorities":[
        "admin",
        "read:*/*"
    ],
    "jti":"121312-312-31-3-13",
    "client_id":"app",
    "sub": "app",
    "type": "rabbitmq"
}

jwks.json

{"key":[{"kty":"RSA","e":"AQAB","kid":"aaa","use":"sig","alg":"RS256","n":"asfasdqwe124eafqweqweasf","value":"key"}]}`

#### advanced.config

``` erlang
[
  { rabbit,[
    {auth_backends,[rabbit_auth_backend_internal,rabbit_auth_backend_oauth2]}
  ]},
  {rabbitmq_auth_backend_oauth2,[
    {resource_server_id, <<"rabbitmq">>},
    { extra_scopes_source, << "authorities" >>},
    { key_config, [
      {default_key, <<"aaa">>},
      {jwks_url, <<"jwksurl">> }
%%      {signing_keys, #{
%%        <<"aaa">> => {pem, <<"public key">>}
%%    }}
    ]}
  ]}
].

Reproduction steps

1. enable rabbitmq oauth2 plugins
2. set advanced.config
3. use jwks_url
4. generate jwt
5. login

Expected behavior

login success

Additional context

No response

[hakimhjx]

rabbit version is RabbitMQ 3.12.8, use docker deploy, image: rabbitmq:latest

[michaelklishin]

@hakimhjx sorry the reproduction steps are inadequate. Troubleshooting OAuth 2 always comes down to minor details. With a description like this, we'd have to guess as to what you are trying to achieve. And we do not guess in this community.

[michaelklishin]

@MarcialRosales perhaps you understand the intent and what the question is?

[MarcialRosales]

@hakimhjx , The value of kid is so that RabbitMQ can lookup the appropriate signing key to validate the token (https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/README.md#understanding-access-tokens-and-how-rabbitmq-uses-it). Every token must carry a kid in the header, as you have it on yours with the value aaa.

It could be that the jwks_url you are using does not point to the endpoint that returns the signing keys and that is why RabbitMQ cannot find it. Which oauth provider are you using?
Maybe this tutorial on using keycloak as oauth provider helps you: https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/use-cases/keycloak.md

I recommend that you enable debug logging in RabbitMQ. It can help you troubleshoot the issue. But I can tell you that if it works when you configure the signing_keys then the issue has to do with the actual jwks_url or the endpoint.