
JWT authentication on different domains with matching keys fails with error

Open Cameronjmayfield opened this issue 9 months ago • 3 comments

Describe the bug

JWT authentication on different domains with matching keys fails with error:

{
	"errors": [
		{
			"message": "Invalid issuer: the token's `iss` was 'DOMAIN_ONE', but signed with a key from 'DOMAIN_TWO'",
			"extensions": {
				"code": "AUTH_ERROR"
			}
		}
	]
}

To Reproduce

Steps to reproduce the behavior:

  1. Run identical auth service behind two different domains
  2. Submit authenticated request
  3. See error

Expected behavior

A router running with multiple JWT auth services should support multiple domains with the same keys.

Output

Desktop (please complete the following information):

  • OS: Mac 14.5
  • Version: Rover 0.26.3, Router v1.59.2

Additional context

Cameronjmayfield avatar Feb 06 '25 00:02 Cameronjmayfield

I believe this should provide a solve for this issue, no?

https://github.com/apollographql/router/pull/6887

theJC avatar Mar 09 '25 06:03 theJC

@Cameronjmayfield -- At Indeed, the above change, released in Router 2.2.0, addressed a similar problem we have in some of our non-PROD environments that require a JWKS which is used by/supports multiple issuers. Hopefully this addresses your issue as well and you are able to close out this issue?

theJC avatar May 04 '25 04:05 theJC

The fix we had to apply was to specify the issuer in the configuration as well as the URL. Before, we only specified the URLs. This can be closed, but that is what was required for us.

Cameronjmayfield avatar May 04 '25 05:05 Cameronjmayfield
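The configuration change described in the last comment, written out as an added example (not from the issue thread or the router repository): the `jwks` entries use the router's `url` and `issuer` keys, and the two domains are placeholders standing in for DOMAIN_ONE and DOMAIN_TWO from the error message.

```yaml
# Added example, not from the issue or the router project.
# Placeholder domains: auth.one.example and auth.two.example stand in for
# the DOMAIN_ONE / DOMAIN_TWO that appear in the reported error message.

# router.yaml, before: URLs only. Both endpoints publish the same keys,
# and requests failed with the AUTH_ERROR "Invalid issuer" response
# quoted in the issue.
authentication:
  router:
    jwt:
      jwks:
        - url: https://auth.one.example/.well-known/jwks.json
        - url: https://auth.two.example/.well-known/jwks.json

---
# router.yaml, after: each JWKS entry also names the issuer whose tokens
# it validates. The `issuer` value is compared with the token's `iss`
# claim, so it must match that claim exactly (scheme, host and any
# trailing slash included).
authentication:
  router:
    jwt:
      jwks:
        - url: https://auth.one.example/.well-known/jwks.json
          issuer: https://auth.one.example/
        - url: https://auth.two.example/.well-known/jwks.json
          issuer: https://auth.two.example/
```

The `---` separates the before and after documents for side-by-side reading; only one of them goes into the router's config file.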