
JWKS Retrieval Fails in Latest Version Despite Unchanged Request Data

Open saisankar428 opened this issue 9 months ago • 3 comments

After upgrading to the latest version of get-jwks, we noticed that JWKS retrieval is failing, even though the request data (including kid, domain, and alg) remains unchanged from the previous working version. The older version successfully fetches the JWKS, but the latest version throws an error or returns an unexpected response. This suggests a possible regression in the library.

We have verified that the request payload is identical between versions and checked for any missing headers or required configurations. However, the root cause remains unclear. Could you please investigate this issue?

saisankar428 · Feb 17 '25 05:02

Can you provide a repro?

simoneb · Feb 17 '25 21:02

```ts
import type { TokenOrHeader } from '@fastify/jwt';
import fastifyJWT from '@fastify/jwt';
import config from 'config';
import type { FastifyInstance, FastifyRequest } from 'fastify';
import fp from 'fastify-plugin';
import buildGetJwks from 'get-jwks';
import https from 'node:https';

import logger from '@util/logger';

interface Options {
  addRequestHook?: boolean;
}

function securityPlugin(fastify: FastifyInstance, { addRequestHook = true }: Options = {}) {
  fastify.log.info('Plugin: Security');

  const getJwks = buildGetJwks({
    providerDiscovery: true,
    // Force IPv4 dns resolution
    agent: new https.Agent({ family: 4 }),
  });

  fastify.register(fastifyJWT, {
    // Resolve the verification key from the issuer's JWKS.
    // kid, iss and alg are read from the decoded, not yet verified, token.
    secret: (_: FastifyRequest, token: TokenOrHeader) => {
      if ('payload' in token) {
        const { header, payload } = token;

        // this is where we are getting error
        return getJwks.getPublicKey({ kid: header.kid, domain: payload.iss, alg: header.alg });
      }

      throw Error('Expected a decoded token with payload');
    },
    verify: {
      allowedAud: config.get<string>('auth.audience'),
      allowedIss: config.get<string[]>('auth.issuer'),
    },
    decode: { complete: true },
    formatUser(payload) {
      return {
        sampleId: payload.sampleid,
      };
    },
  });

  if (addRequestHook) {
    // Verify the JWT on every incoming request; log and rethrow on failure
    fastify.addHook('onRequest', async request => {
      fastify.log.info('Validate request with JWT verification');
      try {
        await request.jwtVerify();
      } catch (err) {
        logger().error(err);
        throw err;
      }
    });
  }

  return fastify;
}

export default fp(securityPlugin);
```

saisankar428 · Feb 21 '25 13:02

@saisankar428 this is not a reproducible repro I'm afraid, as we can't just run this code and see the issue. Please provide a minimal reproducible repro. See https://stackoverflow.com/help/minimal-reproducible-example

simoneb · Feb 21 '25 15:02

@saisankar428 We were looking to pick this issue up but to do so we need a minimal reproducible example as @simoneb mentioned above. Also we are missing some critical information such as the version you were using that works, the version that you upgraded to (assume it's v11?) and also the error that you are experiencing?

agubler · Mar 31 '25 12:03

Sure, will share the required details with you in a couple of days.

Thanks, Sai Sankar Grandhi.

saisankar428 · Mar 31 '25 12:03

Closing due to lack of activity. Please create a new issue.

simoneb · Apr 14 '25 15:04