Token endpoint error

We keep getting this error. Can anyone point us in the right direction?


Token endpoint error: {"error_description":"JWT is not valid","error":"invalid_client"}

Stack: at Cis2AuthService.ExchangeCodeForTokenObject(String code) in d:\HostingSpace\istaffrota_UATNew\App_Code\Cis2AuthService.cs:line 69 at VisionIntel.IStaffRota.WebApp.cis2.Cis2Callback.Page_Load(Object sender, EventArgs e) in d:\HostingSpace\istaffrota_UATNew\cis2\Cis2Callback.aspx.cs:line 59

Assuming you are calling the CIS2 Auth token endpoint we would need more details of the request to find the error log entry. However, this is generally caused by invalid config on your side.

This is likely because the JWKS endpoint is not valid, not accessible or returning invalid keys - it has to be discoverable and visible over the internet. Check for bad characters, commas, etc. in your JWKS file, ensure the right kid is being used and that the key is valid.

Hi John,

Thanks for your reply

As requested, please find below the RSA key configuration along with the endpoint URL for the token used in our code, and this attachment: https://drive.google.com/file/d/1kFv4R-aMdJ_mIYyT-SFnfWx5elDbphCu/view?usp=sharing

Key Configuration (JWKS):

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "cis2",
      "alg": "RS512",
      "n": "8F210CC032CAC5DEFD46BAFFB7580BBF040A9A0AD56B0B211EBA4EA0BF61ABC524AEB8CBAEEA65AA8613679D32213A2DC89934C44860056DC6E11EA5C02157DA741DEFA97A4C84F2E3AC24C0D9D544DE5F4B4E2EF75FDE020FBB4E22D8EDF019B3F8401B75C7AEB2017651B78750B72F51D40AA2900B5FB23B3D5E2B13503D103A3239B6C57D4F4661D160C691CFEEDD56030B56E837E20760BE12C67F1544ABE633463BCDB60810B6BE6D212E4E78E24B411CE1493E02460B9838F0EE74B1A7FF115774F12F3FF6DF1DADF530196C35F9FF8DA62FA0497CA5718ADDA1FF01333958BB1522216579B119F55269DB5D41EDC456504CA2258426D1DEB9F7AA2FD8E275CB9AD0A549A259262569D0421E31E3BE7D06E2E8282DBE7F21E4375582CCA9012E7220200000E056207549D75481113222249293588F6BD97F9286A4186D7929E4A75E4C40164A5E681020A3EE21BB00C35942820BDA66F9C7EF4FFB3E7AB0069E4A0A1DF2FEDFE9A5C7E10EB73AA7CE0C16CB5F06A90F0D96F9F3AAA914AD316498A3E54A9A92A8AB4E343B17E6043FF3796F4CFC4BFA259CC689B393F2CAF16F89D8B1013E57F2E529E894A7AAB5DAF2992516E3D08E313E6B880D0067DDAD684D4295A96F5303AA019C1ECD6E4A562C38D9711D6EF40D1C98496ACBBA92D61FFD5B40603FC201E9B478672A149D49045D85E4365082E87853C0AAE3C3",
      "e": "AQAB"
    }
  ]
}

Endpoint URL:

https://uat.istaffrota.com/.well-known/jwks.json

Thanks for that. Firstly and most importantly, you have included passwords and secrets in the linked file - please replace those in your code and delete the zip file.

Secondly, the issue is that the JWKS file appears to be UTF-8 and has a BOM (Byte Order Marker) at the start, which is not recognised (0xef, 0xbb, 0xbf). Please upload a vanilla text file without the BOM.

For reference, UTF-8 using a BOM is not mandatory.
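An added check, written for this page rather than taken from the thread or from CIS2 tooling: a Python 3 script (standard library only) that reads a JWKS as raw bytes and reports the problems this thread turns on: a UTF-8 BOM (ef bb bf) in front of the opening 7b, invalid JSON, a missing kid or one that does not match the JWT header, and RSA parameters that are not base64url. The first JWKS posted above encodes n as uppercase hex rather than base64url of the modulus bytes, so the script flags that shape too. The 2048-bit floor and the sample documents are my assumptions for the demo; the CIS2 key-management page is the authority on actual key requirements.

```python
import base64
import json
import re

UTF8_BOM = b"\xef\xbb\xbf"
B64URL = re.compile(r"[A-Za-z0-9_-]+")
HEXLIKE = re.compile(r"[0-9A-Fa-f]+")


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url (RFC 7515, section 2)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_jwks_bytes(raw: bytes, expected_kid=None, min_bits=2048):
    """Return a list of problems found in a JWKS given as raw bytes.

    An empty list means: no BOM, first byte is 7b, the JSON parses, and every
    key has a kid plus base64url-encoded RSA parameters. min_bits is an
    assumption for the demo, not a value taken from the CIS2 documentation.
    """
    problems = []
    if raw.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 BOM (ef bb bf); re-save without it")
        raw = raw[len(UTF8_BOM):]
    if not raw.lstrip(b" \t\r\n").startswith(b"{"):
        problems.append("first bytes are %s, expected 7b ('{')" % raw[:3].hex())
        return problems
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        problems.append("not valid UTF-8 JSON: %s" % exc)
        return problems
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        problems.append('top level must be {"keys": [ ... ]} with at least one key')
        return problems
    kids = []
    for i, key in enumerate(keys):
        where = "keys[%d]" % i
        if not isinstance(key, dict):
            problems.append(where + ": not a JSON object")
            continue
        if not key.get("kid"):
            problems.append(where + ": missing kid")
        kids.append(key.get("kid"))
        if key.get("kty") != "RSA":
            problems.append(where + ": kty must be RSA for RS512")
            continue
        for field in ("n", "e"):
            val = key.get(field)
            if not isinstance(val, str) or not B64URL.fullmatch(val):
                problems.append(where + ": %s missing or not base64url" % field)
        n = key.get("n")
        if isinstance(n, str) and B64URL.fullmatch(n):
            # A long string drawn only from 0-9A-F is almost certainly a hex dump of
            # the modulus; a JWK wants base64url of its big-endian bytes instead.
            if HEXLIKE.fullmatch(n) and len(n) % 2 == 0 and len(n) >= 128:
                problems.append(where + ": n looks hex-encoded, not base64url")
            else:
                bits = int.from_bytes(b64url_decode(n), "big").bit_length()
                if bits < min_bits:
                    problems.append(where + ": modulus is only %d bits" % bits)
    if expected_kid is not None and expected_kid not in kids:
        problems.append("no key with kid %r; the JWT header kid must match" % expected_kid)
    return problems


# Constructed sample: a well-formed 2048-bit modulus (not a real key), and the same
# document with the BOM this thread is about prepended to it.
SAMPLE_JWKS = json.dumps({"keys": [{
    "kty": "RSA", "use": "sig", "kid": "cis2", "alg": "RS512",
    "n": b64url_encode(((1 << 2047) | 12345).to_bytes(256, "big")),
    "e": "AQAB",
}]}).encode("utf-8")
SAMPLE_WITH_BOM = UTF8_BOM + SAMPLE_JWKS

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_JWKS), ("bom", SAMPLE_WITH_BOM)):
        print(label, doc[:3].hex(), check_jwks_bytes(doc, expected_kid="cis2"))
```

Feed it the bytes exactly as served or saved (`open(path, "rb").read()`, or the body from `urllib.request.urlopen(url).read()`), never a decoded string: once Python has decoded the file with utf-8-sig the BOM is gone and the check cannot see what the token endpoint sees.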

Thanks for the advice. Deleted now. On the rest, we will try and let you know the outcome.

Please see this file:

That still has the BOM - you can see it if you view the file in hex. Ensure the app used to save the file isn't using UTF-8 and/or the BOM is disabled.

Hi John,

I am informed that this is also available here: https://uat.istaffrota.com/.well-known/jwks.json. Is that sufficient?

But here is a new version of the file also:

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "cis2",
      "alg": "RS512",
      "n": "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",
      "e": "AQAB"
    }
  ]
}

The location doesn’t matter, it is the content - it will work as expected when the BOM is removed from the start of the file. The above is still incorrect (there are 3 hidden characters in the actual file)

Hi John,

The latest file sent does not seem to have a BOM in it; is it not the case that if it starts with 7B then it does not have a BOM? The developers are out for the day, but this file was saved as UTF-8… Would this work?

Hi John, the developers have started this morning.

This file was tried

But we still get this error. Where could we have gone wrong, please?

CIS2 Authentication

Returned state: ……
CIS2 Authentication Error:

Token endpoint error: {"error_description":"JWT is not valid","error":"invalid_client"}

Stack: at Cis2AuthService.ExchangeCodeForTokenObject(String code) in d:\HostingSpace\istaffrota_UATNew\App_Code\Cis2AuthService.cs:line 69 at VisionIntel.IStaffRota.WebApp.cis2.Cis2Callback.Page_Load(Object sender, EventArgs e) in d:\HostingSpace\istaffrota_UATNew\cis2\Cis2Callback.aspx.cs:line 59

The signature is invalid given the above key - you can use https://JWT.io to test your assertion value using your public key in the JWKS file. When I place the current key and your last assertion (as of 8:12 this morning) it fails validation. I'd suspect the key used to sign the token is different to the public key. Note if you change the key value you need to change the kid in line with any rotation - we will cache the key for a period of time and will only fetch it if we don't recognise the kid.

Hi John,

We are really not having any luck here.

token : eyJhbGciOiJSUzUxMiIsImtpZCI6ImNpczIiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI3MTQ0NzE0NzEzLndlYmZvcm1zX2NpczJfYXBwLjdjOTg0OWRlLTY1ZTQtNDdjOS1hOGQ2LWEyOTY4NjM4MzcwYi5hcHBzIiwianRpIjoiMTVhNWMyNjUtMWQ1Yi00YWFiLWI0NTAtMmMzZWMxZmU2ZTJmIiwiaWF0IjoxNzc0NDUxNDE0LCJleHAiOjE3NzQ0NTE3MTQsImlzcyI6IjcxNDQ3MTQ3MTMud2ViZm9ybXNfY2lzMl9hcHAuN2M5ODQ5ZGUtNjVlNC00N2M5LWE4ZDYtYTI5Njg2MzgzNzBiLmFwcHMiLCJhdWQiOiJodHRwczovL2FtLm5oc2ludC5hdXRoLXB0bC5jaXMyLnNwaW5lc2VydmljZXMubmhzLnVrL29wZW5hbS9vYXV0aDIvcmVhbG1zL3Jvb3QvcmVhbG1zL05IU0lkZW50aXR5L3JlYWxtcy9IZWFsdGhjYXJlL2FjY2Vzc190b2tlbiJ9.hT3FCLU4tVJpdv1ysXI0-PNpK8Ig9x9o7RbpI9n-QvWXzTFX3lsZc12HOnxVpLPiER-ZgIsrwtoiFMlD4o0oqqCq6VVBFv5qWbpT8z0CKtX-dVjR-ZQWMqGDWYo8cZuWI_fmh2i_iyE2zSAkSE39TaD1Ig2GiiTexjRXAGpIBPvzqf2Mtv4WjJLfU8Ok2amZ0pWneTMzKTtvzMjzJF_2hiBy8A849XW-iW6shpBIkDKq72y3PN7G7J4RKMdegueywuwN8e8gbjHBhhF5EBoCZLW__W7ronjKhDo-4pKisNY_Zcj_d_qqQOyQH7HJ5ZS2gxLt1-bk7n3Pqtq-NBi7TBIJhgSiLuVcDlpIgArAjpFHXxbSxBGl5cUKurFf99aQElpoICOnd-ghhn9m3f6lEfESCvJUST2JwtVLlJe1xAND97nT72UT3gKCrsAZN5ckGBoiTb-TnaMkLvUvDG4IzHDAQhvz0puPoT7GRtIFOrW2lsuz2JRB1a6WGjCUUMpBpkL2_cGElwAjUZDI4xPSymz0qwKPyMiwEbsUrzpm_DWgBIgInsYrrzsnKyL7IpP79WRdLspLa-1KrCT6LwcDotxcj6uCMkHNfypRtDrfd3I_kwPBIOOrQ-u6Gj6vQIs9369P3dVpm39TiDSu1KgZkoMN0i78qNSgeR8r-Hut9fI

JWKS:

{"kty":"RSA","use":"sig","kid":"cis2","alg":"RS512","n":"jyEMwDLKxd79Rrr_t1gLvwQKmgrVawshHrpOoL9hq8UkrrjLruplqoYTZ50yITotyJk0xEhgBW3G4R6lwCFX2nQd76l6TITy46wkwNnVRN5fS04u91_eAg-7TiLY7fAZs_hAG3XHrrIBdlG3h1C3L1HUCqKQC1-yOz1eKxNQPRA6Mjm2xX1PRmHRYMaRz-7dVgMLVug34gdgvhLGfxVEq-YzRjvNtggQtr5tIS5OeOJLQRzhST4CRguYOPDudLGn_xFXdPEvP_bfHa31MBlsNfn_jaYvoEl8pXGK3aH_ATM5WLsVIiFlebEZ9VJp211B7cRWUEyiJYQm0d6596ov2OJ1y5rQpUmiWSYladBCHjHjvn0G4ugoLb5_IeQ3VYLMqQEuciAgAADgViB1SddUgREyIiSSk1iPa9l_koakGG15KeSnXkxAFkpeaBAgo-4huwDDWUKCC9pm-cfvT_s-erAGnkoKHfL-3-mlx-EOtzqnzgwWy18GqQ8NlvnzqqkUrTFkmKPlSpqSqKtONDsX5gQ_83lvTPxL-iWcxomzk_LK8W-J2LEBPlfy5SnolKeqtdrymSUW49COMT5riA0AZ92taE1ClalvUwOqAZwezW5KViw42XEdbvQNHJhJasu6ktYf_VtAYD_CAem0eGcqFJ1JBF2F5DZQguh4U8Cq48M","e":"AQAB"}

Everything seems valid, yet we are getting the same error; at some point we got this error: Token endpoint error: {"error_description":"Invalid JWT audience","error":"invalid_client"}

The audience is incorrect as the error implies - it has to exactly match our docs and implementation - which unfortunately means it needs the :443 adding to specify the port
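An added example covering John's two points above (the signature not matching the published key, and the audience having to match exactly, port included). It is my code, not iStaffRota's and not NHS Digital's: a Python 3, standard-library-only build-and-check of a private_key_jwt client assertion (RFC 7523) of the shape pasted earlier in this thread. RS512 and PKCS#1 v1.5 are written out so the block runs offline; the key generation is a demo toy (a real private key lives in your key store and is never regenerated per run), and a JWT library would normally do the checking. The check side imitates what the token endpoint does: find the kid in your JWKS, verify the signature over header.payload, then compare aud byte for byte. The client_id and token endpoint URL are placeholders; the real aud, including the :443, is the value in the CIS2 documentation.

```python
import base64, hashlib, hmac, json, random, time, uuid

_rng = random.SystemRandom()
SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")  # DigestInfo for SHA-512, RFC 8017 9.2

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo key, not a replacement for openssl or an HSM."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits=2048):
    """Toy keypair so the demo runs offline; a real private key comes from your key store."""
    e, half, primes = 65537, bits // 2, []
    while len(primes) < 2:
        c = _rng.getrandbits(half) | (1 << (half - 1)) | 1
        if _probable_prime(c) and c not in primes:
            primes.append(c)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    if n.bit_length() != bits or phi % e == 0:
        return generate_rsa(bits)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(msg, k):
    t = SHA512_PREFIX + hashlib.sha512(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs512_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs512_verify(msg, sig, n, e):
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

def public_jwk(key, kid):
    """What goes in /.well-known/jwks.json: base64url of the big-endian bytes of n and e."""
    n, e = key["n"], key["e"]
    return {"kty": "RSA", "use": "sig", "kid": kid, "alg": "RS512",
            "n": b64url(n.to_bytes((n.bit_length() + 7) // 8, "big")),
            "e": b64url(e.to_bytes((e.bit_length() + 7) // 8, "big"))}

def build_client_assertion(client_id, token_endpoint, key, kid, now, lifetime=300):
    """private_key_jwt assertion (RFC 7523): iss == sub == client_id, aud == token endpoint."""
    header = {"alg": "RS512", "kid": kid, "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + b64url(rs512_sign(signing_input.encode("ascii"), key))

def check_client_assertion(token, jwks, expected_aud, now, skew=60):
    """The token endpoint's side; returns (ok, reason), reasons worded like the thread's errors."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = (json.loads(b64url_decode(x)) for x in (h_b64, c_b64))
    except ValueError:
        return False, "malformed JWT"
    if header.get("alg") != "RS512":  # the token does not get to pick the algorithm
        return False, "unexpected alg"
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:  # a rotated key needs a new kid, or the cached old key keeps being used
        return False, "unknown kid"
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs512_verify((h_b64 + "." + c_b64).encode("ascii"), b64url_decode(s_b64), n, e):
        return False, "JWT is not valid"  # signed with a private key other than the one the JWKS shows
    if claims.get("aud") != expected_aud:  # exact string compare, port included
        return False, "Invalid JWT audience"
    if not claims.get("iat", 0) - skew <= now < claims.get("exp", 0) + skew:
        return False, "assertion expired or not yet valid"
    return True, "ok"

if __name__ == "__main__":
    # Placeholders: the real client_id and aud (with :443) come from your CIS2 registration and the docs.
    key, aud = generate_rsa(2048), "https://idp.example.test:443/oauth2/access_token"
    tok = build_client_assertion("example-client-id", aud, key, "cis2", int(time.time()))
    print(check_client_assertion(tok, {"keys": [public_jwk(key, "cis2")]}, aud, int(time.time())))
    print(check_client_assertion(tok, {"keys": [public_jwk(key, "cis2")]}, aud.replace(":443", ""), int(time.time())))
```

Running `check_client_assertion` against the assertion your application actually sends and the JWKS you actually serve reproduces the endpoint's verdict offline: a "JWT is not valid" here means the signing key and the published key disagree, and "Invalid JWT audience" means the aud string differs from the documented value, even by a missing port.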

Hi John, to avoid further confusion on our part, can you please repost that link here in case we may not be following that documentation?

Our troubleshooting page covers all the above (and more)

https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/integrate/design-and-build/key-management

Similarly our initial implementation page state exactly what is required:

https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/integrate/design-and-build/sign-in-journey

I would ensure you’ve read those and the other developer guidance pages in full

Hi John,

It would appear the team has made some progress, but now we are getting this error when trying to redirect to the correct page. Any advice please?

CIS2 Authentication

Returned state: 396d7f9980654245a23ddc2410636e8d
Cookie state: [396d7f9980654245a23ddc2410636e8d]
CIS2 Authentication Error:

Authentication not recent.

Stack: at VisionIntel.IStaffRota.WebApp.cis2.Cis2Callback.Page_Load(Object sender, EventArgs e) in d:\HostingSpace\istaffrota_UATNew\cis2\Cis2Callback.aspx.cs:line 129

Hi Andre, that looks like your internal code so I can’t comment - given the error it looks like you are checking the auth_time - ensure your clocks are synced and you have a small grace period to allow for clock-skew - again please refer to the docs above for guidance

Hi John,

We seem to have resolved all CIS2 issues but we are struggling with a redirect issue, and it could be you have come across this with other companies. We are here at the last stage that says ‘display home page’, but it does not seem to recognise the user that is already logged in.

Source Error:
Line 177: //lblStatus.Text = currentUserId;
Line 178: lblStatus.Text = "Authentication successful. Redirecting…";
Line 179: string userId = Request.Cookies["currentUserId"]?.Value;
Line 180: string companyId = Request.Cookies["companyId"]?.Value;
Line 181:

Has anyone come across it, and are there any ideas you could help us with, please? Here is our line of code:

I can't comment on your internal code, but you appear to be trying to get the user ID, etc. from a cookie? They are returned by CIS2 Auth within the ID_TOKEN - how you use them is an implementation issue for your developers - but I would suggest you aren't capturing the information properly.
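An added example for the two points John makes in his last replies: the auth_time check needing a clock-skew allowance, and the user identity coming from the ID token rather than from a request cookie. It is my code, not the iStaffRota callback and not CIS2's. It takes the claims of an ID token whose signature has already been verified against the provider's JWKS by your JWT library (the payload parser below deliberately does no signature check), compares the OAuth state from the callback with the one in the cookie, and returns either the user record or the reason the token was rejected. Claim names are the standard OpenID Connect ones (iss, aud, nonce, exp, iat, auth_time, sub); the issuer, client_id, max_age, skew and sample claims are constructed for the demo.

```python
import base64
import hmac
import json
import time


def jwt_payload(token):
    """Payload segment only. This does NOT check the signature; call it only on an
    ID token your JWT library has already verified against the provider's JWKS."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def state_matches(returned_state, cookie_state):
    """Constant-time compare of the state echoed back with the one set in the cookie."""
    return bool(returned_state and cookie_state) and hmac.compare_digest(returned_state, cookie_state)


def check_id_token_claims(claims, issuer, client_id, nonce, max_age, now=None, skew=60):
    """Return (user, None) if the verified ID token is acceptable, else (None, reason).

    skew: seconds of clock drift tolerated between this server and the provider.
    max_age: the freshness the app asked for via the max_age request parameter;
    'Authentication not recent' is the auth_time check failing.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        return None, "wrong iss"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong aud"
    if claims.get("nonce") != nonce:
        return None, "nonce mismatch"
    if now >= claims.get("exp", 0) + skew:
        return None, "id_token expired"
    if claims.get("iat", 0) > now + skew:
        return None, "iat in the future; check clock sync"
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return None, "auth_time missing"
    if now - auth_time > max_age + skew:
        return None, "Authentication not recent"
    if not claims.get("sub"):
        return None, "sub missing"
    # The identity comes from the verified token, not from a request cookie.
    return {"user_id": claims["sub"], "auth_time": auth_time}, None


# Constructed sample: claims as they would appear in an already-verified ID token,
# wrapped in a JWT-shaped string with a dummy header and signature segment.
SAMPLE_CLAIMS = {"iss": "https://idp.example.test", "aud": "example-client-id",
                 "nonce": "n-5f2a", "iat": 1000, "exp": 1300, "auth_time": 990, "sub": "user-42"}
SAMPLE_ID_TOKEN = "eyJhbGciOiJSUzUxMiJ9." + base64.urlsafe_b64encode(
    json.dumps(SAMPLE_CLAIMS).encode()).rstrip(b"=").decode() + ".c2ln"

if __name__ == "__main__":
    claims = jwt_payload(SAMPLE_ID_TOKEN)
    for t in (1100, 1350, 1351, 1400):
        print(t, check_id_token_claims(claims, "https://idp.example.test",
                                       "example-client-id", "n-5f2a", 300, now=t))
```

With max_age 300 and skew 60 the sample token is accepted up to 360 seconds after auth_time and rejected one second later; without the skew a server whose clock runs a minute ahead of the provider would reject fresh logins at the boundary. Store the user_id the function returns in your own session, not the ID token's claims in a client-readable cookie.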