Token endpoint error

We keep getting this error. Can anyone point us in the right direction?


Token endpoint error: {"error_description":"JWT is not valid","error":"invalid_client"}

Stack: at Cis2AuthService.ExchangeCodeForTokenObject(String code) in d:\HostingSpace\istaffrota_UATNew\App_Code\Cis2AuthService.cs:line 69 at VisionIntel.IStaffRota.WebApp.cis2.Cis2Callback.Page_Load(Object sender, EventArgs e) in d:\HostingSpace\istaffrota_UATNew\cis2\Cis2Callback.aspx.cs:line 59

Assuming you are calling the CIS2 Auth token endpoint, we would need more details of the request to find the error log entry. However, this is generally caused by invalid config on your side.

This is likely because the JWKS endpoint is not valid, not accessible or returning invalid keys - it has to be discoverable and visible over the internet. Check for bad characters, commas, etc. in your JWKS file, ensure the right KID is being used and that the key is valid.

Hi John,

Thanks for your reply

As requested, please find below the RSA key configuration along with the endpoint URL for the token used in our code, along with this attachment here: https://drive.google.com/file/d/1kFv4R-aMdJ_mIYyT-SFnfWx5elDbphCu/view?usp=sharing

Key Configuration (JWKS):

{
"keys": [
{
  "kty": "RSA",
  "use": "sig",
  "kid": "cis2",
  "alg": "RS512",
  "n": "8F210CC032CAC5DEFD46BAFFB7580BBF040A9A0AD56B0B211EBA4EA0BF61ABC524AEB8CBAEEA65AA8613679D32213A2DC89934C44860056DC6E11EA5C02157DA741DEFA97A4C84F2E3AC24C0D9D544DE5F4B4E2EF75FDE020FBB4E22D8EDF019B3F8401B75C7AEB2017651B78750B72F51D40AA2900B5FB23B3D5E2B13503D103A3239B6C57D4F4661D160C691CFEEDD56030B56E837E20760BE12C67F1544ABE633463BCDB60810B6BE6D212E4E78E24B411CE1493E02460B9838F0EE74B1A7FF115774F12F3FF6DF1DADF530196C35F9FF8DA62FA0497CA5718ADDA1FF01333958BB1522216579B119F55269DB5D41EDC456504CA2258426D1DEB9F7AA2FD8E275CB9AD0A549A259262569D0421E31E3BE7D06E2E8282DBE7F21E4375582CCA9012E7220200000E056207549D75481113222249293588F6BD97F9286A4186D7929E4A75E4C40164A5E681020A3EE21BB00C35942820BDA66F9C7EF4FFB3E7AB0069E4A0A1DF2FEDFE9A5C7E10EB73AA7CE0C16CB5F06A90F0D96F9F3AAA914AD316498A3E54A9A92A8AB4E343B17E6043FF3796F4CFC4BFA259CC689B393F2CAF16F89D8B1013E57F2E529E894A7AAB5DAF2992516E3D08E313E6B880D0067DDAD684D4295A96F5303AA019C1ECD6E4A562C38D9711D6EF40D1C98496ACBBA92D61FFD5B40603FC201E9B478672A149D49045D85E4365082E87853C0AAE3C3",
  "e": "AQAB"
}
]
}

Endpoint URL:

https://uat.istaffrota.com/.well-known/jwks.json

Thanks for that. Firstly and most importantly, you have included passwords and secrets in the linked file - please replace those in your code and delete the zip file.

Secondly, the issue is that the JWKS file appears to be UTF-8 and has a BOM (Byte Order Marker) at the start, which is not recognised (0xef, 0xbb, 0xbf). Please upload a vanilla text file without the BOM.

For reference, UTF-8 using a BOM is not mandatory.

Thanks for the advice. Deleted now. On the rest, we will try and let you know the outcome.

Please see this file:

That still has the BOM - you can see it if you view the file in hex. Ensure the app used to save the file isn't using UTF-8 and/or the BOM is disabled.
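As an added check that is not part of the thread, the script below lints a JWKS file for the problems raised in the replies above: a UTF-8 BOM ahead of the opening brace (so the first byte is not 0x7B), invalid JSON, a kid that does not match the one the JWT header will carry, and RSA parameters written as a hex dump rather than base64url of the big-endian bytes. The sample documents embedded in it are constructed for the example and are not the real key from this thread; the 2048-bit minimum and the hex heuristic are this example's own assumptions.

```python
# Added example (not the thread's code): lint a JWKS file for a UTF-8 BOM before
# the '{', invalid JSON, a missing/mismatched kid, and RSA parameters written as
# hex instead of base64url. Standard library only.
import base64
import json
import re

UTF8_BOM = b"\xef\xbb\xbf"
B64URL = re.compile(r"[A-Za-z0-9_-]+")
HEXISH = re.compile(r"[0-9A-Fa-f]+")

def strip_bom(raw: bytes) -> tuple:
    """Return (content without BOM, whether a BOM was present)."""
    if raw.startswith(UTF8_BOM):
        return raw[len(UTF8_BOM):], True
    return raw, False

def lint_jwks(raw: bytes, expected_kid: str = None) -> list:
    """Return the problems found in the raw file bytes; an empty list means it looks usable."""
    problems = []
    body, had_bom = strip_bom(raw)
    if had_bom:
        problems.append("file starts with a UTF-8 BOM (EF BB BF); save it without one")
    if not body.lstrip().startswith(b"{"):
        problems.append("first non-blank byte is not '{' (0x7B)")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        problems.append(f"not valid JSON: {exc}")
        return problems
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        problems.append('"keys" must be a non-empty array')
        return problems
    for i, jwk in enumerate(keys):
        if not isinstance(jwk, dict):
            problems.append(f"key {i}: not a JSON object")
            continue
        for field in ("kty", "kid", "n", "e"):
            if not isinstance(jwk.get(field), str):
                problems.append(f"key {i}: missing or non-string {field!r}")
        if jwk.get("kty") != "RSA":
            continue
        for field in ("n", "e"):
            val = jwk.get(field) or ""
            if not B64URL.fullmatch(val):
                problems.append(f"key {i}: {field!r} is not base64url (padding '=' or stray characters?)")
            elif len(val) >= 256 and len(val) % 2 == 0 and HEXISH.fullmatch(val):
                # heuristic: a base64url modulus is never all hex digits, a hex dump always is
                problems.append(f"key {i}: {field!r} looks like hex; JWK needs base64url of the big-endian bytes")
            else:
                padded = val + "=" * (-len(val) % 4)
                n_bits = int.from_bytes(base64.urlsafe_b64decode(padded), "big").bit_length()
                if field == "n" and n_bits < 2048:  # assumed minimum for this example
                    problems.append(f"key {i}: modulus is only {n_bits} bits")
    if expected_kid is not None and not any(k.get("kid") == expected_kid for k in keys):
        problems.append(f"no key with kid {expected_kid!r}; the JWT header's kid must match")
    return problems

def _sample(n_value: str) -> bytes:
    jwk = {"kty": "RSA", "use": "sig", "kid": "cis2", "alg": "RS512", "n": n_value, "e": "AQAB"}
    return json.dumps({"keys": [jwk]}).encode("utf-8")

# Constructed samples (not the thread's real key): the same 256 modulus bytes as
# base64url (correct), as a hex dump (wrong), and with a BOM prepended (wrong).
_MOD = bytes([0xC3]) + bytes((i * 37 + 11) % 256 for i in range(1, 256))
SAMPLE_OK = _sample(base64.urlsafe_b64encode(_MOD).rstrip(b"=").decode("ascii"))
SAMPLE_HEX = _sample(_MOD.hex().upper())
SAMPLE_BOM = UTF8_BOM + SAMPLE_OK

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_BOM
    print("\n".join(lint_jwks(data, expected_kid="cis2")) or "JWKS looks usable")
```

Run it against the file you are about to publish (`python3 lint_jwks.py jwks.json`) before uploading; the BOM check works on the raw bytes, so it catches the three hidden characters that a text editor will not show.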

Hi John,

I am informed that this is also available at this URL: https://uat.istaffrota.com/.well-known/jwks.json. Is that sufficient?

But here is a new version of the file also:

{
"keys": [
{
  "kty": "RSA",
  "use": "sig",
  "kid": "cis2",
  "alg": "RS512",
  "n": "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",
  "e": "AQAB"
}
]
}

The location doesn't matter, it is the content - it will work as expected when the BOM is removed from the start of the file. The above is still incorrect (there are 3 hidden characters in the actual file).

Hi John,

The latest file sent does not seem to have a BOM in it. Is it not the case that if it starts with 7B, then it does not have a BOM? The developers are out for the day, but saved this file as UTF-8… Would this work?

Hi John, the developers have started this morning.

This file was tried:

But we still get this error. Where could we be going wrong, please?

CIS2 Authentication

Returned state: ……
CIS2 Authentication Error:

Token endpoint error: {"error_description":"JWT is not valid","error":"invalid_client"}

Stack: at Cis2AuthService.ExchangeCodeForTokenObject(String code) in d:\HostingSpace\istaffrota_UATNew\App_Code\Cis2AuthService.cs:line 69 at VisionIntel.IStaffRota.WebApp.cis2.Cis2Callback.Page_Load(Object sender, EventArgs e) in d:\HostingSpace\istaffrota_UATNew\cis2\Cis2Callback.aspx.cs:line 59

The signature is invalid given the above key - you can use https://JWT.io to test your assertion value using your public key from the JWKS file. When I place the current key and your last assertion (as of 8:12 this morning), it fails validation. I'd suspect the key used to sign the token is different to the public key. Note that if you change the key value you need to change the kid in line with any rotation - we will cache the key for a period of time and will only fetch it again if we don't recognise the kid.

Hi John,

We are really not having any luck here.

token : eyJhbGciOiJSUzUxMiIsImtpZCI6ImNpczIiLCJ0eXAiOiJKV1QifQ.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.hT3FCLU4tVJpdv1ysXI0-PNpK8Ig9x9o7RbpI9n-QvWXzTFX3lsZc12HOnxVpLPiER-ZgIsrwtoiFMlD4o0oqqCq6VVBFv5qWbpT8z0CKtX-dVjR-ZQWMqGDWYo8cZuWI_fmh2i_iyE2zSAkSE39TaD1Ig2GiiTexjRXAGpIBPvzqf2Mtv4WjJLfU8Ok2amZ0pWneTMzKTtvzMjzJF_2hiBy8A849XW-iW6shpBIkDKq72y3PN7G7J4RKMdegueywuwN8e8gbjHBhhF5EBoCZLW__W7ronjKhDo-4pKisNY_Zcj_d_qqQOyQH7HJ5ZS2gxLt1-bk7n3Pqtq-NBi7TBIJhgSiLuVcDlpIgArAjpFHXxbSxBGl5cUKurFf99aQElpoICOnd-ghhn9m3f6lEfESCvJUST2JwtVLlJe1xAND97nT72UT3gKCrsAZN5ckGBoiTb-TnaMkLvUvDG4IzHDAQhvz0puPoT7GRtIFOrW2lsuz2JRB1a6WGjCUUMpBpkL2_cGElwAjUZDI4xPSymz0qwKPyMiwEbsUrzpm_DWgBIgInsYrrzsnKyL7IpP79WRdLspLa-1KrCT6LwcDotxcj6uCMkHNfypRtDrfd3I_kwPBIOOrQ-u6Gj6vQIs9369P3dVpm39TiDSu1KgZkoMN0i78qNSgeR8r-Hut9fI

jwks :

{“kty”:“RSA”,“use”:“sig”,“kid”:“cis2”,“alg”:“RS512”,“n”:“jyEMwDLKxd79Rrr_t1gLvwQKmgrVawshHrpOoL9hq8UkrrjLruplqoYTZ50yITotyJk0xEhgBW3G4R6lwCFX2nQd76l6TITy46wkwNnVRN5fS04u91_eAg-7TiLY7fAZs_hAG3XHrrIBdlG3h1C3L1HUCqKQC1-yOz1eKxNQPRA6Mjm2xX1PRmHRYMaRz-7dVgMLVug34gdgvhLGfxVEq-YzRjvNtggQtr5tIS5OeOJLQRzhST4CRguYOPDudLGn_xFXdPEvP_bfHa31MBlsNfn_jaYvoEl8pXGK3aH_ATM5WLsVIiFlebEZ9VJp211B7cRWUEyiJYQm0d6596ov2OJ1y5rQpUmiWSYladBCHjHjvn0G4ugoLb5_IeQ3VYLMqQEuciAgAADgViB1SddUgREyIiSSk1iPa9l_koakGG15KeSnXkxAFkpeaBAgo-4huwDDWUKCC9pm-cfvT_s-erAGnkoKHfL-3-mlx-EOtzqnzgwWy18GqQ8NlvnzqqkUrTFkmKPlSpqSqKtONDsX5gQ_83lvTPxL-iWcxomzk_LK8W-J2LEBPlfy5SnolKeqtdrymSUW49COMT5riA0AZ92taE1ClalvUwOqAZwezW5KViw42XEdbvQNHJhJasu6ktYf_VtAYD_CAem0eGcqFJ1JBF2F5DZQguh4U8Cq48M”,“e”:“AQAB”}

Everything seems valid, but we are getting the same error. At some point we got this error: Token endpoint error: {"error_description":"Invalid JWT audience","error":"invalid_client"}
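To make the checks discussed in the last two replies concrete (signature against the JWKS key, kid lookup, and the later "Invalid JWT audience" error), here is an added example that is not code from the thread or from the CIS2 service. It builds a private_key_jwt client assertion with RS512 and verifies it against a JWKS document the way a token endpoint does, returning which check failed instead of a generic "JWT is not valid". It is standard-library Python only: the RSA key generation and PKCS#1 v1.5 routines are an educational implementation, not a substitute for a vetted library, and the client id and token endpoint URL in the usage are assumed placeholders.

```python
# Added example: RS512 private_key_jwt assertion built and verified against a JWKS.
# Stdlib only; the RSA/PKCS#1 v1.5 code is educational, use a vetted library for real.
import base64
import hashlib
import json
import secrets
import time

_SHA512_DIGESTINFO = bytes.fromhex("3051300d060960864801650304020305000440")  # RFC 8017 9.2

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 2048) -> dict:
    """Private key as {'n', 'e', 'd'} integers (1024 bits is enough for a quick demo)."""
    e = 65537
    while True:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if p != q and _is_probable_prime(p) and _is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
                return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def public_jwk(key: dict, kid: str) -> dict:
    """Public half as a JWK: n and e are base64url of the big-endian bytes, NOT hex."""
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "kid": kid, "alg": "RS512", "n": enc(key["n"]), "e": enc(key["e"])}

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    t = _SHA512_DIGESTINFO + hashlib.sha512(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs512_sign(message: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs512_verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))

def build_client_assertion(key: dict, kid: str, client_id: str, token_endpoint: str, ttl: int = 300) -> str:
    """private_key_jwt: iss = sub = client_id, aud = the token endpoint URL, signed with kid's key."""
    now = int(time.time())
    header = {"alg": "RS512", "kid": kid, "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + ttl}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(rs512_sign(signing_input.encode(), key))

def verify_client_assertion(token: str, jwks: dict, expected_aud: str) -> str:
    """Return 'ok' or the reason a token endpoint would reject the assertion."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = (json.loads(b64url_decode(x)) for x in (h_b64, c_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return "malformed token"
    if header.get("alg") != "RS512":
        return "unexpected alg"
    jwk = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return "unknown kid"  # a server re-fetches the JWKS once, then rejects
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rs512_verify(f"{h_b64}.{c_b64}".encode(), b64url_decode(s_b64), n, e):
        return "signature invalid"  # the thread's "JWT is not valid"
    if claims.get("aud") != expected_aud:
        return "invalid audience"  # the thread's "Invalid JWT audience"
    if int(time.time()) >= claims.get("exp", 0):
        return "expired"
    return "ok"
```

Call verify_client_assertion with the exact assertion your client sends, the JWKS document you publish, and the token endpoint URL you passed as aud; a result of "signature invalid" with a matching kid means the private key in the application is not the pair of the public key in the JWKS, which is the situation described above, while "invalid audience" means the aud claim differs from the URL the endpoint expects.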