FusionAuth

Issuing Signature failed tokens

  • A
    aleksandr.vits-rimer
    last edited by 4 Jul 2022, 16:18

    Hi FusionAuth team, FA API has a weird behaviour when issuing JWT tokens.

    Error example:

    Firebase\JWT\SignatureInvalidException: Signature verification failed in /vendor/firebase/php-jwt/src/JWT.php:141
    

    The setup is working well, but from time to time FA can generate an invalid access token. It happened 5 times over the weekend - rarely, but it does.
    I use elliptic certificates, customers and guest JWT tokens and both were affected.
    For the customers - I use lambda to fill custom claims, but for the guest - I use vend endpoint - so it's not related to the way to issue it.
    Could you help me with it?
    The invalid guest token:

    eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Il9YZkZkRUlwN24yTEdkcVJjUGdtQVcxM1NMWSJ9.eyJleHAiOjE2ODgzNjg3ODEsImlhdCI6MTY1NjgxMTg0MSwianRpIjoiNGE1ODNjZDMtZDllZS00ZjExLWE3M2YtYTJkOTk5YzNmNzBkIiwiYXBwbGljYXRpb25JZCI6ImMyNDMyMWZhLTc5OTctNDRjMy04ZGVkLTI1MGEyMjNkNDQ5YSIsImN1c3RvbWVySWQiOjAsImN1c3RvbWVyR3JvdXBJZCI6MCwic3RvcmVUeXBlIjoxLCJmYVVzZXJJZCI6MCwic3RvcmVJZCI6MSwid2Vic2l0ZUlkIjoxLCJsb2NhbGUiOiJlbl9HQiJ9.AGwaLswrLuwvOHpwcf4ayrLp8OLBB2XLXSl05oKNpABGH7j4dRbOaRhmZD5vZm4eZxICWsaWCzSowNLzsLxL6g
    
    • A
      aleksandr.vits-rimer
      last edited by 7 Jul 2022, 07:52

      Hi, any updates here?
      My token is valid for a year, but the signature failed for it. And it was issued by vend endpoint from FA. And it was signed by a key that was generated via "generate elliptic" button in the FA admin.

      • D
        dan @aleksandr.vits-rimer
        last edited by 7 Jul 2022, 10:54

        @aleksandr-vits-rimer

        Hiya,

        This is not an issue I've seen before. Would need a bit more info to help you troubleshoot.

        What version of FusionAuth are you running?

        Are there common claims, keys, or other similarities for the tokens that are failing to be verified?

        Verification depends on the library you are using with php-jwt. Which library are you using? It looks like you should be using openSSL, based on the header for the token you provided (which is using ES256 for the alg) and this line: https://github.com/firebase/php-jwt/blob/main/src/JWT.php#L57 What version of openssl do you have installed?

        Also, I'd make sure that the key (via JWKS) is always available to the client. I don't know that that is the issue, but if the public key is not available, that will cause problems.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • A
          aleksandr.vits-rimer
          last edited by dan 7 Jul 2022, 15:07 7 Jul 2022, 11:35

          Thank you for your answer. The jwt token validation is unrelated to the library because I have the same behaviour on the python validator on the different microservice. (I checked signature failed on 3 different environments, including manual checking on my local machine)
          I noticed it happening spikely and probably related to the same spikes on the ES cluster. Is it possible that issuing the new jwt depends on ES health?
          I see GC problems at the same time on my ES cluster and that is why I'm asking.
          This is a public key (better to remove it before publishing if it is possible)

          (removed)
          
          • A
            aleksandr.vits-rimer @dan
            last edited by 7 Jul 2022, 12:26

            @dan the version - v1.36.7

            • D
              dan @aleksandr.vits-rimer
              last edited by 7 Jul 2022, 15:12

              @aleksandr-vits-rimer

              Ah, if you can replicate it across environments and languages, it may be some kind of bug. (Latest version is 1.36.8 but I don't see any issues in the release notes that would have affected this.)

              It would be great if you could write up reproduction steps and file an issue here so we can take a look:

              https://github.com/FusionAuth/fusionauth-issues/issues/new?assignees=&labels=&template=bug_report.md

              Feel free to reference this forum post in the "additional context" section. And if you can provide a sample script, that would be helpful.

              I noticed it happening spikely and probably related to the same spikes on the ES cluster. Is it possible that issuing the new jwt depends on ES health?

              I don't think so, but if your machine is starved of resources due to a spike, it may be the request for the public keys endpoint is not returning in the appropriate expected timeframe, causing the validation to fail. Usually libraries cache this JWKS value, or you can use a HTTP proxy in front of FusionAuth to cache the JWKS values for ~5 minutes.

              (Also, I voted up your post, so future posts from you won't be moderated.)

              --
              FusionAuth - Auth for devs, built by devs.
              https://fusionauth.io
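
Added example, not part of the original posts and not FusionAuth's or php-jwt's code: a sketch of the client-side JWKS caching suggested in both of dan's replies (keep the key available, cache for ~5 minutes). It serves the stale copy when a refresh fails and raises a distinct `KeyUnavailable` error, so logs can separate "could not get the key" from "signature did not verify". The `fetch` callable, `min_retry` value and class names are assumptions.

```python
import time


class KeyUnavailable(Exception):
    """The verification key could not be obtained; says nothing about the signature."""


class JWKSCache:
    def __init__(self, fetch, ttl=300.0, min_retry=10.0, clock=time.monotonic):
        self._fetch = fetch          # hypothetical callable: returns the parsed JWKS dict or raises
        self._ttl = ttl              # ~5 minutes, as suggested in the thread
        self._min_retry = min_retry  # floor between fetch attempts (assumed value)
        self._clock = clock
        self._keys = {}
        self._fetched_at = None      # time of the last successful fetch
        self._tried_at = None        # time of the last attempt, successful or not

    def _refresh(self):
        now = self._clock()
        if self._tried_at is not None and now - self._tried_at < self._min_retry:
            return                   # rate limit: unknown kids must not hammer the endpoint
        self._tried_at = now
        try:
            jwks = self._fetch()
        except Exception:
            return                   # endpoint slow or down: keep the stale copy, if any
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = now

    def get_key(self, kid):
        now = self._clock()
        stale = self._fetched_at is None or now - self._fetched_at >= self._ttl
        if stale or kid not in self._keys:
            self._refresh()          # an unknown kid may be a freshly rotated key
        if kid not in self._keys:
            raise KeyUnavailable(f"no key for kid {kid!r}")
        return self._keys[kid]
```

A verifier would call `get_key()` with the `kid` from the token header before checking the signature, and log `KeyUnavailable` separately from the library's signature exception.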

              • A
                aleksandr.vits-rimer
                last edited by 19 Jul 2022, 14:36

                Created the github issue - https://github.com/FusionAuth/fusionauth-issues/issues/1795
