Duplicate "kid" field in JWKS fails "Decode Json Web Token" assertion

Duplicate "kid" field in JWKS fails "Decode Json Web Token" assertion


Article ID: 138833


Updated On:

Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

The JWKS URL currently contains a duplicate entry for the "kid". When trying to check a JWT using the "Decode Json Web Token" assertion (using "Recipient Key Context Variable" with the content of the JWKS URL, "Key Type" = "JSON Web Key Set" and "Key ID" as parameters), the assertion fails logging the following error:

JOSE Error: Could not find key from JWKS.
Possible reasons: 1) could not find a key based kid, kty, and use or
2) the combination of kid, kty and use fields produce more than one key.

Can a later version of the assertion handle this scenario? Most libraries seem to iterate the JWKS "keys" array and just return the first match.


Environment

Release : 9.2

Component : API GTW ENTERPRISE MANAGER

Resolution

We have checked the code responsible for this behavior.
It is intentionally designed like this.
As per RFC 7517, a JSON Web Key Set should not contain duplicate entries: at least one part of the combination (kid, kty, use) should differ between any two entries.
So if the parser returns multiple entries for the same combination, then in order to keep our code compliant with the spec, the Gateway does not allow selecting any key and logs the message stating that the combination of kid, kty and use fields produces more than one key.
You need to remove the duplicates from the JWKS before feeding it to the assertion.
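The strict lookup the Gateway performs, and the deduplication the resolution asks for, as an added illustration (not Gateway code): exact duplicates are dropped, but entries that share kid/kty/use while carrying different key material are deliberately left for a human to resolve, because "first match wins" would silently pick one of two different keys. The JWKS and its key material below are constructed placeholders.

```python
import json

# Constructed sample JWKS: entries 1 and 2 are an exact duplicate of one RSA
# key (the situation in the article); entry 3 shares the kid but is an EC key.
# Key material is placeholder text, not a real key.
SAMPLE_JWKS = json.loads("""
{"keys": [
  {"kty": "RSA", "kid": "2020-01", "use": "sig", "alg": "RS256", "n": "placeholder-n", "e": "AQAB"},
  {"kty": "RSA", "kid": "2020-01", "use": "sig", "alg": "RS256", "n": "placeholder-n", "e": "AQAB"},
  {"kty": "EC", "kid": "2020-01", "use": "sig", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
]}
""")


class JwksLookupError(Exception):
    """Raised when (kid, kty, use) does not identify exactly one key."""


def canonical(jwk):
    """Stable string form of a JWK so exact duplicates compare equal."""
    return json.dumps(jwk, sort_keys=True, separators=(",", ":"))


def dedupe_jwks(jwks):
    """Drop entries that are exact duplicates of an earlier entry.

    Entries that share kid/kty/use but differ in key material are kept:
    choosing between them would be a trust decision, not cleanup, so the
    strict lookup below will still refuse them until the publisher fixes the set.
    """
    seen, keys = set(), []
    for jwk in jwks.get("keys", []):
        c = canonical(jwk)
        if c not in seen:
            seen.add(c)
            keys.append(jwk)
    return {"keys": keys}


def select_key(jwks, kid, kty=None, use=None):
    """Return the single JWK matching kid (and kty/use when given).

    Mirrors the Gateway's strict behaviour: zero or several matches is an
    error rather than 'return the first match'.
    """
    matches = [k for k in jwks.get("keys", [])
               if k.get("kid") == kid
               and (kty is None or k.get("kty") == kty)
               and (use is None or k.get("use") == use)]
    if len(matches) != 1:
        raise JwksLookupError(
            f"{len(matches)} keys match kid={kid!r} kty={kty!r} use={use!r}")
    return matches[0]
```

Run `select_key(dedupe_jwks(SAMPLE_JWKS), "2020-01", "RSA", "sig")` to see the lookup succeed once the exact duplicate is gone, while the same call on the raw set raises.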