OAuth Discovery endpoint not updated, impossible to validate issued tokens
Summary
The keys discovery endpoint does not contain the public key needed to verify issued id_tokens.
Steps to reproduce
- Create a new group application, setting the application callback and the scopes `openid,profile,email`
- Retrieve the newly created CLIENT_ID and CLIENT_SECRET
- Initiate the OAuth process with the `code` flow (example request below)

  https://gitlab.com/oauth/authorize?&client_id=CLIENT_ID&response_type=code&redirect_uri=****&state=1599045135410-jFe&scope=openid%20profile%20email&nonce=1599046102647-dv4
- Use the code sent back to the callback URL to request the OAuth token (example request below; the Authorization header is double-quoted so the `$(...)` substitution actually runs, and the base64 output is stripped of line breaks)

```bash
curl -Ss -X POST https://gitlab.com/oauth/token \
  -H "Authorization: Basic $(printf '%s' 'CLIENT_ID:CLIENT_SECRET' | base64 | tr -d '\n')" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code&redirect_uri=****&code=****'
```
What is the current bug behavior?
The public key needed to verify the token is not present in the keys discovery endpoint response, so the relying party cannot match the token's `kid` to any published key and verification fails.
What is the expected correct behavior?
The public key needed to verify the token is present in the keys discovery endpoint response, under the same `kid` the id_token header carries.
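As an added illustration (not code from this report or from GitLab), this is the relying-party check that pins down the failure described above: select the signing key by the token's `kid`, re-fetch the JWKS once in case of a key rotation, and only then report the key as unpublished. The sample JWKS is constructed from the two key ids in the discovery response shown below with moduli omitted; `fetch_jwks`, `check_token` and `make_test_token` are assumed helper names.

```python
import base64
import json
# Constructed sample JWKS carrying the two key ids from the discovery response
# in this report; moduli are omitted because only kid/kty/use/alg drive selection.
JWKS_SAMPLE = {"keys": [
    {"kty": "RSA", "kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
     "e": "AQAB", "n": "<modulus omitted>", "use": "sig", "alg": "RS256"},
    {"kty": "RSA", "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
     "e": "AQAB", "n": "<modulus omitted>", "use": "sig", "alg": "RS256"},
]}

def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_test_token(header: dict) -> str:
    # Constructed token: a real JOSE header over a dummy payload and signature.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"42"}'), enc(b"sig")])

def resolve_signing_key(id_token: str, fetch_jwks) -> dict:
    # fetch_jwks returns the parsed /oauth/discovery/keys document. A kid miss
    # triggers one re-fetch (keys may have rotated); a second miss means the
    # issuer never published the key, which is the failure described here.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header = json.loads(_unb64url(parts[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if alg != "RS256":  # trust only the alg the IdP advertises, never "none"
        raise ValueError(f"unsupported alg {alg!r}")
    if not kid:
        raise ValueError("id_token header has no kid")
    for _ in range(2):
        keys = fetch_jwks().get("keys", [])
        for jwk in keys:
            if jwk.get("kid") != kid:
                continue
            if (jwk.get("kty"), jwk.get("use", "sig"), jwk.get("alg", alg)) != ("RSA", "sig", alg):
                raise ValueError(f"kid {kid} published but unusable for {alg}")
            return jwk
    raise LookupError(f"kid {kid} absent; published: {[k.get('kid') for k in keys]}")

def check_token(id_token: str, fetch_jwks=lambda: JWKS_SAMPLE) -> str:
    try:
        return "found:" + resolve_signing_key(id_token, fetch_jwks)["kid"]
    except LookupError:
        return "missing"
```

A "missing" result after the second fetch is the issuer-side condition this report describes and should be logged as such, rather than being folded into a generic "invalid signature" error.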
Relevant logs and/or screenshots
This is the KID found inside the id_token:
This is the keys discovery endpoint response (captured 20230404151136 from https://gitlab.com/oauth/discovery/keys):

```json
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
      "e": "AQAB",
      "n": "5RyvCSgBoOGNE03CMcJ9Bzo1JDvsU8XgddvRuJtdJAIq5zJ8fiUEGCnMfAZI4of36YXBuBalIycqkgxrRkSOENRUCWN45bf8xsQCcQ8zZxozu0St4w5S-aC7N7UTTarPZTp4BZH8ttUm-VnK4aEdMx9L3Izo0hxaJ135undTuA6gQpK-0nVsm6tRVq4akDe3OhC-7b2h6z7GWJX1SD4sAD3iaq4LZa8y1mvBBz6AIM9co8R-vU1_CduxKQc3KxCnqKALbEKXm0mTGsXha9aNv3pLNRNs_J-cCjBpb1EXAe_7qOURTiIHdv8_sdjcFTJ0OTeLWywuSf7mD0Wpx2LKcD6ImENbyq5IBuR1e2ghnh5Y9H33cuQ0FRni8ikq5W3xP3HSMfwlayhIAJN_WnmbhENRU-m2_hDPiD9JYF2CrQneLkE3kcazSdtarPbg9ZDiydHbKWCV-X7HxxIKEr9N7P1V5HKatF4ZUrG60e3eBnRyccPwmT66i9NYyrcy1_ZNN8D1DY8xh9kflUDy4dSYu4R7AEWxNJWQQov525v0MjD5FNAS03rpk4SuW3Mt7IP73m-_BpmIhW3LZsnmfd8xHRjf0M9veyJD0--ETGmh8t3_CXh3I3R9IbcSEntUl_2lCvc_6B-m8W-t2nZr4wvOq9-iaTQXAn1Au6EaOYWvDRE",
      "use": "sig",
      "alg": "RS256"
    },
    {
      "kty": "RSA",
      "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
      "e": "AQAB",
      "n": "4cxDjTcJRJFID6UCgepPV45T1XDz_cLXSPgMur00WXB4jJrR9bfnZDx6dWqwps2dCw-lD3Fccj2oItwdRQ99In61l48MgiJaITf5JK2c63halNYiNo22_cyBG__nCkDZTZwEfGdfPRXSOWMg1E0pgGc1PoqwOdHZrQVqTcP3vWJt8bDQSOuoZBHSwVzDSjHPY6LmJMEO42H27t3ZkcYtS5crU8j2Yf-UH5U6rrSEyMdrCpc9IXe9WCmWjz5yOQa0r3U7M5OPEKD1-8wuP6_dPw0DyNO_Ei7UerVtsx5XSTd-Z5ujeB3PFVeAdtGxJ23oRNCq2MCOZBa58EGeRDLR7Q",
      "use": "sig",
      "alg": "RS256"
    }
  ]
}
```