
OAuth Discovery endpoint not updated, impossible to validate issued tokens

Summary

The keys discovery endpoint does not contain the public key needed to verify issued id_tokens.

Steps to reproduce

  • Create a new group application setting the application callback and the scopes openid,profile,email
  • Retrieve the newly created CLIENT_ID and CLIENT_SECRET
  • Initiate the OAuth process with the authorization code flow (example request below)
    https://gitlab.com/oauth/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=****&state=1599045135410-jFe&scope=openid%20profile%20email&nonce=1599046102647-dv4
  • Use the code sent back to the callback URL to request the OAuth token (example request below; the Authorization header is double-quoted so the shell actually expands the command substitution, and the base64 output is stripped of newlines so a long CLIENT_ID:CLIENT_SECRET pair is not line-wrapped)
    curl -Ss -X POST \
    https://gitlab.com/oauth/token \
    -H "Authorization: Basic $(printf '%s' 'CLIENT_ID:CLIENT_SECRET' | base64 | tr -d '\n')" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=authorization_code&redirect_uri=****&code=****'

What is the current bug behavior?

The public key needed to verify the id_token is not present in the keys discovery endpoint response (https://gitlab.com/oauth/discovery/keys): the kid in the id_token header matches none of the kid values published there, so token verification fails.

What is the expected correct behavior?

The keys discovery endpoint response contains a key whose kid matches the kid in the id_token header, so the token signature can be verified.

Relevant logs and/or screenshots

This is the KID found inside the id_token:

[screenshot: Returned KID]

This is the keys discovery endpoint response.

// 20230404151136
// https://gitlab.com/oauth/discovery/keys
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
      "e": "AQAB",
      "n": "5RyvCSgBoOGNE03CMcJ9Bzo1JDvsU8XgddvRuJtdJAIq5zJ8fiUEGCnMfAZI4of36YXBuBalIycqkgxrRkSOENRUCWN45bf8xsQCcQ8zZxozu0St4w5S-aC7N7UTTarPZTp4BZH8ttUm-VnK4aEdMx9L3Izo0hxaJ135undTuA6gQpK-0nVsm6tRVq4akDe3OhC-7b2h6z7GWJX1SD4sAD3iaq4LZa8y1mvBBz6AIM9co8R-vU1_CduxKQc3KxCnqKALbEKXm0mTGsXha9aNv3pLNRNs_J-cCjBpb1EXAe_7qOURTiIHdv8_sdjcFTJ0OTeLWywuSf7mD0Wpx2LKcD6ImENbyq5IBuR1e2ghnh5Y9H33cuQ0FRni8ikq5W3xP3HSMfwlayhIAJN_WnmbhENRU-m2_hDPiD9JYF2CrQneLkE3kcazSdtarPbg9ZDiydHbKWCV-X7HxxIKEr9N7P1V5HKatF4ZUrG60e3eBnRyccPwmT66i9NYyrcy1_ZNN8D1DY8xh9kflUDy4dSYu4R7AEWxNJWQQov525v0MjD5FNAS03rpk4SuW3Mt7IP73m-_BpmIhW3LZsnmfd8xHRjf0M9veyJD0--ETGmh8t3_CXh3I3R9IbcSEntUl_2lCvc_6B-m8W-t2nZr4wvOq9-iaTQXAn1Au6EaOYWvDRE",
      "use": "sig",
      "alg": "RS256"
    },
    {
      "kty": "RSA",
      "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
      "e": "AQAB",
      "n": "4cxDjTcJRJFID6UCgepPV45T1XDz_cLXSPgMur00WXB4jJrR9bfnZDx6dWqwps2dCw-lD3Fccj2oItwdRQ99In61l48MgiJaITf5JK2c63halNYiNo22_cyBG__nCkDZTZwEfGdfPRXSOWMg1E0pgGc1PoqwOdHZrQVqTcP3vWJt8bDQSOuoZBHSwVzDSjHPY6LmJMEO42H27t3ZkcYtS5crU8j2Yf-UH5U6rrSEyMdrCpc9IXe9WCmWjz5yOQa0r3U7M5OPEKD1-8wuP6_dPw0DyNO_Ei7UerVtsx5XSTd-Z5ujeB3PFVeAdtGxJ23oRNCq2MCOZBa58EGeRDLR7Q",
      "use": "sig",
      "alg": "RS256"
    }
  ]
}
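The check that fails in this report is the kid lookup: the verifier reads the id_token header, looks for a signing key with the same kid in the JWKS above, and only then verifies the RS256 signature. The following is an added example (not code from the report or from GitLab) that performs that lookup against the discovery response shown above, rejects tokens whose alg is not RS256, and distinguishes the reported failure (kid absent from the published JWKS) from a stale local key cache by re-fetching once. The JWKS is copied from the response above; the token kid `kid-seen-in-id-token-placeholder`, the helper names and the offline token builder are assumptions, since the real kid is only visible in the screenshot.

```python
from __future__ import annotations

import base64
import json
from typing import Callable

# Constructed sample: the two keys the report shows in the
# https://gitlab.com/oauth/discovery/keys response, copied from the report.
SAMPLE_JWKS = {
    "keys": [
        {
            "kty": "RSA", "use": "sig", "alg": "RS256", "e": "AQAB",
            "kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
            "n": "5RyvCSgBoOGNE03CMcJ9Bzo1JDvsU8XgddvRuJtdJAIq5zJ8fiUEGCnMfAZI4of36YXBuBalIycqkgxrRkSOENRUCWN45bf8xsQCcQ8zZxozu0St4w5S-aC7N7UTTarPZTp4BZH8ttUm-VnK4aEdMx9L3Izo0hxaJ135undTuA6gQpK-0nVsm6tRVq4akDe3OhC-7b2h6z7GWJX1SD4sAD3iaq4LZa8y1mvBBz6AIM9co8R-vU1_CduxKQc3KxCnqKALbEKXm0mTGsXha9aNv3pLNRNs_J-cCjBpb1EXAe_7qOURTiIHdv8_sdjcFTJ0OTeLWywuSf7mD0Wpx2LKcD6ImENbyq5IBuR1e2ghnh5Y9H33cuQ0FRni8ikq5W3xP3HSMfwlayhIAJN_WnmbhENRU-m2_hDPiD9JYF2CrQneLkE3kcazSdtarPbg9ZDiydHbKWCV-X7HxxIKEr9N7P1V5HKatF4ZUrG60e3eBnRyccPwmT66i9NYyrcy1_ZNN8D1DY8xh9kflUDy4dSYu4R7AEWxNJWQQov525v0MjD5FNAS03rpk4SuW3Mt7IP73m-_BpmIhW3LZsnmfd8xHRjf0M9veyJD0--ETGmh8t3_CXh3I3R9IbcSEntUl_2lCvc_6B-m8W-t2nZr4wvOq9-iaTQXAn1Au6EaOYWvDRE",
        },
        {
            "kty": "RSA", "use": "sig", "alg": "RS256", "e": "AQAB",
            "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
            "n": "4cxDjTcJRJFID6UCgepPV45T1XDz_cLXSPgMur00WXB4jJrR9bfnZDx6dWqwps2dCw-lD3Fccj2oItwdRQ99In61l48MgiJaITf5JK2c63halNYiNo22_cyBG__nCkDZTZwEfGdfPRXSOWMg1E0pgGc1PoqwOdHZrQVqTcP3vWJt8bDQSOuoZBHSwVzDSjHPY6LmJMEO42H27t3ZkcYtS5crU8j2Yf-UH5U6rrSEyMdrCpc9IXe9WCmWjz5yOQa0r3U7M5OPEKD1-8wuP6_dPw0DyNO_Ei7UerVtsx5XSTd-Z5ujeB3PFVeAdtGxJ23oRNCq2MCOZBa58EGeRDLR7Q",
        },
    ]
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding JWT segments and JWK members use."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_header(id_token: str) -> dict:
    """Parse the JOSE header of a compact JWS. Nothing in it is trusted yet."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a JWS compact serialisation (expected 3 segments)")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def jwk_to_rsa_numbers(jwk: dict) -> tuple[int, int]:
    """Convert an RSA JWK's base64url 'n' and 'e' members to integers (RFC 7518 6.3)."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def select_key(id_token: str, jwks: dict, allowed_algs=("RS256",)) -> tuple[str, dict | None]:
    """Pick the JWKS entry the token header points at. Returns (status, jwk) where status is
    'ok', 'unsupported_alg' (alg is pinned by the verifier, never taken from the token),
    'kid_missing', or 'kid_not_in_jwks' (the failure mode in this report)."""
    header = jwt_header(id_token)
    if header.get("alg") not in allowed_algs:
        return "unsupported_alg", None
    kid = header.get("kid")
    if not isinstance(kid, str) or not kid:
        return "kid_missing", None
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig":
            return "ok", jwk
    return "kid_not_in_jwks", None


def select_key_with_refresh(id_token: str, fetch_jwks: Callable[[], dict]) -> tuple[str, dict | None]:
    """Rotation-aware lookup: on a kid miss, re-fetch the JWKS once before giving up.
    A stale cache recovers on the second fetch; the bug reported here does not, because
    the provider never publishes the key."""
    status, jwk = select_key(id_token, fetch_jwks())
    if status == "kid_not_in_jwks":
        status, jwk = select_key(id_token, fetch_jwks())
    return status, jwk


def make_test_token(header: dict, claims: dict) -> str:
    """Offline test helper (assumed, not a real token): the third segment is a constant
    placeholder, not a signature, so it can only exercise key selection."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-not-a-signature"),
    ])


if __name__ == "__main__":
    # Scenario from the report: the id_token names a kid (placeholder here) that the JWKS lacks.
    tok = make_test_token({"alg": "RS256", "typ": "JWT", "kid": "kid-seen-in-id-token-placeholder"},
                          {"iss": "https://gitlab.com", "sub": "1"})
    print(select_key(tok, SAMPLE_JWKS)[0])  # kid_not_in_jwks
    for jwk in SAMPLE_JWKS["keys"]:
        n, e = jwk_to_rsa_numbers(jwk)
        print(jwk["kid"], n.bit_length(), "bit modulus, e =", e)
```

Once `select_key` returns `ok`, the `n` and `e` integers feed the RSA public key that a JOSE library uses to verify the RS256 signature over `header.payload`; a library that reports "key not found" rather than "bad signature" is the quickest way to tell this provider-side defect apart from a tampered token, and the one-shot refresh in `select_key_with_refresh` is what keeps ordinary key rotation from being misreported as this bug.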