OIDC Login ends in 401 (token signature is invalid)

Hi,

I’ve set up OIDC with MS Entra.
Now, if I try to log in with SSO, the webapp redirects me after successful Entra authentication back to the login screen.

In the logs, I can find the following line:

{
  "time":"2024-09-12T12:06:10.030208059Z",
  "id":"3dc6fcb6ec5462f936581f6700ef5f35",
  "remote_ip":"<REMOTE_IP>",
  "host":"<EVEREST_HOSTNAME>",
  "method":"GET",
  "uri":"/v1/version",
  "user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
  "status":401,
  "error":"code=401, message=invalid or expired jwt, internal=token signature is invalid: crypto/rsa: verification error",
  "latency":824298,
  "latency_human":"824.298µs",
  "bytes_in":0,"bytes_out":37
}

Application-ID and issuer-url seem to be correct, where issuer-url is configured as https://login.microsoftonline.com/<tenantid>/v2.0.

Can someone give me a hint as to what I am doing wrong?

Greetings,

Balu

Hi @balu, can you please share the full logs of the percona-everest pod?

I’m trying to understand if there are any errors when Everest tries to get the JWKs from your provider which probably live under https://login.microsoftonline.com/<tenantid>/discovery/v2.0/keys.


Hi @Diogo_Recharte

thanks for your fast reply,

here is the complete log of a single login (that’s what you requested?):


@balu I was able to replicate this and it looks like a bug in Everest. I’ll continue the investigation and keep you posted.

oh, interesting.

OK, thank you 🙂

@balu I’m reaching out just to let you know that the fix to this bug will be part of the upcoming v1.2.0 release.

Hi @Diogo_Recharte,

this sounds great.

Do you have a rough estimate when 1.2.0 will be available?

Greetings, balu

@balu We’re planning to release it next week.

@Diogo_Recharte I can confirm that this is working with 1.2.0.

thanks