Problem with generic OIDC IDP configuration

Hello
I have an issue with fence configuration using our company's internal IDP. I did a setup using the generic_oidc_idp template but I think there's a problem with the token returned from our IDP:

[2023-07-25 13:59:36,306][     fence][  ERROR] Can't get user info from pingfed: Incorrect key type.  Expected: 'RSA', Recieved: EC
Traceback (most recent call last):
  File "/fence/fence/resources/openid/idp_oauth2.py", line 167, in get_user_id
    claims = self.get_jwt_claims_identity(token_endpoint, jwks_endpoint, code)
  File "/fence/fence/resources/openid/idp_oauth2.py", line 82, in get_jwt_claims_identity
    return jwt.decode(
  File "/usr/local/lib/python3.9/site-packages/jose/jwt.py", line 134, in decode
    payload = jws.verify(token, key, algorithms, verify=verify_signature)
  File "/usr/local/lib/python3.9/site-packages/jose/jws.py", line 75, in verify
    _verify_signature(signing_input, header, signature, key, algorithms)
  File "/usr/local/lib/python3.9/site-packages/jose/jws.py", line 262, in _verify_signature
    if not _sig_matches_keys(keys, signing_input, signature, alg):
  File "/usr/local/lib/python3.9/site-packages/jose/jws.py", line 210, in _sig_matches_keys
    key = jwk.construct(key, alg)
  File "/usr/local/lib/python3.9/site-packages/jose/jwk.py", line 61, in construct
    return key_class(key_data, algorithm)
  File "/usr/local/lib/python3.9/site-packages/jose/backends/pycrypto_backend.py", line 57, in __init__
    self._process_jwk(key)
  File "/usr/local/lib/python3.9/site-packages/jose/backends/pycrypto_backend.py", line 81, in _process_jwk
    raise JWKError("Incorrect key type.  Expected: 'RSA', Recieved: %s" % jwk_dict.get('kty'))
jose.exceptions.JWKError: Incorrect key type.  Expected: 'RSA', Recieved: EC

If I understand that error correctly, it is because our IDP returned a JWT signed with an algorithm different from RSA, but I don't understand why and don't see any way of influencing that through configuration.
What's strange is when I do the authorization flow manually (using Postman or curl) I receive JWTs with "alg": "RS256" by default without any extra parameters needed.

I already found out that JWT decoding code in fence has hardcoded usage of the "RS256" algorithm so I definitely can't change that through configuration:

Are my assumptions correct? Any advice on how to manage that issue?

I did some debugging and I can confirm that the id_token the app receives is using RS256.
I decoded it and it also has "alg": "RS256" like every other token we generate.
No idea why jose is throwing this error.

I found the issue, it is about JWKS, not JWT. Our IDP uses multiple algorithms in its keys and python-jose has a bug - it does not ignore keys with mismatched algorithms:

Hi, Andrew!

Thanks for reaching out about this problem, and thanks very much for sharing the additional information as you continued to troubleshoot!

It sounds like you identified the source of the problem before we got to you. Is there anything else you need from us?

Also -- I want to be sure you know about our Slack channel that's available for the Gen3 community. You can sign up to join this community Slack channel by completing this form: Sign up to join our Gen3-Community on Slack! It's a great place to ask questions of other Gen3 users applying the platform in many different contexts. We hope to see you there!

-- Sara

Hi Sara,

Yes, I think I can fix that problem myself which I just confirmed on the Slack channel.
The plan is to filter out undesired keys, keeping only those with kty == RSA as per RFC 7518, and to add a configuration field to change that behavior if needed.

I will update this topic when it is done.

1 Like
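The key-filtering approach described in the last post, and the JWKS/key-type mismatch identified earlier in the thread, as an added Python example. This is not code from the thread, from fence, or from python-jose; it only uses the standard library. The JWKS, the token header, and the function names (`filter_jwks_for_alg`, `select_verification_keys`) are constructed for illustration. It reproduces the failure mode from the traceback (an EC key listed first in a JWKS that is fed to an RS256 verifier) and shows the fix: narrow the key set to the key type that RFC 7518 requires for the algorithm, then to `kid` when the token header carries one, before handing keys to the JWT library.

```python
"""Filter a JWKS down to keys usable for a given JWS algorithm (RFC 7518)."""
import base64
import json

# RFC 7518, sections 3.3-3.5: JWS "alg" -> required JWK "kty".
ALG_TO_KTY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
}


def filter_jwks_for_alg(jwks, alg):
    """Return a JWKS containing only keys that can verify signatures made with `alg`.

    Keys are dropped when their "kty" does not match the algorithm family,
    when they are marked for encryption ("use": "enc"), or when they carry an
    explicit "alg" that differs from the one requested.
    """
    kty = ALG_TO_KTY.get(alg)
    if kty is None:
        raise ValueError(f"unsupported JWS algorithm {alg!r}")
    keep = []
    for key in jwks.get("keys", []):
        if key.get("kty") != kty:
            continue                      # e.g. the EC key that broke the RS256 path
        if key.get("use") not in (None, "sig"):
            continue                      # encryption-only keys never verify a JWS
        if key.get("alg") not in (None, alg):
            continue                      # key pinned to another algorithm
        keep.append(key)
    return {"keys": keep}


def _b64url_decode_json(segment):
    # JWS segments are base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def _b64url_encode_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def select_verification_keys(token, jwks, expected_alg="RS256"):
    """Pick the JWKS keys a verifier should try for `token`.

    The "alg" is taken from the verifier's configuration, not from the token
    header, so a token cannot steer the choice of key type; the header only
    contributes "kid". Raises LookupError when no suitable key remains.
    """
    header = _b64url_decode_json(token.split(".")[0])
    if header.get("alg") != expected_alg:
        raise ValueError(f"token alg {header.get('alg')!r} != expected {expected_alg!r}")
    candidates = filter_jwks_for_alg(jwks, expected_alg)["keys"]
    kid = header.get("kid")
    if kid is not None:
        candidates = [k for k in candidates if k.get("kid") == kid]
    if not candidates:
        raise LookupError(f"no {expected_alg} key in JWKS for kid={kid!r}")
    return candidates


# Constructed JWKS mirroring the thread: an EC key is listed before the RSA key,
# plus an RSA key reserved for encryption. Key material is placeholder data.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "EC", "kid": "ec-1", "crv": "P-256", "use": "sig", "alg": "ES256",
         "x": "placeholder-x", "y": "placeholder-y"},
        {"kty": "RSA", "kid": "rsa-sig-1", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-enc-1", "use": "enc",
         "n": "placeholder-modulus-2", "e": "AQAB"},
    ]
}

# Constructed token: only the header matters here; payload and signature are stubs.
SAMPLE_TOKEN = ".".join([
    _b64url_encode_json({"alg": "RS256", "kid": "rsa-sig-1", "typ": "JWT"}),
    _b64url_encode_json({"sub": "user@example.invalid"}),
    "placeholder-signature",
])


if __name__ == "__main__":
    print([k["kid"] for k in filter_jwks_for_alg(SAMPLE_JWKS, "RS256")["keys"]])
    print([k["kid"] for k in select_verification_keys(SAMPLE_TOKEN, SAMPLE_JWKS)])
```

The filtered JWKS is what you would pass to the library in place of the raw document; a verifier that receives only RSA keys for an RS256 token never reaches the `Incorrect key type` path, and the configured algorithm (rather than the token's own header) decides which key family is acceptable.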