Demo fails with "Unable to fetch public keys" #82

Open
EionRobb opened this issue Jun 24, 2024 · 2 comments

EionRobb commented Jun 24, 2024

Running the demo to call a token issuance is failing with "Unable to fetch public keys".

It looks like JwtValidator.resolvePublicKeyJwks() is connecting to https://discover.did.msidentity.com/v1.0/identifiers/did:web:verifiedid.entra.microsoft.com:07b12f07-657f-4ebe-ac84-cee558d49c71:ef3b2d34-d94d-1c95-71d9-66a073b46237 to download the public keys, but the endpoint doesn't accept discovery using that; it returns "discovery_service.web_method_path_not_supported".

The demo JWT issued from the Entra issue API that's failing is

eyJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp3ZWI6dmVyaWZpZWRpZC5lbnRyYS5taWNyb3NvZnQuY29tOjA3YjEyZjA3LTY1N2YtNGViZS1hYzg0LWNlZTU1OGQ0OWM3MTplZjNiMmQzNC1kOTRkLTFjOTUtNzFkOS02NmEwNzNiNDYyMzcjYWM1NzhiNjRhMzNiNDI1NTk5YmQ2MTZhNDJlZTM4MzBtYW5hZ2Vkc2lncDI1NiIsInR5cCI6IkpXVCJ9.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.iyr2AqSBuK0TNGQ7AtzPnTxyXtt-dDoZT6ZZLY4GFAxrKURdtRrP088DO83hW0IRES0xFXBJDWpmCWEDIKAwmw

Edit: just wanted to add that the same JWT/url works ok with Microsoft Authenticator

@EionRobb
Author

I checked to see what URL the MS Authenticator app uses for verification to see if it just needed the resolverUrl updated, and it looks up the same URL, but the endpoint doesn't respond if the user agent header is not User-Agent: Microsoft-Authenticator/6.2406.4052

Are we expected to host a version of https://discover.did.msidentity.com/v1.0/identifiers/ in order for did:web lookups to work correctly with the wallet library?

@icarboneaq

I'm running into a similar error. Also getting "Unable to fetch public keys", and when I dug into it I got an "Unknown / unsupported curve" error for a key in the DID that wasn't being used. So it looked like the resolver was resolving the DID, but the parser was throwing an error.

In the verification methods part of the DID we have an entry as follows:

{"id":"#key_2","type":"JsonWebKey2020","controller":"did:web:al-brand-aqio-es256-keep.dids.aqvc.me","publicKeyJwk":{"kty":"OKP","crv":"Bls12381G2","x":"ij9VojXzTh5PhojTiatSJZwtL2hRR1UIsKTCYpnL-KS4CcUHJ1Ylj0rQajtuJ-KBD55vM2pJFp-Fb3My5W01NEyMLHYerwo5f5qdmOtfuJtGdB1s-9B2IuleK7PWi4-W"}}

This is causing the parsing error.
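The failure mode in the last comment, as an added example that is not part of the thread or of the wallet library's code: pick only the verification method named by the JWT's `kid`, skip unused keys with unsupported curves, and fail closed only when the signing key itself is unusable. The function names, the `SUPPORTED` set, and the sample DID document and JWT are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: the (kty, crv) pairs this verifier can check signatures for.
SUPPORTED = {("EC", "P-256"), ("EC", "secp256k1"), ("OKP", "Ed25519")}

def jwt_kid(jwt):
    """Read kid from the JWT header; no signature verification happens here."""
    header_b64 = jwt.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["kid"]

def select_jwk(did_document, kid):
    """Return (jwk named by kid, ids of unused keys skipped as unsupported)."""
    did = did_document["id"]
    # kid in the JWT is absolute (did#fragment); method ids may be relative (#fragment).
    wanted = did + kid if kid.startswith("#") else kid
    match, skipped = None, []
    for vm in did_document.get("verificationMethod", []):
        vm_id = vm.get("id", "")
        absolute = did + vm_id if vm_id.startswith("#") else vm_id
        jwk = vm.get("publicKeyJwk") or {}
        usable = (jwk.get("kty"), jwk.get("crv")) in SUPPORTED
        if absolute == wanted:
            if not usable:
                # Fail closed: the key that signed this JWT cannot be checked.
                raise ValueError(f"unsupported key for {vm_id}: {jwk.get('crv')}")
            match = jwk
        elif not usable:
            skipped.append(vm_id)  # unused and unsupported: record it, do not abort
    if match is None:
        raise KeyError(f"no verification method matches kid {kid}")
    return match, skipped

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: placeholder key material, dummy payload and signature.
SAMPLE_DOC = {"id": "did:web:example.com", "verificationMethod": [
    {"id": "#key_1", "type": "JsonWebKey2020",
     "publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": "PLACEHOLDER", "y": "PLACEHOLDER"}},
    {"id": "#key_2", "type": "JsonWebKey2020",
     "publicKeyJwk": {"kty": "OKP", "crv": "Bls12381G2", "x": "PLACEHOLDER"}},
]}
SAMPLE_JWT = _b64({"alg": "ES256", "kid": "did:web:example.com#key_1"}) + ".e30.c2ln"

if __name__ == "__main__":
    print(select_jwk(SAMPLE_DOC, jwt_kid(SAMPLE_JWT)))
```

The returned JWK still has to be handed to a real JOSE library for signature verification; this only covers key selection.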
