NoMatchingKeys when there is clearly a matching key #152
Comments
It sounds like Google is rotating their signing keys regularly, and this crate's There's a relevant discussion in #25. My recommendation is to instantiate a new I see there's an Until then, you should be able to pass your own custom HTTP client to
Thank you so much for the insight. That makes sense, and it really looks like Google creates a new key every week, and older keys expire in two weeks. Or at least that's the theory. I'll keep an eye on them.
The situation I have is extremely weird, and has been haunting me for a few months at this point.

I use `openidconnect` to authenticate my users through Google. When the server starts, `CoreProviderMetadata::discover_async` is called, it downloads everything needed, and then the `CoreClient` is created using that. It is then stored immutably.

In my application the ID token is checked on the backend. This is mainly for compatibility reasons. All goes well for a while, but after some time passes (around a week), many users start to receive errors when trying to log in with Google. Looking at the logs, the error is `SignatureVerification(NoMatchingKey)`. After I restart the server, the error goes away for everyone who had it.

So, I used `tcpdump` to record the login requests before and after the restart. What I found is that they are absolutely, byte-for-byte, identical, including the ID token. I also decoded them and checked the `kid` with the ones found on Google's `jwks_url`, and they match.

Here's a sample token (I replaced the data with `{}`):

Why does this happen? Does the JWK set expire after some time? Please help.
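The failure discussed in this issue is a key set fetched once at startup that goes stale when the provider rotates its signing keys. The sketch below is an added example, not code from the `openidconnect` crate or from anyone in this thread: a cache that refetches the key set when a token names an unknown `kid`, with a minimum interval between fetches so that tokens carrying made-up `kid` values cannot trigger an outbound request each time. `JwksCache`, `key_for`, `demo`, the key names and the 60-second interval are all hypothetical, and the fetch closure stands in for the HTTP request.

```rust
use std::cell::RefCell;
use std::collections::HashMap;
use std::rc::Rc;
use std::time::{Duration, Instant};

type Keys = HashMap<String, Vec<u8>>; // kid -> key material (stand-in for a parsed JWK)
/// Hypothetical key-set cache; `fetch` stands in for an HTTP GET of the provider's JWKS URL.
pub struct JwksCache<F: FnMut() -> Keys> {
    fetch: F,
    keys: Keys,
    last_fetch: Option<Instant>,
    min_interval: Duration, // floor between refetches, so unknown kids cannot force a fetch per request
    pub fetches: u32,
}

impl<F: FnMut() -> Keys> JwksCache<F> {
    pub fn new(fetch: F, min_interval: Duration) -> Self {
        Self { fetch, keys: Keys::new(), last_fetch: None, min_interval, fetches: 0 }
    }

    /// Return the key for `kid`; on a miss, refetch the set unless it was fetched too recently.
    pub fn key_for(&mut self, kid: &str, now: Instant) -> Option<Vec<u8>> {
        if let Some(key) = self.keys.get(kid) {
            return Some(key.clone());
        }
        let may_fetch = self.last_fetch.map_or(true, |t| now.duration_since(t) >= self.min_interval);
        if may_fetch {
            self.keys = (self.fetch)();
            self.last_fetch = Some(now);
            self.fetches += 1;
        }
        self.keys.get(kid).cloned()
    }
}

/// Constructed scenario: the provider publishes "key-a", then rotates to "key-b".
pub fn demo() -> (bool, bool, bool, u32) {
    let published = Rc::new(RefCell::new(Keys::from([("key-a".to_string(), vec![1u8])])));
    let provider = Rc::clone(&published);
    let mut cache = JwksCache::new(move || provider.borrow().clone(), Duration::from_secs(60));
    let t0 = Instant::now();
    let at_startup = cache.key_for("key-a", t0).is_some(); // initial fetch
    *published.borrow_mut() = Keys::from([("key-b".to_string(), vec![2u8])]); // rotation
    let unknown = cache.key_for("no-such-kid", t0 + Duration::from_secs(10)).is_some(); // throttled
    let after_rotation = cache.key_for("key-b", t0 + Duration::from_secs(3600)).is_some(); // refetch
    (at_startup, unknown, after_rotation, cache.fetches)
}

fn main() { println!("{:?}", demo()); }
```

A cache without the miss-triggered refetch would return `None` for `key-b` until the process restarts, which is the behaviour reported above.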