OAuth login: 'validate id_token' fails after the crypto-provider fix (next layer of #60) #61

Closed
opened 2026-06-08 17:14:39 +00:00 by mik-tf · 0 comments

With the jsonwebtoken aws_lc_rs fix (#60) deployed, OAuth login no longer panics and now progresses through the code exchange to id_token validation, which fails: proxy logs '[ERROR] OAuth code exchange failed: validate id_token' and the browser shows 'OAuth exchange failed: validate id_token'.

The proxy validates the id_token signature against the provider jwks_uri, fetched via OIDC discovery of issuer/.well-known/openid-configuration (oauth.rs validate_id_token, gated on a non-empty provider.jwks_uri). Most likely the seeded OAuth provider is missing the forge issuer / jwks_uri, so the proxy cannot get forge's signing key to verify the RS256 id_token; other candidates are the JWKS fetch failing or an iss/aud/nonce mismatch.

Two asks: add the specific validation reason to the log (signature vs issuer vs audience vs nonce vs expiry) instead of the generic message, and verify the deployer's oauth.set_provider seed includes the issuer so OIDC discovery resolves the jwks_uri. Reproduced on flowtest8 (hero_proxy main 66b9b44).

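The validation chain the issue describes (empty jwks_uri gate, signature, then iss/aud/nonce/exp) with a distinct error per check, as an added example that is not hero_proxy's oauth.rs code. RS256 verification against the JWKS is modelled by a boolean the caller supplies; `Provider`, `IdTokenClaims`, `validate_id_token`'s signature, `discovery_url` and `log_line` are assumed names, not the project's API. It also covers the second ask: `discovery_url` shows how a seeded issuer with a trailing slash would build a wrong discovery URL and, since `iss` must match the configured issuer exactly, fail the issuer check.

```rust
// Added example, not hero_proxy code: id_token validation that returns the
// specific failing check so the proxy log can say more than "validate id_token".
// Signature verification against the JWKS is modelled by a caller-supplied bool;
// every type and function name here is an assumption, not the project's API.
use std::fmt;

/// One variant per check, so the caller can log exactly which check failed.
#[derive(Debug, Clone, PartialEq)]
pub enum IdTokenError {
    /// provider.jwks_uri is empty: discovery never resolved it, so no signing
    /// key can be fetched at all (the seeding problem suspected in the report).
    MissingJwksUri,
    Signature,
    Issuer { expected: String, got: String },
    Audience { expected: String, got: Vec<String> },
    Nonce { expected: String, got: Option<String> },
    Expired { exp: u64, now: u64 },
}

impl fmt::Display for IdTokenError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            IdTokenError::MissingJwksUri => write!(f, "provider has no jwks_uri (issuer missing or discovery not run)"),
            IdTokenError::Signature => write!(f, "signature does not verify against any JWKS key"),
            IdTokenError::Issuer { expected, got } => write!(f, "issuer mismatch: expected {expected:?}, got {got:?}"),
            IdTokenError::Audience { expected, got } => write!(f, "audience mismatch: expected {expected:?}, got {got:?}"),
            IdTokenError::Nonce { expected, got } => write!(f, "nonce mismatch: expected {expected:?}, got {got:?}"),
            IdTokenError::Expired { exp, now } => write!(f, "token expired: exp={exp}, now={now}"),
        }
    }
}

/// Provider record as seeded via oauth.set_provider (assumed shape).
#[derive(Debug, Clone)]
pub struct Provider {
    pub issuer: String,
    pub client_id: String,
    pub jwks_uri: String,
}

/// Claims decoded from the id_token payload (assumed shape).
#[derive(Debug, Clone)]
pub struct IdTokenClaims {
    pub iss: String,
    pub aud: Vec<String>,
    pub nonce: Option<String>,
    pub exp: u64,
}

/// Discovery document location: issuer + "/.well-known/openid-configuration".
/// A trailing slash on the seeded issuer would otherwise yield "//.well-known".
pub fn discovery_url(issuer: &str) -> String {
    format!("{}/.well-known/openid-configuration", issuer.trim_end_matches('/'))
}

/// Run the checks in debugging order and stop at the first failure.
/// `signature_ok` is the caller's RS256 result against the JWKS. `iss` must
/// equal the configured issuer byte-for-byte (OIDC Core 3.1.3.7), so a seed
/// that differs only by a trailing slash fails here, not at the signature step.
pub fn validate_id_token(
    provider: &Provider,
    claims: &IdTokenClaims,
    signature_ok: bool,
    expected_nonce: &str,
    now: u64,
    leeway: u64,
) -> Result<(), IdTokenError> {
    if provider.jwks_uri.is_empty() {
        return Err(IdTokenError::MissingJwksUri);
    }
    if !signature_ok {
        return Err(IdTokenError::Signature);
    }
    if claims.iss != provider.issuer {
        return Err(IdTokenError::Issuer { expected: provider.issuer.clone(), got: claims.iss.clone() });
    }
    if !claims.aud.iter().any(|a| a == &provider.client_id) {
        return Err(IdTokenError::Audience { expected: provider.client_id.clone(), got: claims.aud.clone() });
    }
    if claims.nonce.as_deref() != Some(expected_nonce) {
        return Err(IdTokenError::Nonce { expected: expected_nonce.to_string(), got: claims.nonce.clone() });
    }
    // exp is exclusive: the current time must be strictly before exp (+ leeway).
    if now >= claims.exp + leeway {
        return Err(IdTokenError::Expired { exp: claims.exp, now });
    }
    Ok(())
}

/// The existing log message with the specific reason appended.
pub fn log_line(err: &IdTokenError) -> String {
    format!("[ERROR] OAuth code exchange failed: validate id_token: {err}")
}

fn main() {
    // Constructed sample: a seed that omitted the issuer, so jwks_uri stayed empty.
    let unseeded = Provider { issuer: String::new(), client_id: "hero_proxy".into(), jwks_uri: String::new() };
    let claims = IdTokenClaims { iss: "https://forge.example".into(), aud: vec!["hero_proxy".into()], nonce: Some("n1".into()), exp: 2_000 };
    if let Err(e) = validate_id_token(&unseeded, &claims, true, "n1", 1_000, 0) {
        println!("{}", log_line(&e));
    }
    println!("{}", discovery_url("https://forge.example/"));
}
```

The order matters for the log: checking jwks_uri before anything else turns the suspected seeding bug into an unambiguous "provider has no jwks_uri" line, and checking iss before aud/nonce means a trailing-slash issuer in the seed is reported as an issuer mismatch rather than surfacing later as a confusing audience or nonce failure.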
Reference
lhumina_code/hero_proxy#61