Failed to verify id token signature

What happened?

I’m trying to integrate pomerium with miniorange as my IdP solution (https://www.miniorange.com/) using OpenID Connect.
I’m able to log in to miniorange, and I’m redirected back to pomerium, but upon redirection I get the following error:

What’s your environment like?

  • pomerium/pomerium:latest
    (pomerium: 0.16.0-1640214477+45a348de
    envoy: 1.19.1+c5ecc1e167273edac76f6c07f980ed5a728f4b7e077679d74cfbc59c087933e5)

What’s your config.yaml?

authenticate_service_url: https://authenticate.xxxx.dev

certificate_file: /pomerium/cert.pem
certificate_key_file: /pomerium/privkey.pem
pomerium_debug: true
tls_skip_verify: true

idp_provider: oidc
idp_provider_url: http://identityprovider.xxx.dev
idp_client_id: xxxxxxx
idp_client_secret: xxxxxxx
cookie_secret: xxxxxxxxx
routes:
  - from: https://verify.xxxx.dev
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
    pass_identity_headers: true

docker-compose.yml:

version: "3"
services:
  pomerium:
    image: pomerium/pomerium:latest
    volumes:
      - ./_wildcard.xxx.dev.pem:/pomerium/cert.pem:ro
      - ./_wildcard.xxx.dev-key.pem:/pomerium/privkey.pem:ro
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  verify:
    image: pomerium/verify:latest
    expose:
      - 8080

What did you see in the logs?

pomerium_1  | 5:51PM INF http-request authority=authenticate.xxxx.dev duration=1.379121 forwarded-for=x.x.x.x method=GET path=/.pomerium/sign_in referer= request-id=67551413-7842-4ceb-a7a8-922adf7d78c9 response-code=302 response-code-details=via_upstream service=envoy size=801 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:51PM INF http-request authority=authenticate.xxxx.dev duration=29.270744 forwarded-for=x.x.x.x method=GET path=/oauth2/callback referer= request-id=f9d75864-1741-4873-aeb7-5fe46db74047 response-code=500 response-code-details=via_upstream service=envoy size=11490 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:51PM INF authorize check allow=false allow-why-false=["non-pomerium-route","user-unauthenticated"] check-request-id=bb53fcb5-7458-4e8b-9872-876c6c377bb9 databroker_record_version=4 databroker_server_version=4276235024113713087 deny=false deny-why-false=["valid-client-certificate-or-none-required"] email= host=verify.xxx..dev method=GET path=/ query= request-id=5d57e67f-09b0-4a21-a130-42a106705848 service=authorize user=
pomerium_1  | 5:51PM INF authenticate: session load error error="Bad Request: internal/sessions: session is not found" X-Forwarded-For=["x.x.x.x"] X-Forwarded-Proto=["https"] ip=127.0.0.1 request-id=eac6f8cc-c550-49d5-b62f-b3a431f2b874 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:51PM INF http-request authority=verify.xxx..dev duration=4.791906 forwarded-for=x.x.x.x method=GET path=/ referer= request-id=bb53fcb5-7458-4e8b-9872-876c6c377bb9 response-code=302 response-code-details=ext_authz_denied service=envoy size=11281 upstream-cluster= user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:51PM INF http-request authority=authenticate.xxxx.dev duration=1.050713 forwarded-for=x.x.x.x method=GET path=/.pomerium/sign_in referer= request-id=eac6f8cc-c550-49d5-b62f-b3a431f2b874 response-code=302 response-code-details=via_upstream service=envoy size=801 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:52PM INF http-request authority=authenticate.xxxx.dev duration=24.92803 forwarded-for=x.x.x.x method=GET path=/oauth2/callback referer=identityprovider.xxx.dev/ request-id=18031faf-2c13-4ab0-a928-45b53be5c8fa response-code=500 response-code-details=via_upstream service=envoy size=11490 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:52PM INF http-request authority=authenticate.xxxx.dev duration=83.210135 forwarded-for=x.x.x.x method=GET path=/oauth2/callback referer= request-id=523269d2-e119-41e4-af84-c4f88bc5a8f2 response-code=500 response-code-details=via_upstream service=envoy size=11550 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
pomerium_1  | 5:52PM INF http-request authority=authenticate.xxxx.dev duration=8.6032 forwarded-for=x.x.x.x method=GET path=/oauth2/callback referer= request-id=44aaa8c5-4f55-4d35-9ae2-096031f8703d response-code=500 response-code-details=via_upstream service=envoy size=11550 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"

Additional context


Hi @andremorais! In order to test this issue out, I set up a miniorange account. It took a little bit of configuring, but I was able to make it work, though I never got the error you’re seeing.

Please confirm: For idp_client_id and idp_client_secret, are you using the client ID and secret provided on the “EDIT APPLICATION” page?

Also, I don’t know if it’s different for your setup, but for idp_provider_url, I needed to include /moas at the end of the url.

Hi @alex, thank you for the time that you spent on this.
If I include /moas at the end of the idp_provider_url I get the following error upon the redirection to the IdP.

Are you able to share your config.yaml and which miniorange version are you using?
Thank you!

No problem!

Well, it may be a lateral move, but I’m calling it progress :smile:

I just signed up for the free tier of MiniOrange, so I’m using whatever SaaS version that provides at the xecurify domain.

My (redacted) config is:

idp_provider: "oidc"
idp_client_id: "REDACTED"
idp_client_secret: "REDACTED"
idp_scopes: "openid"
idp_provider_url: "https://login.xecurify.com/moas" 

I’m noticing that I’ve set idp_scopes while you haven’t, so that’s worth looking in to. I got the value of openid by parsing their discovery document for values under the scopes_supported key.

Regarding the moas subdirectory, I got that by looking at the path to the "Discovery Endpoint" for the app. Your path may be different.

Finally, since you didn’t explicitly respond to this point, I still want to confirm that you’re using the ID and secret for the app and not for your admin user:

P.S. I just noticed that you’re exposing the verify app on 8080, but I think that the app currently listens on port 8000. I’ll likely need to adjust docs to match.

Speaking of adjusting docs, based on working on this thread I made a PR to clarify what the value of idp_provider_url should be: DOCS: Clarify base path for idp_provider_url by alexfornuto · Pull Request #2956 · pomerium/pomerium · GitHub
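The two things alex derived by hand above (the idp_provider_url base from the discovery endpoint path, and idp_scopes from scopes_supported) can be checked mechanically, and the same data explains an "id token signature" failure: the token's iss, kid and alg must agree with the discovery document and JWKS that Pomerium fetched from the configured base. The script below is an added example, not part of this thread and not Pomerium's or miniorange's code. The discovery document, JWKS and ID token it uses are constructed inline (the /moas path is taken from the config above; the host login.example.test and the key id are made up), and the function names are my own.

```python
import base64
import json
from urllib.parse import urlsplit

# OpenID Connect discovery lives at this path directly below the issuer base,
# which is the value that belongs in Pomerium's idp_provider_url.
WELL_KNOWN = "/.well-known/openid-configuration"


def provider_url_from_discovery(discovery_url: str) -> str:
    """Derive the idp_provider_url base from the IdP's discovery endpoint URL."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery endpoint URL: " + discovery_url)
    return discovery_url[: -len(WELL_KNOWN)]


def discovery_url(provider_url: str) -> str:
    """The URL a client fetches for a given idp_provider_url base."""
    return provider_url.rstrip("/") + WELL_KNOWN


def check_discovery(provider_url: str, doc: dict) -> list:
    """Return findings for a parsed discovery document against the configured base URL."""
    findings = []
    # OIDC Discovery requires 'issuer' to equal the URL the document was fetched
    # from, minus the well-known path; a mismatch breaks issuer and token checks.
    if doc.get("issuer") != provider_url.rstrip("/"):
        findings.append("issuer mismatch: configured %r, document says %r"
                        % (provider_url, doc.get("issuer")))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            findings.append("missing " + key)
        elif urlsplit(url).scheme != "https":
            findings.append("%s is not https: %s" % (key, url))
    if "openid" not in doc.get("scopes_supported", []):
        findings.append("scopes_supported does not advertise 'openid'")
    return findings


def suggested_idp_scopes(doc: dict) -> str:
    """Build an idp_scopes value: 'openid' plus email/profile if the IdP advertises them."""
    supported = doc.get("scopes_supported", [])
    return " ".join(["openid"] + [s for s in ("email", "profile") if s in supported])


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def inspect_id_token(token: str, doc: dict, jwks: dict) -> list:
    """Explain why signature verification of an ID token would fail.

    Only reads the unverified header and claims and never trusts them; it checks
    the three things a verifier needs to agree on: issuer, key id and algorithm.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    findings = []
    if claims.get("iss") != doc.get("issuer"):
        findings.append("token iss %r != discovery issuer %r" % (claims.get("iss"), doc.get("issuer")))
    kids = sorted(k["kid"] for k in jwks.get("keys", []) if "kid" in k)
    if header.get("kid") not in kids:
        findings.append("token kid %r not in JWKS kids %r" % (header.get("kid"), kids))
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and header.get("alg") not in algs:
        findings.append("token alg %r not in %r" % (header.get("alg"), algs))
    return findings


def build_sample_token(iss: str, kid: str, alg: str = "RS256") -> str:
    """Constructed ID token with a placeholder signature, for offline diagnosis only."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    claims = {"iss": iss, "sub": "user-1", "aud": "client-id", "email": "user@example.com"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder-signature"])


# Constructed sample discovery document and JWKS (not a real IdP's output).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.test/moas",
    "authorization_endpoint": "https://login.example.test/moas/authorize",
    "token_endpoint": "https://login.example.test/moas/token",
    "jwks_uri": "https://login.example.test/moas/jwks",
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-2021", "n": "placeholder-modulus", "e": "AQAB"}]}

if __name__ == "__main__":
    base = provider_url_from_discovery("https://login.example.test/moas" + WELL_KNOWN)
    print("idp_provider_url:", base)
    print("idp_scopes:", suggested_idp_scopes(SAMPLE_DISCOVERY))
    print("discovery findings:", check_discovery("https://login.example.test", SAMPLE_DISCOVERY))
    token = build_sample_token("https://login.example.test", "old-key")
    print("token findings:", inspect_id_token(token, SAMPLE_DISCOVERY, SAMPLE_JWKS))
```

In practice you would replace the constructed documents with the JSON fetched from discovery_url(idp_provider_url) and from its jwks_uri, fetched from the host Pomerium runs on so that reachability is tested from the same network position. A finding from check_discovery (for example an issuer that does not match the base URL you configured, as happens when /moas is missing) or from inspect_id_token (a kid absent from the JWKS after a key rotation, or a token issued by a different base URL) is the usual reason an otherwise successful login ends in a 500 on /oauth2/callback.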

Yes, I’m using the client id and client secret from the app.
Interesting, if I use the SaaS version it works, at least I’m successfully redirected to the verify app, although I get this banner, an improvement though.

Before, I was using their docker-image, which will probably be our setup, I wonder if the previous error is an issue on miniorange’s side.

Thank you!

That makes me think it’s an issue with the identity_provider_url and/or access to the self-hosted IdP. I’d check the path to the discovery endpoint on the hosted source, and also confirm that Pomerium can access it from its FQDN.

That banner means that the certificate being served by the authenticate service isn’t trusted. This could be because you’re using self-signed or staging certificates, or because the verify app isn’t accessing the Authenticate service from the FQDN the cert is for. Either way I agree, it’s a major improvement!