
I want to create a JWT for Azure. To convert JSON to an Azure token I am using the jsonwebtoken package. I have created a custom payload and then invoke jsonwebtoken's sign function on this payload. It creates a token, but it is not valid for Azure. Azure token validation throws this error:

No KID specified and JWKS endpoint returned more than 1 key.

In my payload I passed kid, but I don't know how to put the kid into the JWT header.

This is how I create the JWT token:

const jwt = require('jsonwebtoken')


const session = {
  aud: '53ee92fd-4b6b-4ca5-8846-34d60f441e7e',
  iss: 'https://sts.windows.net/a652adc3-7bb3-4312-8eb0-29w9w848/',
  acr: '1',
  aio: 'ASQA2/8TAAAAABdGB29gJ6Sny3+Mkr7+NglS3od1934hdVNuTDNyJhsYFFME=',
  amr: ['pwd'],
  appid: '53e2827w-4b6b-4ca5-8846-34d60f441e7e',
  appidacr: '1',
  family_name: 'doe',
  given_name: 'john',
  ipaddr: '85.76.79.111',
  name: 'admin-test',
  oid: 'a1e9b2c2-efb7-4e85-9918273-10202',
  onprem_sid: 'S-1-5-21-1632691039-112712222-3397904514-192345',
  rh: '0.AQIAw61SprN7EkOOsGqzI_fWzf2SDJDJDJENS.',
  roles: ['admin'],
  scp: 'User.Read',
  sub: 'e-BpFMk9HFzaFKDtJWxWaUyssLD1aglN-MWOAXhkQPZKb0Q',
  tid: 'a652adc3-7bb3-4312-8eb0-6ab323f7aadd6cd',
  unique_name: 'johndoe@gmail.com',
  upn: 'john doe',
  uti: 'OMKuhAZ87ESKAVZrJF1aAA',
  ver: '1.0',
  sgrExternalSitecode: ['209292', '139911'],
  extensionAttribute7: '817272',
  x5t: '91818273-1019181',
  kid: '191818273-1019181' // I am passing kid
}


const accessToken = jwt.sign(session, 'secret', { expiresIn: 60 * 60 })

console.log(accessToken)
Valid Azure token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsIng1dCI6IjJaUXBKM1VwYmpBWVgxODE3MjczIiwia2lkIjoiMlpRcEozVXBiakFZWDE4MTcyNzMifQ.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.Y3x4J18H4robSUAbItMewCR2_ahxDFvi_2yBBv-JRcs"



Invalid token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiI1M2VlOTJmZC00YjZiLTRjYTUtODg0Ni0zNGQ2MGY0NDFlN2UiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9hNjUyYWRjMy03YmIzLTQzMTItOGViMC0yOXc5dzg0OC8iLCJhY3IiOiIxIiwiYWlvIjoiQVNRQTIvOFRBQUFBQUJkR0IyOWdKNlNueTMrTWtyNytOZ2xTM29kMTkzNGhkVk51VEROeUpoc1lGRk1FPSIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiI1M2UyODI3dy00YjZiLTRjYTUtODg0Ni0zNGQ2MGY0NDFlN2UiLCJhcHBpZGFjciI6IjEiLCJmYW1pbHlfbmFtZSI6ImRvZSIsImdpdmVuX25hbWUiOiJqb2huIiwiaXBhZGRyIjoiODUuNzYuNzkuMTExIiwibmFtZSI6ImFkbWluLXRlc3QiLCJvaWQiOiJhMWU5YjJjMi1lZmI3LTRlODUtOTkxODI3My0xMDIwMiIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0xNjMyNjkxMDM5LTExMjcxMjIyMi0zMzk3OTA0NTE0LTE5MjM0NSIsInJoIjoiMC5BUUlBdzYxU3ByTjdFa09Pc0dxeklfZld6ZjJTREpESkRKRU5TLiIsInJvbGVzIjpbImFkbWluIl0sInNjcCI6IlVzZXIuUmVhZCIsInN1YiI6ImUtQnBGTWs5SEZ6YUZLRHRKV3hXYVV5c3NMRDFhZ2xOLU1XT0FYaGtRUFpLYjBRIiwidGlkIjoiYTY1MmFkYzMtN2JiMy00MzEyLThlYjAtNmFiMzIzZjdhYWRkNmNkIiwidW5pcXVlX25hbWUiOiJqb2huZG9lQGdtYWlsLmNvbSIsInVwbiI6ImpvaG4gZG9lIiwidXRpIjoiT01LdWhBWjg3RVNLQVZackpGMWFBQSIsInZlciI6IjEuMCIsInNnckV4dGVybmFsU2l0ZWNvZGUiOlsiMjA5MjkyIiwiMTM5OTExIl0sImV4dGVuc2lvbkF0dHJpYnV0ZTciOiI4MTcyNzIiLCJ4NXQiOiI5MTgxODI3My0xMDE5MTgxIiwia2lkIjoiMTkxODE4MjczLTEwMTkxODEiLCJpYXQiOjE2NTk1MzA2MDUsImV4cCI6MTY1OTUzNDIwNX0.P8cuQFyiSKWOx-Sk8KxciUxYx6bR06yxYTe0AEwRa4c"

1 Answer


The keyId claim kid can be added as an option to the sign function like so:

const kid = "191818273-1019181"
// `keyid` is placed in the JOSE header as `kid`, not in the payload
const accessToken = jwt.sign(session, 'secret', { keyid: kid, expiresIn: 60 * 60 })
  • Thank you very much. It helped but I am getting another error: invalid algorithm – Krisna Aug 03 '22 at 13:29
  • Even though I put `algorithm: 'HS256'` – Krisna Aug 03 '22 at 13:31
  • Maybe the key that is identified by the kid is for a different algorithm. The JWK contains an `alg` value that should match with the `alg` in the JWT header. – jps Aug 03 '22 at 13:39
  • I even tried this way: `header: { alg: 'HS256', kid: '2*****I', x5t: '2***I', },`. But still getting the same error – Krisna Aug 03 '22 at 13:57
  • When I decode from here: https://jwt.io/, it say invalid signature – Krisna Aug 03 '22 at 14:21
  • You have to add the secret in the input field in the right column under Verify Signature – jps Aug 03 '22 at 14:40
  • I am sorry I did not understand, where i should add it? In here jwt.io – Krisna Aug 03 '22 at 14:46
  • see [here](https://stackoverflow.com/questions/69862105/jwt-io-says-signature-verified-even-when-key-is-not-provided/69862239#69862239) – jps Aug 03 '22 at 14:48
  • What you share on codeshare.io is not a valid signature, but a JWK (JSON Web Key), specifically a public key of type RSA (kty means keytype). But you mentioned alg = HS256 in your question and that the first JWT which has indeed HS256 worked fine. But if you have a public key of type RSA you would need RS256 as a signing algorithm and a private RSA key to sign. That's all quite confusing. – jps Aug 03 '22 at 21:41
  • But the original question was "how to add the kid to the header?", which I answered. All other things are follow up questions. You should reread the documentation, sort out things like the alg issue, and try something and then come up with a new specific questions if you're stuck again. – jps Aug 03 '22 at 21:43