oidc_proto_jwt_verify: JWT signature verification failed when using bearer token auth

[gsgleason]

Hello.

I've set up mod_auth_openidc on RHEL9 using mod_auth_openidc-2.4.16.11-1.el9.x86_64.rpm from the releases page.

I'm using keycloak from red hat 26.0.10.

I've configured apache according to the wiki, with the exception of AuthType auth-openidc instead of openid-connect, which is specified in the wiki: https://github.com/OpenIDC/mod_auth_openidc/wiki/Single-Page-Applications#allowing-both-oauth-20-and-openid-connect

I want to have locations in apache protected by keycloak to allow both browser access and programmatic access.

Here is my auth_openidc.conf file:

OIDCRedirectURI /oauth2callback
OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
OIDCProviderMetadataURL https://{keycloak backchannel fqdn}:8443/realms/{realm}/.well-known/openid-configuration
OIDCProviderTokenEndpointAuth client_secret_basic
OIDCScope "openid email"
OIDCClientID {client_id}
OIDCClientSecret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OIDCRemoteUserClaim email
<Location "/oauth2callback">
    AuthType auth-openidc
    Require valid-user
</Location>
<Location "/secure">
    AuthType auth-openidc
    <RequireAny>
	Require claim group:/secure_group
    </RequireAny>
</Location>

I am testing programmatic access by using curl to get an access token:

curl -X POST -d grant_type=password -d username={username} -d password={password} -d client_id={client_id} -d client_secret={client_secret} https://{keycloak FQDN}/realms/{realm}/protocol/openid-connect/token

I then try to access the protected resource by providing the token in an Authorization header:

Authorization: Bearer {access_token}

I get an error from Apache in the www-authenticate header:

www-authenticate: Bearer error="invalid_token", error_description="JWT token could not be validated"

And the ssl_error_log shows this:

[Tue Apr 08 09:29:03.511635 2025] [auth_openidc:error] [pid 8928:tid 9064] [client x.x.x.x:49848] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:1308: oidc_jwt_verify]: could not find key with kid: ZtyywKfNUM8d7lNDzhod8RbMctSanzv8B9RCa42AP_M
[Tue Apr 08 09:29:03.511690 2025] [auth_openidc:error] [pid 8928:tid 9064] [client x.x.x.x:49848] oidc_oauth_validate_jwt_access_token: JWT access token signature could not be validated, aborting

So I went to jwt.io and pasted my access token and the json object for the key with id ZtyywKfNUM8d7lNDzhod8RbMctSanzv8B9RCa42AP_M which I got from the jwks_uri (which I got from /.well-known/openid-configuration) and it shows valid public key.

I don't understand why mod_auth_openidc can't validate the token.

[edit]

I set my apache log level to debug and now see the following:

[Tue Apr 08 11:59:48.989244 2025] [auth_openidc:debug] [pid 22282:tid 22403] src/oauth.c(589): [client x.x.x.x:41450] oidc_oauth_validate_jwt_access_token: verify JWT against 0 statically configured public keys and 0 shared keys, with JWKs URI set to (null)
[Tue Apr 08 11:59:48.989251 2025] [auth_openidc:debug] [pid 22282:tid 22403] src/proto/jwt.c(170): [client x.x.x.x:41450] oidc_proto_jwt_verify: "jwks_uri" and "signed_jwks_uri" are not set, signature validation will only be performed against statically configured keys

I don't understand this. The metadata URL absolutely has jwks_uri set. I also tested adding the following configuration option:

OIDCProviderJwksUri https://{keycloak backend fqdn}:8443/realms/{realm}/protocol/openid-connect/certs

And it still shows the same error saying JWKs URI set to (null)

[gsgleason]

I fixed it by adding OIDCOAuthVerifyJwksUri to the config.

Shouldn't that be covered by the keycloak metadata url?