fix(auth): use PEM format for Keycloak RSA public key verification#99
Merged
JanZachmann merged 2 commits into omnect:main, Feb 18, 2026
## Summary

- Updated Centrifugo from v6.1.0 to v6.6.0
- Bumped project version to 1.1.2
- Includes Go 1.25.5 security patches and performance improvements

## Reason

Update to the latest Centrifugo release to benefit from performance optimizations, improved observability, and security updates in the Go runtime (1.25.5).

Signed-off-by: Jan Zachmann <50990105+JanZachmann@users.noreply.github.com>
The jwt-simple to jsonwebtoken migration used `DecodingKey::from_rsa_der()`, which doesn't handle the SPKI format returned by Keycloak's realm endpoint. Switch to `from_rsa_pem()` with proper PEM header wrapping.

Extract the key conversion into a testable function and add unit tests that exercise the real RSA signature verification path with a test keypair.

Signed-off-by: Jan Zachmann <50990105+JanZachmann@users.noreply.github.com>
JanZachmann added a commit that referenced this pull request on Feb 18, 2026:
## Summary

- `jsonwebtoken` v9 `Validation::new()` enforces `aud` (audience) claim validation by default
- Keycloak tokens set `aud` to the OIDC client ID, which the backend does not know
- The previous `jwt-simple` library did not enforce audience
- Disables `aud` validation to match prior behavior (same approach already used for `iss`)

Follow-up to #99 — signature verification now passes but audience validation was rejecting valid tokens with `InvalidAudience`.

Signed-off-by: Jan Zachmann <50990105+JanZachmann@users.noreply.github.com>
## Summary

- Fix `InvalidSignature` error in Keycloak portal token validation caused by the `jwt-simple` → `jsonwebtoken` migration
- `DecodingKey::from_rsa_der()` does not handle the SPKI format Keycloak returns; replaced with `from_rsa_pem()` and PEM header wrapping
- Extract `decoding_key_from_keycloak()` pure function and add unit tests with a real RSA keypair

## Reason

The `jwt-simple` → `jsonwebtoken` migration (#97) broke Keycloak token verification. All existing tests mocked `SingleSignOnProvider::verify_token()` at the trait level, so the actual RSA key parsing and signature verification had zero test coverage.

## Verification

`cargo test --features mock` — 3 new tests exercise real RSA key format conversion and JWT signature verification
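The key-format mismatch behind this PR (Keycloak's realm endpoint hands out the bare base64 body of a SubjectPublicKeyInfo, while `DecodingKey::from_rsa_der()` expects a PKCS#1 `RSAPublicKey`), as an added example that is not the omnect portal's own code and not what its `decoding_key_from_keycloak()` does internally. It performs the PEM wrapping the commit message describes and goes one step further: before wrapping, it decodes the base64 and inspects the outer DER structure, so a key in the wrong encoding, or a non-RSA SPKI, is rejected with a descriptive error at startup instead of surfacing later as `InvalidSignature`. Everything is standard-library Rust; the function names, the minimal base64 decoder and the constructed sample key are assumptions.

```rust
// Added example, not the omnect portal's own code: turn the base64 SPKI public
// key that a Keycloak realm endpoint returns into the PEM document a JWT library
// expects, checking the DER structure first so a wrong key encoding fails loudly
// at startup. Standard library only; all names and the sample key are assumptions.

/// rsaEncryption OID (1.2.840.113549.1.1.1) as encoded in an AlgorithmIdentifier.
const RSA_ENCRYPTION_OID: [u8; 11] = [0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01];

/// The two DER encodings an RSA public key is commonly shipped in.
#[derive(Debug, PartialEq, Eq)]
pub enum RsaKeyEncoding {
    Spki,  // SubjectPublicKeyInfo: what Keycloak returns; PEM label "PUBLIC KEY"
    Pkcs1, // RSAPublicKey: what from_rsa_der expects; PEM label "RSA PUBLIC KEY"
}

/// Minimal standard-alphabet base64 decoder that rejects foreign characters,
/// so the rest of the pipeline can rely on the body being plain ASCII.
pub fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in s.bytes().filter(|b| !b.is_ascii_whitespace() && *b != b'=') {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            _ => return Err(format!("invalid base64 character {:?}", c as char)),
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Ok(out)
}

/// Offset of the content of the DER element whose tag byte sits at `pos`
/// (short form and multi-byte long form lengths both handled).
fn der_content_offset(der: &[u8], pos: usize) -> Result<usize, String> {
    let len_byte = *der.get(pos + 1).ok_or("truncated DER element")?;
    if len_byte & 0x80 == 0 {
        return Ok(pos + 2);
    }
    let n = usize::from(len_byte & 0x7f);
    if n == 0 || n > 4 || der.len() < pos + 2 + n {
        return Err("malformed DER length".into());
    }
    Ok(pos + 2 + n)
}

/// Tell SPKI from PKCS#1 by the first element inside the outer SEQUENCE: an
/// AlgorithmIdentifier SEQUENCE means SPKI (which must then name rsaEncryption),
/// an INTEGER (the modulus) means PKCS#1.
pub fn classify_rsa_der(der: &[u8]) -> Result<RsaKeyEncoding, String> {
    if der.first() != Some(&0x30) {
        return Err("public key DER does not start with a SEQUENCE".into());
    }
    let inner = der_content_offset(der, 0)?;
    match der.get(inner) {
        Some(0x30) => {
            let alg = der_content_offset(der, inner)?;
            if der.get(alg..alg + RSA_ENCRYPTION_OID.len()) == Some(&RSA_ENCRYPTION_OID[..]) {
                Ok(RsaKeyEncoding::Spki)
            } else {
                Err("SubjectPublicKeyInfo algorithm is not rsaEncryption".into())
            }
        }
        Some(0x02) => Ok(RsaKeyEncoding::Pkcs1),
        _ => Err("unrecognised public key structure".into()),
    }
}

/// PEM armour: label lines around the base64 body re-flowed to 64 columns.
fn wrap_pem(label: &str, body: &str) -> String {
    let mut pem = format!("-----BEGIN {label}-----\n");
    for chunk in body.as_bytes().chunks(64) {
        pem.extend(chunk.iter().map(|&b| b as char)); // body is validated ASCII
        pem.push('\n');
    }
    pem + &format!("-----END {label}-----\n")
}

/// Build the string to hand to `jsonwebtoken::DecodingKey::from_rsa_pem`.
/// Keycloak returns the bare base64 body of an SPKI DER, so the label must be
/// "PUBLIC KEY"; a PKCS#1 blob gets "RSA PUBLIC KEY" instead.
pub fn decoding_key_pem_from_keycloak(public_key_b64: &str) -> Result<String, String> {
    let body: String = public_key_b64.chars().filter(|c| !c.is_whitespace()).collect();
    let der = base64_decode(&body)?;
    let label = match classify_rsa_der(&der)? {
        RsaKeyEncoding::Spki => "PUBLIC KEY",
        RsaKeyEncoding::Pkcs1 => "RSA PUBLIC KEY",
    };
    Ok(wrap_pem(label, &body))
}

fn main() {
    // Constructed sample: a tiny, structurally valid RSA SPKI, not a usable key.
    let sample = "MBswDQYJKoZIhvcNAQEBBQADCgAwBwICAMcCAQM=";
    match decoding_key_pem_from_keycloak(sample) {
        Ok(pem) => print!("{pem}"),
        Err(e) => eprintln!("key rejected: {e}"),
    }
}
```

The returned string is what `DecodingKey::from_rsa_pem(pem.as_bytes())` takes; as far as I know, jsonwebtoken's PEM parser accepts both the `PUBLIC KEY` and `RSA PUBLIC KEY` labels, which is why classifying the DER first lets one helper serve either encoding. On the follow-up commit's change: once `validate_aud` is switched off on `jsonwebtoken::Validation`, a token the realm issued to any of its clients verifies against this key, so signature and issuer checks alone no longer tie a token to this backend; where the client ID can be configured into the service, setting it as the expected audience restores that binding.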