FHIR Chat · trouble with my kids · smart/health-cards

Stream: smart/health-cards

Topic: trouble with my kids


Angus Millar (May 25 2021 at 04:25):

Hi Guys,
I was using this very useful validator site: VerifierPortal and ran into an error which I'm not clear on. I provided my Smart Health Card token as raw QR numeric and it neatly parsed out my token correctly. It shows my token header as follows:

{
  "alg": "ES256",
  "zip": "DEF",
  "kid": "tuqnKddcsvXI94xWCK8NJRsZ5YQQY_QwTjMzMfNjMIc"
}

As I don't yet have a public endpoint to serve my JWKS on, I instead pasted it in manually.
Here it is:

{
  "keys": [
    {
      "kty": "EC",
      "kid": "tuqnKddcsvXI94xWCK8NJRsZ5YQQY_QwTjMzMfNjMIc",
      "use": "sig",
      "alg": "ES256",
      "cry": "P-256",
      "x": "j2oyU1JyNT1x66i-PFsdsU1qL-y_Nxq7RjwKkd5kNyc",
      "y": "OPR0AnWPAmhFC6y1RAXFvsAGS0ptfUwuoTKkWXpP4bE"
    }
  ]
}

It then parses the JWKS and shows this error message:

{"message":"key[tuqnKddcsvXI94xWCK8NJRsZ5YQQY_QwTjMzMfNjMIc]: 'kid' does not match thumbprint in issuer key. expected: 3BQKJkOvOmXWApViNdYTTpkN8ZVnDI23c10KXgBsjow, actual: tuqnKddcsvXI94xWCK8NJRsZ5YQQY_QwTjMzMfNjMIc","code":203,"level":3}

I'm a little confused as the 'kid' in the token header and in the JWKS match, yet it seems there is some other conversion occurring that I'm not aware of. Is anyone able to point me in the right direction?

########################################################
Update: I believe I found my answer here https://datatracker.ietf.org/doc/html/rfc7638#section-3.1
And I found my typo in my JWKS json file, 'cry' should be 'crv'.

Christian Paquin (May 25 2021 at 11:11):

Angus Millar said:

Update: I believe I found my answer here https://datatracker.ietf.org/doc/html/rfc7638#section-3.1
And I found my typo in my JWKS json file, 'cry' should be 'crv'.

Does that resolve the issue? If not, I can run your sample in the underlying validator tool, to get more details.

Angus Millar (May 25 2021 at 15:13):

Thanks for the offer @Christian Paquin, however it did resolve it, all good.


Last updated: Apr 12 2022 at 19:14 UTC