APIcast is unable to validate JWT token if the content-type of jwks_uri isn't "application/json"

Solution Verified - Updated -

Issue

  • APIcast is unable to validate JWT token, it logs No trusted certs loaded.

    2021/01/01 00:00:00 [debug] 19#19: *45402 oidc.lua:191: verify(): [jwt] failed verification for token, reason: No trusted certs loaded, requestID=xxxxx
    2021/01/01 00:00:00 [debug] 19#19: *45402 proxy.lua:280: rewrite(): oauth failed with No trusted certs loaded, requestID=xxxxx
    

    However, my JWKS is reachable from the apicast.

    sh-4.4$ curl -v https://sso.example.com/jwks.json
    ....
    < HTTP/1.1 200 200
    < Date: Mon, 01 Jan 2021 00:00:00 GMT
    < Server: Apache
    < Access-Control-Allow-Origin: *
    < Access-Control-Allow-Credentials: true
    < Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With
    < Access-Control-Allow-Methods: GET,POST,OPTIONS
    < Cache-Control: no-store
    < Pragma: no-cache
    < Content-Length: 900
    < Content-Type: application/jwk-set+json;charset=UTF-8
    < 
    * Connection #0 to host sso.example.com left intact
    {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"......
    

Environment

  • Red Hat 3scale API Management 2.9

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content