Get 500 'The error is unrecognizable' when trying to establish a trust relationship for a JWT issuer #310
Closed
ory/hydra #3558
Label: bug (Something is not working.)
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe the bug
We use the OAuth2Api.trustOAuth2JwtGrantIssuer method from the @ory/client SDK to establish a trust relationship for a JWT issuer, i.e. to perform JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
We already have two trust relationships established using this flow, but now this flow fails, and we see from our service logs that the request to Ory fails with status code 500.
"message": "Request failed with status code 500",
"config": {
"url": "https://{project}.projects.oryapis.com/admin/trust/grants/jwt-bearer/issuers",
"method": "post",
"data": "{\"allow_any_subject\":true,\"expires_at\":\"2033-06-23T18:58:33.762Z\",\"issuer\":\"https://{our-issuer}\",\"scope\":[\"openid\",\"offline_access\"],\"jwk\":{\"kid\":\"00df2246-9777-41f9-ab9c-431dcc8ab725\",\"alg\":\"ES256\",\"use\":\"sig\",\"kty\":\"EC\",\"crv\":\"secp256k1\",\"x\":\"TfERtUKAHBuDGOg2j_Yub1SSQsrCyzZvnsSzkhRwmME\",\"y\":\"ACoPiVdJpBKQ6nVylA6TBGw7mkwXR7bFtWqJ2iCVtW8\"}}",
"headers": {
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json",
"Authorization": "Bearer {ory-pat}",
...
},
}
Sending a request with the same body directly to the Ory API from Postman leads to the same error.
Reproducing the bug
- Create an Ory Network authorization server
- Try to establish a trust relationship for a JWT issuer to perform JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523):
- using @ory/client SDK
import { Configuration, OAuth2Api } from '@ory/client'

// Placeholders: the Ory Network project slug, a personal access token (PAT)
// with admin rights, and the issuer whose assertions should be trusted.
const project = '<project>'
const oryPat = '<ory-pat>'
const ourIssuer = '<our-issuer>'

const oAuth2Api = new OAuth2Api(
  new Configuration({
    basePath: `https://${project}.projects.oryapis.com`,
    accessToken: oryPat,
  }),
  undefined
)

// Request body for POST /admin/trust/grants/jwt-bearer/issuers
const trustOAuth2JwtGrantIssuer = {
  allow_any_subject: true,
  expires_at: '2033-06-23T18:58:33.762Z',
  issuer: `https://${ourIssuer}`,
  scope: ['openid', 'offline_access'],
  jwk: {
    kid: '00df2246-9777-41f9-ab9c-431dcc8ab725',
    alg: 'ES256K',
    use: 'sig',
    kty: 'EC',
    crv: 'secp256k1',
    x: 'TfERtUKAHBuDGOg2j_Yub1SSQsrCyzZvnsSzkhRwmME',
    y: 'ACoPiVdJpBKQ6nVylA6TBGw7mkwXR7bFtWqJ2iCVtW8',
  },
}

// Fails with HTTP 500 (see the log output above).
await oAuth2Api.trustOAuth2JwtGrantIssuer({ trustOAuth2JwtGrantIssuer })
- using Ory API
url: https://{project}.projects.oryapis.com/admin/trust/grants/jwt-bearer/issuers
method: POST
headers:
{
  "Accept": "application/json, text/plain, */*",
  "Content-Type": "application/json",
  "Authorization": "Bearer {ory-pat}"
}
body:
{
"allow_any_subject": true,
"expires_at": "2033-06-23T18:58:33.762Z",
"issuer": "https://{our-issuer}",
"scope": [
"openid",
"offline_access"
],
"jwk": {
"kid": "00df2246-9777-41f9-ab9c-431dcc8ab725",
"alg": "ES256K",
"use": "sig",
"kty": "EC",
"crv": "secp256k1",
"x": "TfERtUKAHBuDGOg2j_Yub1SSQsrCyzZvnsSzkhRwmME",
"y": "ACoPiVdJpBKQ6nVylA6TBGw7mkwXR7bFtWqJ2iCVtW8"
}
}
Relevant log output
No response
Relevant configuration
No response
Version
Ory Network, @ory/client v1.1.39
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
No response
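One detail worth noting when reading the report: the request body captured in the service log carries "alg": "ES256" together with "crv": "secp256k1", while the reproduction steps use "alg": "ES256K". RFC 7518 binds ES256 to the P-256 curve and RFC 8812 binds ES256K to secp256k1, so the logged combination is internally inconsistent. The report does not establish that this is what triggers the 500, but a JWK that the server cannot reconcile is exactly the kind of input that a client should reject before it is registered as a trusted signing key. The following is an added example, not code from the issue or from Ory, of a preflight validator for the trust-relationship body that enforces the alg/crv pairing, the coordinate lengths, and a few other sanity checks before the SDK call. The function names, the rule set, and the sample issuer URL are this example's own assumptions; the requirement that either subject or allow_any_subject be present reflects my reading of the Hydra trust-grant API, not something stated on this page.

```javascript
// Added example (not from the issue or from @ory/client): a client-side
// preflight check for the body of POST /admin/trust/grants/jwt-bearer/issuers.
// Rejecting an inconsistent JWK locally gives a readable reason instead of a
// bare HTTP 500 and keeps malformed keys out of the trust store.

// alg -> crv pairings for EC signing keys (RFC 7518 s.3.1, RFC 8812 s.3.1)
const EC_ALG_TO_CRV = {
  ES256: 'P-256',
  ES384: 'P-384',
  ES512: 'P-521',
  ES256K: 'secp256k1',
};

// Byte length of each uncompressed coordinate (x, y) per curve.
const CRV_COORD_BYTES = {
  'P-256': 32,
  secp256k1: 32,
  'P-384': 48,
  'P-521': 66,
};

const BASE64URL = /^[A-Za-z0-9_-]+$/;

// Returns the decoded byte length of a base64url string, or -1 if malformed.
function decodedLength(s) {
  if (typeof s !== 'string' || !BASE64URL.test(s)) return -1;
  return Buffer.from(s, 'base64url').length;
}

// Returns a list of human-readable problems; an empty list means the JWK is
// internally consistent for use as an ES* verification key.
function checkEcJwk(jwk) {
  const problems = [];
  if (!jwk || typeof jwk !== 'object') return ['jwk missing'];
  if (jwk.kty !== 'EC') problems.push(`kty must be EC for ES* algorithms, got ${jwk.kty}`);
  if (!jwk.kid) problems.push('kid missing; the server selects the key by kid when verifying assertions');
  if (jwk.use !== undefined && jwk.use !== 'sig') problems.push(`use must be sig for a signing key, got ${jwk.use}`);

  const expectedCrv = EC_ALG_TO_CRV[jwk.alg];
  if (!expectedCrv) problems.push(`alg ${jwk.alg} is not an EC signing algorithm`);
  else if (jwk.crv !== expectedCrv) problems.push(`alg ${jwk.alg} requires crv ${expectedCrv}, got ${jwk.crv}`);

  const coordBytes = CRV_COORD_BYTES[jwk.crv];
  if (coordBytes === undefined) {
    problems.push(`unsupported crv ${jwk.crv}`);
  } else {
    for (const coord of ['x', 'y']) {
      const len = decodedLength(jwk[coord]);
      if (len !== coordBytes) problems.push(`${coord} must be base64url of ${coordBytes} bytes, got ${len}`);
    }
  }
  // A trusted issuer key is a public key; leaking the private scalar here is always a mistake.
  if ('d' in jwk) problems.push('d present: a private key must never be registered as a trusted issuer key');
  return problems;
}

// Checks the whole trust-relationship request body. `now` is injectable so the
// expiry check is deterministic in tests.
function checkTrustRequest(body, now = new Date()) {
  const problems = [];
  let issuer;
  try { issuer = new URL(body.issuer); } catch { problems.push(`issuer is not a URL: ${body.issuer}`); }
  if (issuer && issuer.protocol !== 'https:') problems.push('issuer should use https');
  const exp = new Date(body.expires_at);
  if (Number.isNaN(exp.getTime())) problems.push(`expires_at is not an RFC 3339 timestamp: ${body.expires_at}`);
  else if (exp <= now) problems.push('expires_at is in the past');
  if (!Array.isArray(body.scope) || body.scope.length === 0) problems.push('scope must be a non-empty array');
  // Assumption: the API requires a subject unless allow_any_subject is true.
  if (body.allow_any_subject !== true && !body.subject) problems.push('either subject or allow_any_subject: true is required');
  problems.push(...checkEcJwk(body.jwk));
  return problems;
}

// Fail closed: call this on the body right before oAuth2Api.trustOAuth2JwtGrantIssuer().
function assertTrustRequest(body, now) {
  const problems = checkTrustRequest(body, now);
  if (problems.length) throw new Error(`invalid trust request:\n - ${problems.join('\n - ')}`);
  return body;
}

// Constructed sample: the JWK fields as they appear in the logged request in
// the report (alg ES256 with crv secp256k1); the issuer URL is a placeholder.
const LOGGED_BODY = {
  allow_any_subject: true,
  expires_at: '2033-06-23T18:58:33.762Z',
  issuer: 'https://issuer.example',
  scope: ['openid', 'offline_access'],
  jwk: {
    kid: '00df2246-9777-41f9-ab9c-431dcc8ab725',
    alg: 'ES256',
    use: 'sig',
    kty: 'EC',
    crv: 'secp256k1',
    x: 'TfERtUKAHBuDGOg2j_Yub1SSQsrCyzZvnsSzkhRwmME',
    y: 'ACoPiVdJpBKQ6nVylA6TBGw7mkwXR7bFtWqJ2iCVtW8',
  },
};

module.exports = { checkEcJwk, checkTrustRequest, assertTrustRequest, LOGGED_BODY };
```

Run against the logged body the check reports "alg ES256 requires crv P-256, got secp256k1"; with alg changed to ES256K, as in the reproduction steps, the same body passes every check. Whether Ory Network then accepts the ES256K key is a separate question that the report leaves open.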