I am using the Singpass NdiOidcHelper (@govtechsg/singpass-myinfo-oidc-helper) library to handle Singpass login and token retrieval in my Node.js application. I have defined a keystore object with EC key parameters and used it to create a client assertion sign key. However, when I try to retrieve the token using the getTokens method, I am receiving an error "Unable to verify client_assertion: no key found".

Here is the keystore object and key object that I am using:

// EC (P-256) JWK used as the relying-party client assertion signing key.
// "d" is the private scalar and must stay server-side; only kty/crv/x/y
// (plus kid/use/alg) belong in the published JWKS. An EC JWK carries no
// RSA "e" (public exponent) member.
const keystore = {
    kty: 'EC',
    kid: 'gfU0OIt2KoTz8JIm6naqVsbyGUs8mtiMr_k5GnLPmxI',
    use: 'sig',
    alg: 'ES256',
    crv: "P-256",
    x  : "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
    y  : "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
    d  : "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk",
}

// Passed to the helper as the client assertion signing key.
const key = {
    "key": keystore,
    "format": 'json',
    "alg": 'ES256',
}

I am getting an error "Unable to verify client_assertion: no key found" when I make a request to the /assert API. Can someone please help me figure out what is wrong with my code?

Here is the code for handling Singpass login and token retrieval:

/login API:

const crypto = require('crypto')

// `server` is the NdiOidcHelper instance constructed with the key above.
app.get('/login', async (req, res) => {
  // state must be unguessable and checked again on the callback
  const state = crypto.randomBytes(16).toString('hex')
  const redirectURL = await server.constructAuthorizationUrl(state, 'test')
  res.cookie('connect.sid', '').redirect(redirectURL)
})

/assert API:

app.get('/assert', async (req, res) => {
  // Exchanges the authorization code for tokens; the helper signs the
  // client_assertion with `key` at this point, which is where the error surfaces.
  const token = await server.getTokens(req.query.code)
  console.log('Token', token)
  res.sendStatus(200) // without a response the request would hang
})

I am unsure if there is a problem with my key or if there is an error within the getTokens method. I have also attempted to use the mockpass well-known keys, but I am still encountering the same error. Any help in resolving this issue would be greatly appreciated.

Ritik Jain
  • Get rid of the JSON.Parse, since the key parameter is meant to be a string. Also, is the corresponding public key, with the same `kid` value, registered in a JWKS URI? The error message suggests it is not. You should also update your question with which helper library you are using, the code to call it, and the parameters you pass to its constructor. – Gary Archer Mar 29 '23 at 19:35
  • Using the `singpass-myinfo-oidc-helper` helper library. – Ritik Jain Mar 30 '23 at 03:52

1 Answer

You have to make sure the client_assertion is constructed properly with the jose library, otherwise you will always get that error:

Unable to verify client_assertion: no key found

So, how to make sure it is properly constructed according to the documentation:

  • Header (typ, alg, kid)
  • Payload (sub, aud, iss, etc)
  • Signature** (you need to sign with the correct private key)

If any of the values above is incorrect when you construct the client assertion JWT, the error will occur.

** You mentioned that you "attempted to use the mockpass well-known keys"; that is already wrong, as you need to sign with the relying party (rp) key in the oidc-v2-rp-secret.json.

compski