
Getting 502 sometimes on login and always on logout #734

Open
chrisguen opened this issue Dec 13, 2023 · 6 comments

Comments

@chrisguen

After changing the IdP domain I am getting a 502 after the redirection from Authentik with the link https://domain.tld/apps/user_oidc/sls?requesttoken=rjOEcLJdZwWVZWO36qJmrJn/xxxxxxxqt4avU%3D:y3LRQuocSGT3TlLbptgjxdvItdy0xxxBJLI%3D
but only sometimes on login, and I seem to be logged in anyway, because when I visit NC with the base URL after that I am logged in.
Logging out, however, always produces the 502 as well.
The logs only show this:
Fehler | user_oidc | Impossible to decode OIDC token:Error: kid must be provided in JWT header.
and
OC\Authentication\Exceptions\InvalidTokenException: Token does not exist: token does not exist

I am running NC with Authentik on another install and it is working flawlessly there. Any hints on getting it debugged further?
The console logs of Authentik and NC don't show anything interesting regarding this issue.

@nevaforget

I do have a similar issue. NC + Authentik. It worked once, but just stopped. Login not possible. Every time Authentik redirects to NC I get an internal error:

Type: Exception
Code: 0
Message: Error: kid must be provided in JWT header.
File: /var/www/html/custom_apps/user_oidc/lib/Service/DiscoveryService.php
Line: 154

@chrisguen
Author

A workaround which worked for me was unchecking "send ID token hint on logout"; no more browser error, for whatever reason. On another install it works flawlessly with the box checked.

@nevaforget

I already unchecked that option. Toggling has no effect either.

@diegobrandao

I am getting the same issue, and it is consistent. I am unable to log in. Any other workaround?

@julien-nc
Member

This issue is a bit difficult to reproduce for me as it requires a setup with Authentik.

You could try to edit line 155 of apps/user_oidc/lib/Service/DiscoveryService.php from

throw new \Exception('Error: kid must be provided in JWT header.');

to

$this->logger->warning('kid is not provided in JWT header');
return $jwks;

To give a bit more context: the Firebase/JWT library used by user_oidc was complaining (crashing 😁) when decoding a JWT token because it didn't know the encryption algorithm of the JWK (encryption key provided by the discovery endpoint).

Information contained in the JWT token:

  • kid: id of the JWK to use to decode
  • alg: algorithm used to encrypt the token

So the fix we implemented was to set the missing JWK alg to the value used in the JWT token. The library was then happy and could decode the token.
The problem in your case is that the token does not provide a kid, so we can't know which key should be used to decode it, and so we can't try to fix this key.

I guess this logic is a bit broken since the kid is not needed in the token if the JWKs are not broken. Let's find out if it works when the kid is not mandatory anymore (the change I suggested).
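To make the key-selection logic described in the comment above concrete, here is an added example that is not part of user_oidc or the Firebase/JWT library. It takes a constructed JWK Set (one key deliberately missing `alg`, as in the broken discovery response described above) and a JWT header, and shows the three checks a verifier needs: the JWK Set must carry a `keys` member (the follow-up error reported later in this thread), the `kid` from the header selects the key and a missing `kid` is only tolerated when the set is unambiguous, and a missing JWK `alg` is filled from the token header while a mismatching one is rejected. Signature verification uses `oct`/HS256 keys purely so the example runs with the standard library; real OIDC ID tokens are normally RS256, and function and sample names are this example's own.

```python
import base64
import hashlib
import hmac
import json


class JwksError(Exception):
    """Raised for any key-selection or verification failure."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed sample secrets and JWK Set (not real material). "key-b" has no
# "alg", which is the shape of the broken JWK discussed in the thread.
SECRET_A = b"constructed-secret-a-0123456789"
SECRET_B = b"constructed-secret-b-0123456789"
SAMPLE_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "key-a", "alg": "HS256", "k": b64url_encode(SECRET_A)},
        {"kty": "oct", "kid": "key-b", "k": b64url_encode(SECRET_B)},
    ]
}


def select_jwk(jwks: dict, header: dict) -> dict:
    """Pick the JWK that should verify a token with this JOSE header."""
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        raise JwksError('"keys" member must exist in the JWK Set')
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise JwksError("JWT header must declare a real alg")
    kid = header.get("kid")
    if kid is not None:
        matches = [k for k in jwks["keys"] if k.get("kid") == kid]
        if not matches:
            raise JwksError(f"no JWK with kid {kid!r}")
        key = dict(matches[0])
    else:
        # No kid: acceptable only if exactly one key could apply to this alg.
        candidates = [k for k in jwks["keys"] if k.get("alg") in (None, alg)]
        if len(candidates) != 1:
            raise JwksError("kid missing and the JWK Set is ambiguous")
        key = dict(candidates[0])
    # The fix described in the thread: fill a missing JWK alg from the token.
    if "alg" not in key:
        key["alg"] = alg
    elif key["alg"] != alg:
        raise JwksError(f"token alg {alg!r} does not match JWK alg {key['alg']!r}")
    return key


def make_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (used only to produce sample input)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, jwks: dict) -> dict:
    """Select the key via the header, then verify the HMAC and return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwksError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    key = select_jwk(jwks, header)
    if key["alg"] != "HS256" or key.get("kty") != "oct":
        raise JwksError("this example only verifies oct/HS256 keys")
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise JwksError("signature verification failed")
    return json.loads(b64url_decode(p_b64))


def rejected(fn) -> bool:
    """True if fn() raises JwksError; lets callers check the failure paths."""
    try:
        fn()
    except JwksError:
        return True
    return False


if __name__ == "__main__":
    tok = make_token({"alg": "HS256", "typ": "JWT", "kid": "key-b"}, {"sub": "alice"}, SECRET_B)
    print(verify_hs256(tok, SAMPLE_JWKS))
    print(rejected(lambda: select_jwk(SAMPLE_JWKS, {"alg": "HS256"})))
```

Note that the "kid missing" branch is where the maintainer's suggested edit (log a warning and return the JWKS unchanged) differs from this example: returning the set as a whole leaves the library to pick a key, whereas here a missing kid is accepted only when a single key can apply, which keeps a multi-key set from being matched by guesswork.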

@EuleMitKeule

@julien-nc

I have the same problem and changed DiscoveryService.php as you suggested. Now I get this error instead:
UnexpectedValueException "keys" member must exist in the JWK Set
