Problems when using Shibboleth as OIDC provider #3842

Open
pizkaz opened this issue Apr 8, 2024 · 2 comments

@pizkaz
Contributor

pizkaz commented Apr 8, 2024

Hello,

we got a problem when using Shibboleth IDP as an OIDC provider for Workadventure:
After some time (sometimes minutes, sometimes hours, in rare cases even days!) login starts failing with the following message:

workadventure-play-1  | An error occurred while connecting to OpenID Provider =>  RPError: failed to validate JWT signature
workadventure-play-1  |     at Client.validateJWT (/usr/src/node_modules/openid-client/lib/client.js:1055:11)
workadventure-play-1  |     at Client.validateIdToken (/usr/src/node_modules/openid-client/lib/client.js:745:49)
workadventure-play-1  |     at Client.callback (/usr/src/node_modules/openid-client/lib/client.js:488:7)
workadventure-play-1  |     at Route.handler (/usr/src/play/src/pusher/controllers/AuthenticateController.ts:252:28) {
workadventure-play-1  |   jwt: '<censored: JWT token data>'
workadventure-play-1  | }

Once this happens, no-one can log in until we restart the play container!

This is bad, obviously. Like "unusable" bad. Has anyone seen this as well?

Update:
After some time, Shibboleth IDP sends ID tokens with an invalid signature. The question is: Why? And especially: Why does it work again (for some time) after restarting the play container?

@moufmouf
Collaborator

Mmmm.... extremely weird, indeed.
I've never used "Shibboleth IDP", so I'm really not sure.
It's not working even when you try to connect with another user?

@pizkaz
Contributor Author

pizkaz commented Apr 15, 2024

No, once it breaks, it's broken for all users. And after restarting the play container it works again with all users.
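
A triage example for the failure described in this thread, added here and not code from WorkAdventure, openid-client or either commenter. It tests one possible explanation that the thread does not confirm: that the key set the play container holds no longer matches what the IdP publishes. It assumes you can supply both JWKS documents and a failing ID token; the function names, verdict strings and sample keys are constructed for illustration.

```javascript
// Added example: compares the key an ID token names against two JWKS snapshots.
// Assumption: heldJwks is what the relying party currently holds, freshJwks is a
// new fetch of the IdP's jwks_uri. All names and verdict strings are hypothetical.
function b64urlJson(part) {
  return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
}

// Public key members only: enough to tell whether two JWKs are the same key.
function keyMaterial(jwk) {
  return ['kty', 'crv', 'n', 'e', 'x', 'y'].map((m) => jwk[m] ?? '').join('|');
}

// Keys a verifier could pick for this header (matching kid, usable for signing).
function candidates(jwks, header) {
  return (jwks.keys || []).filter((k) =>
    (header.kid === undefined || k.kid === header.kid) &&
    (k.use === undefined || k.use === 'sig') &&
    (k.alg === undefined || k.alg === header.alg));
}

function triage(idToken, heldJwks, freshJwks) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) return { verdict: 'not-a-compact-jws' };
  let header;
  try {
    header = b64urlJson(parts[0]);
    if (typeof header.alg !== 'string') throw new Error('header has no alg');
  } catch {
    return { verdict: 'unparseable-header' };
  }
  const held = candidates(heldJwks, header).map(keyMaterial);
  const fresh = candidates(freshJwks, header).map(keyMaterial);
  let verdict = 'keys-match-inspect-signature-itself';
  if (fresh.length === 0) verdict = 'idp-does-not-publish-this-key';
  else if (held.length === 0) verdict = 'held-jwks-lacks-this-kid';
  else if (!fresh.some((m) => held.includes(m))) verdict = 'same-kid-different-key-material';
  return { verdict, kid: header.kid ?? null, alg: header.alg };
}

// Constructed sample (not from the issue): only the header segment is read.
const makeToken = (header) =>
  [Buffer.from(JSON.stringify(header)).toString('base64url'), 'e30', 'c2ln'].join('.');
const keyA = { kty: 'RSA', kid: 'k1', use: 'sig', n: 'constructed-modulus-A', e: 'AQAB' };
const keyB = { kty: 'RSA', kid: 'k1', use: 'sig', n: 'constructed-modulus-B', e: 'AQAB' };
console.log(triage(makeToken({ alg: 'RS256', kid: 'k1' }), { keys: [keyA] }, { keys: [keyB] }));
```

A `held-jwks-lacks-this-kid` or `same-kid-different-key-material` verdict points at the relying party's copy of the keys; `keys-match-inspect-signature-itself` points back at the token the IdP issued.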
