Google OIDC provider: can't verify JWT signature

[bpteague]

I'm having trouble using Google as an OpenID Connect provider. I've been debugging with client_example.php and poking around with Firebug, and it looks like things are getting hung up verifying the JWT signature: the exception I get is "Unable to verify signature."

Things I've checked:

• The code is finding the right key to check the signature with.
• If I disable the JWT signature check, everything else works fine
• The signature is valid if I verify with the tools at http://jwt.io, using the second certificate at
  https://www.googleapis.com/oauth2/v1/certs

FWIW, I'm using PHP 5.5.9 (Ubuntu Trusty up-to-date) with phpseclib 0.3.5. The bug persists with phpseclib 3.10 (the current version.)

I'm working on the "master" branch; branch jumbojett-patch-1 has bug in get_key_for_alg which always returns the first key in $keys.

Any clues?

[piersharding]

Hi -
are you using something like ? :

$oidc = new OpenIDConnectClient('https://accounts.google.com',
$pluginconfig->clientid,
$pluginconfig->secret);
$oidc->addScope(array("openid", "email", "profile"));
$oidc->authenticate();

Cheers ,
Piers Harding

[bpteague]

Yes, that's exactly the configuration I'm using. Everything works until the call to $rsa->verify(); and if I ignore the return value, everything works fine.

[cicalese]

I believe that I'm intermittently having the same issue, which I discussed at #28.

[bpteague]

I agree that it may be the same issue (though I've never seen the authentication go through.) I have the same problem with the MIT OIDC provider, which uses MITREid Connect: https://github.com/mitreid-connect/

[rasodu]

@bpteague Is this related to #83? If it is, then you can close the issue and join the discussion there. @screambeard has some suggestions to fix the error.