We use the EKS Service Account Token to log in to Vault. The login fails after key rotation at the EKS OIDC provider with the message:
“* error validating token: error verifying token signature: failed to verify id token signature”
I tried to debug and found Vault is using an older version (v2.2.1) of the go-oidc library, which contains a bug regarding the key rotation strategy that has been solved in v3.0.0.
Without the fix, since the EKS OIDC provider returns "cache-control: max-age=604800" in the HTTP header, go-oidc sets a 7-day expiration for each remoteKeySet and does NOT fetch keys even if it cannot find a key in the remoteKeySet.
Please upgrade the go-oidc dependency version.
Hi, @yuchun0228. We've updated the underlying go-oidc library version to address this issue. It will land in the 1.7.3 release of Vault. Thank you again for the report. Closing this issue now.
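As an added illustration (not Vault's or go-oidc's code), a stripped-down remote key set that contrasts the two caching strategies the report describes: trusting the Cache-Control max-age blindly, versus re-fetching the JWKS once when a token's kid is missing from the cached set. The key IDs, the May 2021 clock and the one-day gap between caching and rotation are constructed values.

```go
package main
import "fmt"
import "time"

// RemoteKeySet caches the provider's JWKS (reduced here to its key IDs) until the
// Cache-Control max-age elapses. refreshOnMiss=false mimics go-oidc v2.2.1, true the v3 fix.
type RemoteKeySet struct {
	fetch         func() (map[string]bool, time.Duration) // stands in for the JWKS HTTP GET
	kids          map[string]bool
	expiry        time.Time
	refreshOnMiss bool
	now           func() time.Time
	Fetches       int
}
func (r *RemoteKeySet) refresh() {
	kids, maxAge := r.fetch()
	r.kids, r.expiry = kids, r.now().Add(maxAge)
	r.Fetches++
}
// KeyFor checks that a token's kid is known; the error text mirrors the report.
func (r *RemoteKeySet) KeyFor(kid string) error {
	if r.kids == nil || r.now().After(r.expiry) {
		r.refresh() // cache empty or max-age elapsed
	}
	if !r.kids[kid] && r.refreshOnMiss {
		r.refresh() // unknown kid: the fix re-fetches once even though the cache is fresh
	}
	if !r.kids[kid] {
		return fmt.Errorf("failed to verify id token signature: unknown kid %q", kid)
	}
	return nil
}

// SimulateRotation replays the EKS scenario: max-age=604800 (7 days), key rotation
// one day later, then a token signed with the new kid. Returns fetch count and outcome.
func SimulateRotation(refreshOnMiss bool) (int, error) {
	provider := map[string]bool{"eks-key-1": true} // constructed key IDs
	clock := time.Date(2021, 5, 1, 0, 0, 0, 0, time.UTC)
	ks := &RemoteKeySet{
		fetch:         func() (map[string]bool, time.Duration) { return provider, 604800 * time.Second },
		refreshOnMiss: refreshOnMiss,
		now:           func() time.Time { return clock },
	}
	ks.refresh()                                  // cache populated while key 1 is current
	provider = map[string]bool{"eks-key-2": true} // the provider rotates its signing key
	clock = clock.Add(24 * time.Hour)             // still well inside the 7-day window
	err := ks.KeyFor("eks-key-2")
	return ks.Fetches, err
}
```

With refreshOnMiss=false the new kid fails exactly as in the report while the stale set stays cached for the remaining six days; with refreshOnMiss=true one extra JWKS fetch resolves it.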