IBM/node-sdk-core

Error after 4.0.1 release - JsonWebTokenError: secret or public key must be provided

NickVanderPyle opened this issue · 5 comments

Started getting this error after 4.0.1 was released. Error was not present with 4.0.0.
App has a direct dependency on latest @ibm-cloud/platform-services which has a dependency on this project.

Error: JsonWebTokenError: secret or public key must be provided
    at IamTokenManager.JwtTokenManager.saveTokenInfo (/app/node_modules/ibm-cloud-sdk-core/auth/token-managers/jwt-token-manager.js:111:19)
    at IamTokenManager.IamRequestBasedTokenManager.saveTokenInfo (/app/node_modules/ibm-cloud-sdk-core/auth/token-managers/iam-request-based-token-manager.js:137:40)
    at /app/node_modules/ibm-cloud-sdk-core/auth/token-managers/token-manager.js:109:19
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)

This seems to be happening because the IAM service is returning JWTs with invalid signatures, which the previous (and insecure) version of jsonwebtoken was fine with. 4.0.1 pushed a security fix that is causing this logic to fail. I'm going to see if there is a workaround or something we need to fix on our end.

Just reading "IAM service is returning JWTs with invalid signatures" sounds suspicious lol

> Just reading "IAM service is returning JWTs with invalid signatures" sounds suspicious lol

Agreed, but I may have misinterpreted something. I need to follow up with the IAM folks on this. It seems that having the user configure a public key is not a typical part of the workflow but JWT "verify" requires the client perform validation on the token with a public key to ensure it matches the key used to create the token.

All that said, we were never using the JWT package for client-side validation, only to decode the token to determine the expiration time, etc. So reverting back to the old "decode" logic should be fine, which I did in this PR.

I misunderstood the motivation to migrate to "verify" and didn't test it well enough, so I apologize for the inconvenience this caused. It should be resolved shortly!

Resolved with #227