JWKS is different when getting ID token from Metamask

I am not sure how to verify the ID token from Metamask.

When I log in with Metamask and call web3auth.authenticateUser() to obtain the ID token, the Metamask window pops up and after signing it I get the ID token. Unfortunately the JWT token is encoded using a different JWKS, i.e. the kid is different than the one provided at https://api.openlogin.com/jwks.

The JWT from metamask account has the following header:

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "G6-iP7C_4NdppFwiEuckNCU_etFIVBBxxt4UH9cB9G0"
}

While the JWT from social account has the following header:

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "TYOgg_-5EOEblaY-VVRYqVaDAgptnfKV4535MZPC0w0"
}

Since I do not have a key with this kid, I am not able to verify the JWT token at the backend side.

Please see SSV for External Wallet here:

JWKS Endpoint for External wallets is https://authjs.web3auth.io/jwks

Thank you for the fast reply, it works! :tada:

I was already at this page several times yesterday but didn’t notice that the JWKS URL is different. I started with the implementation of the social login and I was just adapting it, so I wasn’t copy-pasting the code provided there. I was just looking at what the differences are, but missed that one.

Please consider adding some highlight or warning to emphasize that the URL is different in this use case.

+1 to that, I encountered the same issue and spent some time figuring this out myself

Thank you @shayg and @vojta, for reporting that.

Updated for both Social and External Wallet Logins, please take a look.
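
The mismatch discussed in this thread, as an added example that is not code from any poster or from Web3Auth: a backend verifier that picks the JWKS by login type, showing the "kid not found" failure against the social JWKS and success against the external-wallet one. It uses Node's built-in crypto rather than a JWT library; the login-type labels, helper names, keys, kids and claims are all constructed for illustration, and only the two JWKS URLs come from the thread.

```javascript
// Added example. Keys, kids and claims are constructed; only the two URLs come from the thread.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');
const JWKS_URL = {
  social: 'https://api.openlogin.com/jwks',
  external_wallet: 'https://authjs.web3auth.io/jwks',
};
const b64u = (v) => Buffer.from(v).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const P1363 = 'ieee-p1363'; // JWS ES256 signatures are raw r||s, not DER

// Constructed issuer: a fresh P-256 key pair published as a one-key JWKS.
function makeIssuer(kid) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, jwks: { keys: [{ ...publicKey.export({ format: 'jwk' }), kid }] } };
}
function signJwt(privateKey, kid, payload) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT', kid }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: P1363 }))}`;
}
// Pin the algorithm, find the key by kid, then check the signature.
// Claim checks (expiry, audience, issuer) are left out to keep the focus on key selection.
function verifyJwt(token, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = unb64(h);
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error(`kid ${header.kid} not in JWKS`);
  const { kty, crv, x, y } = jwk;
  const key = createPublicKey({ key: { kty, crv, x, y }, format: 'jwk' });
  const ok = verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: P1363 }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return unb64(p);
}
// The login type picks the JWKS; jwksByUrl stands in for the HTTPS fetch (assumption).
function verifyIdToken(token, loginType, jwksByUrl) {
  if (!Object.hasOwn(JWKS_URL, loginType)) throw new Error('unknown login type');
  return verifyJwt(token, jwksByUrl[JWKS_URL[loginType]]);
}
function demo() {
  const social = makeIssuer('social-kid-constructed');
  const wallet = makeIssuer('wallet-kid-constructed');
  const jwksByUrl = { [JWKS_URL.social]: social.jwks, [JWKS_URL.external_wallet]: wallet.jwks };
  const token = signJwt(wallet.privateKey, 'wallet-kid-constructed', { sub: 'constructed-user' });
  let wrong;
  try { verifyIdToken(token, 'social', jwksByUrl); } catch (e) { wrong = e.message; }
  return { wrong, claims: verifyIdToken(token, 'external_wallet', jwksByUrl) };
}
```

A missing kid is reported as its own error here, separate from a bad signature, so a wrong-endpoint configuration shows up in logs as a key-lookup failure rather than as a tampered token.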
