Unable to verify client_assertion: no key found


I am using the Singpass NdiOidcHelper (@govtechsg/singpass-myinfo-oidc-helper) library to handle Singpass login and token retrieval in my Node.js application. I have defined a keystore object with EC key parameters and used it to create a client assertion sign key. However, when I try to retrieve the token using the getTokens method, I am receiving an error "Unable to verify client_assertion: no key found".

Here is the keystore object and key object that I am using:

// EC P-256 signing key in JWK form; kid must match the kid of the
// public key registered for the relying party so the verifier can look it up
const keystore = {
    kty: 'EC',
    kid: 'gfU0OIt2KoTz8JIm6naqVsbyGUs8mtiMr_k5GnLPmxI',
    use: 'sig',
    alg: 'ES256',
    crv: "P-256",
    x  : "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74", // public coordinate
    y  : "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI", // public coordinate
    d  : "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk", // private scalar
    // "e": "AQAB" removed: that is the RSA public exponent and is not an EC JWK parameter
}

// client assertion sign key passed to the helper: the JWK above, in JSON form, used with ES256
const key = {
    "key": keystore,
    "format": 'json',
    "alg": 'ES256',
}

I am getting an error "Unable to verify client_assertion: no key found" when I make a request to the /assert API. Can someone please help me figure out what is wrong with my code?

Here is the code for handling Singpass login and token retrieval:

/login API:

app.get('/login', async (req, res) => {
  // random state value carried through the authorization round trip
  const state = Math.random().toString(36).substring(2);
  const redirectURL = await server.constructAuthorizationUrl(state, 'test')
  // reset the session cookie, then send the browser to Singpass
  res.cookie('connect.sid', '').redirect(redirectURL)
})

/assert API:

app.get('/assert', async (req, res) => {
  try {
    // exchange the authorization code for tokens; the helper builds and signs the client_assertion here
    const token = await server.getTokens(req.query.code)
    console.log('Token', token)
    res.json(token)
  } catch (err) {
    console.error('getTokens failed', err)
    res.status(500).send(err.message)
  }
})

I am unsure if there is a problem with my key or if there is an error within the getTokens method. I have also attempted to use the mockpass well-known keys, but I am still encountering the same error. Any help in resolving this issue would be greatly appreciated.


You have to make sure the client_assertion is constructed properly with the jose library; otherwise you will always get that error:

Unable to verify client_assertion: no key found

So, how to make sure it is properly constructed according to the documentation:

  • Header (typ, alg, kid)
  • Payload (sub, aud, iss, etc)
  • Signature** (you need to sign with the correct private key)

If any of the values above isn't correct when you construct the client assertion JWT, the error will occur.

**You mentioned that you "attempted to use the mockpass well-known keys"; that is already wrong, as you need to sign with the relying party (RP) key in the oidc-v2-rp-secret.json.