
JWT validation failed: Could not find matching key in public key set for kid


I'm generating a JWT using google-auth-library-nodejs by providing the credentials through env variables, similar to the sample code from here.

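const {auth} = require('google-auth-library');

// env.service_account.credentials holds the service account JSON shown below
const credentials = JSON.parse(JSON.stringify(env.service_account.credentials));
const client = auth.fromJSON(credentials);
const url = 'my_url';
// Request an ID token with `url` as the audience (run inside an async function)
const token = await client.fetchIdToken(url);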

When using that token later on for authentication, the request fails because of the following error:

JWT validation failed: Could not find matching key in public key set for kid=7da7843e8637d669bc2a12622cede2a8814d11b1

https://jwt.io/#debugger-io confirms that the kid of the generated JWT is indeed 7da7843e8637d669bc2a12622cede2a8814d11b1, however, the private key id in the json is 6bd5b5d36f9a4225bd814ff3d6909d95e23e0793.

Here's the JSON:

{
  "type": "service_account",
  "project_id": "project_id",
  "private_key_id": "6bd5b5d36f9a4225bd814ff3d6909d95e23e0793",
  "private_key": "-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXX\n-----END PRIVATE KEY-----\n",
  "client_email": "my_service_account@project_id.iam.gserviceaccount.com",
  "client_id": "REDACTED",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my_service_account%40project_id.iam.gserviceaccount.com"
}

Should the kid match the private_key_id?


Solution

  • client_x509_cert_url provided in the question above was not the right x-google-jwks_uri. It actually has to be https://www.googleapis.com/oauth2/v1/certs.

    After changing the URI, the kids match.

    If anyone has a clue why that is, it would be much appreciated.
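
An added example, not part of the original question or answer: `fetchIdToken` returns an ID token that Google issues and signs, so the `kid` in its header names one of Google's signing keys (published at `https://www.googleapis.com/oauth2/v1/certs`) and not the service account key's `private_key_id`. The sketch below reads the `kid` from a token header and reports which candidate key set lists it; the function names, the token and both key sets are constructed for illustration.

```javascript
// Decode the (unverified) JOSE header of a compact JWT.
function decodeJwtHeader(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
}

// Collect key IDs from either key-set shape:
//   JWKS:     { "keys": [ { "kid": "..." }, ... ] }
//   x509 map: { "<kid>": "-----BEGIN CERTIFICATE-----..." }
function keyIds(keySet) {
  if (Array.isArray(keySet.keys)) return keySet.keys.map(k => k.kid).filter(Boolean);
  return Object.keys(keySet);
}

// Report which of the candidate key sets contain the token's kid.
function findKeySetsForToken(token, candidates) {
  const { kid, alg } = decodeJwtHeader(token);
  if (!kid) throw new Error('token header has no kid');
  const matches = Object.entries(candidates)
    .filter(([, keySet]) => keyIds(keySet).includes(kid))
    .map(([name]) => name);
  return { kid, alg, matches };
}

// --- Constructed sample data (kid values reused from the question) ---
const b64url = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  b64url({ alg: 'RS256', kid: '7da7843e8637d669bc2a12622cede2a8814d11b1', typ: 'JWT' }),
  b64url({ iss: 'https://accounts.google.com', aud: 'my_url' }),
  'c2lnbmF0dXJl', // placeholder, not a real signature
].join('.');

const sampleKeySets = {
  'https://www.googleapis.com/oauth2/v1/certs': {
    '7da7843e8637d669bc2a12622cede2a8814d11b1': '<constructed certificate placeholder>',
  },
  'client_x509_cert_url': {
    '6bd5b5d36f9a4225bd814ff3d6909d95e23e0793': '<constructed certificate placeholder>',
  },
};

console.log(findKeySetsForToken(sampleToken, sampleKeySets));
```

In a real check, replace the sample key sets with the JSON bodies fetched from each candidate URI; the header is only decoded here, never trusted, so signature verification still has to happen against the matching key.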