rhythmic-sundown-12093
06/25/2023, 2:27 AM
2023-06-21 07:20:39,669 [main] DEBUG c.l.r.t.h.client.HttpClientFactory - Getting a client with configuration {http.requestTimeout=10000} and SSLContext null
2023-06-21 07:25:44,463 [main] DEBUG c.l.r.t.h.client.HttpClientFactory - Getting a client with configuration {http.requestTimeout=10000} and SSLContext null
2023-06-21 07:26:36,421 [application-akka.actor.default-dispatcher-5] DEBUG o.p.o.r.OidcRedirectionActionBuilder - Authentication request url: <https://oauth.xxxxxxxxx.com/login/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fryze.xxxxxxxxx.com%2Fcallback%2Foidc&state=cc3057c1b5&client_id=9adee1dabf3114a5c1fa&scope=openid+profile+email>
2023-06-21 07:26:36,421 [application-akka.actor.default-dispatcher-11] DEBUG o.p.o.r.OidcRedirectionActionBuilder - Authentication request url: <https://oauth.xxxxxxxxx.com/login/oauth/authorize?response_type=code&redirect_uri=https%3A%2F%2Fryze.xxxxxxxxx.com%2Fcallback%2Foidc&state=82781feca7&client_id=9adee1dabf3114a5c1fa&scope=openid+profile+email>
2023-06-21 07:26:36,425 [application-akka.actor.default-dispatcher-5] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302
2023-06-21 07:26:36,425 [application-akka.actor.default-dispatcher-11] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302
2023-06-21 07:26:40,881 [application-akka.actor.default-dispatcher-16] DEBUG o.p.core.engine.DefaultCallbackLogic - === CALLBACK ===
2023-06-21 07:26:40,882 [application-akka.actor.default-dispatcher-16] DEBUG o.p.c.c.f.DefaultCallbackClientFinder - result: [oidc]
2023-06-21 07:26:40,882 [application-akka.actor.default-dispatcher-16] DEBUG o.p.core.engine.DefaultCallbackLogic - foundClient: #CustomOidcClient# | name: oidc | callbackUrl: <https://ryze.xxxxxxxxx.com/callback> | callbackUrlResolver: org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@9b900f6 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@68ed440d | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@4a2139e5 | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@73aaaf8 | authenticator: auth.sso.oidc.custom.CustomOidcAuthenticator@46c5a459 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@448a4da0 | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7a7aac5 | authorizationGenerators: [auth.sso.oidc.OidcAuthorizationGenerator@5518ada3] | configuration: #OidcConfiguration# | clientId: 9adee1dabf3114a5c1fa | secret: [protected] | discoveryURI: <https://oauth.xxxxxxxxx.com/.well-known/openid-configuration> | scope: openid profile email | customParams: {} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@3e943c35 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@28e5810a | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: null | allowUnsignedIdTokens: false | |
2023-06-21 07:26:40,888 [application-akka.actor.default-dispatcher-16] DEBUG o.p.o.c.extractor.OidcExtractor - Authentication response successful
2023-06-21 07:26:40,890 [application-akka.actor.default-dispatcher-16] DEBUG o.p.o.c.extractor.OidcExtractor - Request state: 82781feca7/response state: 82781feca7
2023-06-21 07:26:41,589 [application-akka.actor.default-dispatcher-16] DEBUG o.p.o.c.a.OidcAuthenticator - Token response: status=200, content={
  "access_token": "**********",
  "id_token": "**********",
  "refresh_token": "##########",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "openid profile email"
}
2023-06-21 07:26:41,607 [application-akka.actor.default-dispatcher-16] DEBUG o.p.o.c.a.OidcAuthenticator - Token response successful
2023-06-21 07:26:41,607 [application-akka.actor.default-dispatcher-16] DEBUG a.sso.oidc.custom.CustomOidcClient - Credentials validation took: 715 ms
2023-06-21 07:26:41,607 [application-akka.actor.default-dispatcher-16] DEBUG a.sso.oidc.custom.CustomOidcClient - clean authentication attempt
2023-06-21 07:26:41,608 [application-akka.actor.default-dispatcher-16] DEBUG o.p.core.engine.DefaultCallbackLogic - credentials: Optional[#OidcCredentials# | code: a4cc76bff8c86976dfcf | accessToken: ********** | refreshToken: ########## | idToken: com.nimbusds.jwt.SignedJWT@25dfc0a7 |]
2023-06-21 07:26:41,609 [application-akka.actor.default-dispatcher-16] DEBUG a.sso.oidc.custom.CustomOidcClient - credentials : #OidcCredentials# | code: a4cc76bff8c86976dfcf | accessToken: ********** | refreshToken: ########## | idToken: com.nimbusds.jwt.SignedJWT@25dfc0a7 |
2023-06-21 07:26:41,610 [application-akka.actor.default-dispatcher-16] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: access_token / value: ********** / class com.nimbusds.oauth2.sdk.token.BearerAccessToken
2023-06-21 07:26:41,610 [application-akka.actor.default-dispatcher-16] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: expiration / value: Thu Jun 22 07:26:41 GMT 2023 / class java.util.Date
2023-06-21 07:26:41,611 [application-akka.actor.default-dispatcher-16] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: id_token / value: ********** / class java.lang.String
2023-06-21 07:26:41,611 [application-akka.actor.default-dispatcher-16] DEBUG org.pac4j.oidc.profile.OidcProfile - adding => key: refresh_token / value: ########## / class com.nimbusds.oauth2.sdk.token.RefreshToken
2023-06-21 07:26:41,611 [application-akka.actor.default-dispatcher-16] DEBUG o.p.o.p.creator.OidcProfileCreator - Refresh Token successful retrieved
2023-06-21 07:26:42,520 [application-akka.actor.default-dispatcher-16] DEBUG o.p.o.profile.creator.TokenValidator - Validation fails with: {}
com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:384)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:288)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:224)
    at org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:103)
    at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:93)
    at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:45)
    at org.pac4j.core.client.BaseClient.retrieveUserProfile(BaseClient.java:119)
    at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:99)
    at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:88)
    at auth.sso.oidc.OidcCallbackLogic.perform(OidcCallbackLogic.java:100)
    at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:91)
    at controllers.SsoCallbackController$SsoCallbackLogic.perform(SsoCallbackController.java:77)
    at org.pac4j.play.CallbackController.lambda$callback$0(CallbackController.java:54)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1700)
    at play.core.j.HttpExecutionContext.$anonfun$execute$1(HttpExecutionContext.scala:64)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:49)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48)
    at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
    at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
    at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
    at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
    at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
delightful-ram-75848
06/29/2023, 5:06 AM
rhythmic-sundown-12093
06/30/2023, 7:56 AM
datahub-frontend-react:
  container_name: datahub-frontend-react
  depends_on:
    - datahub-gms
  environment:
    - AUTH_OIDC_ENABLED=true
    - AUTH_OIDC_USER_NAME_CLAIM=preferred_username
    - AUTH_OIDC_CLIENT_ID=${AUTH_OIDC_CLIENT_ID}
    - AUTH_OIDC_CLIENT_SECRET=${AUTH_OIDC_CLIENT_SECRET}
    - AUTH_OIDC_DISCOVERY_URI=https://oauth.*******.com/.well-known/openid-configuration
    - AUTH_OIDC_BASE_URL=${AUTH_OIDC_BASE_URL}
    - AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD=RS256
    - AUTH_OIDC_PREFERRED_JWS_ALGORITHM=client_secret_post
Then, when logging in, the page will prompt an error:
Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator.
The background of datahub-frontend-react will print the exception information in the above post.
brash-zebra-23712
10/18/2023, 3:36 PM