- Bug
- Resolution: Done
- Normal
- Quality / Stability / Reliability

Gateway currently only retrieves one key at a time, through the /realm/redhat-external endpoint, which returns a single, non-deterministically chosen active key for the realm. During key rotation a new active key is introduced while the old one is still needed to validate previously signed access tokens. Because only one key is queried, a lookup that happens in this window may return the new key from the realm and store it under the old kid from the request, if the cache entry for the old kid expires at that moment; tokens signed with the old key then fail validation.
Details:
Gateway is calling BOP to get the JWT cert through the wrong path: https://gitlab.cee.redhat.com/insights-platform/backoffice-proxy/-/blob/master/config.js?ref_type=heads#L47
This path only returns a single active key in the realm (non-deterministic).
The correct URLs return all valid keys. See RBAC's token validation implementation for appropriate keyset handling: https://github.com/RedHatInsights/insights-rbac/blob/7ea57050b1f5539ff7c7eaac844a746f2ca56c96/rbac/management/authorization/token_validator.py#L85
JWKS URL per environment:
- Prod: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs
- Stage: https://sso.stage.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs
- QA: https://sso.qa.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs
- Dev: https://sso.dev.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs
Gateway should fetch the full JWKS from these endpoints and select the cert whose kid matches the kid in the JWT header, instead of using a single fixed key.
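The kid-based lookup described above, as an added example (not the gateway's, BOP's or RBAC's own code). It fetches the whole keyset, selects by kid, keeps previously published keys across a refresh, and refetches at most once per minute when an unknown kid shows up, so a flood of tokens with bogus kids cannot turn the gateway into a request amplifier against the SSO endpoint. The scenario at the end reproduces the rotation failure from the ticket. To run offline it uses HS256 with symmetric "oct" JWKs from the standard library; the key ids, secrets and claims are constructed, and a real deployment would verify RS256 against the RSA JWKs that the URLs above return, with the same cache logic.

```python
"""JWKS cache keyed by kid, with rotation handling (added example, not gateway code)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwk(kid: str, secret: bytes) -> dict:
    # Symmetric JWK, an offline stand-in for the realm's RSA keys (assumption).
    return {"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url_encode(secret)}


def sign_jwt(claims: dict, jwk: dict) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def kid_from_jwt(token: str) -> str:
    """Read the kid from the (unverified) JWT header; it only selects a key."""
    return json.loads(b64url_decode(token.split(".")[0]))["kid"]


def verify_with_key(token: str, jwk: dict) -> bool:
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


class JwksCache:
    """Holds the full keyset from the certs endpoint and resolves keys by kid."""

    def __init__(self, fetch_jwks, ttl=300, min_refresh_interval=60, now=time.monotonic):
        self._fetch = fetch_jwks          # callable returning the JWKS document
        self._ttl = ttl
        self._min_refresh = min_refresh_interval
        self._now = now
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc["keys"] if "kid" in k}
        self._fetched_at = self._now()

    def get_key(self, kid):
        now = self._now()
        if self._fetched_at is None or now - self._fetched_at > self._ttl:
            self._refresh()
        if kid in self._keys:
            return self._keys[kid]
        # Unknown kid usually means a rotation just happened. Refetch, but no more
        # than once per min_refresh_interval so attacker-chosen kids stay cheap.
        if now - self._fetched_at >= self._min_refresh:
            self._refresh()
        return self._keys.get(kid)


def verify(token: str, cache: JwksCache) -> bool:
    key = cache.get_key(kid_from_jwt(token))
    return key is not None and verify_with_key(token, key)


def simulate_rotation() -> dict:
    """Constructed scenario: the realm rotates from k1 to k2 while a k1 token is in flight."""
    old_key = make_jwk("k1", b"old-secret-constructed")
    new_key = make_jwk("k2", b"new-secret-constructed")
    realm = {"keys": [old_key]}           # what the certs endpoint currently publishes
    clock = [0.0]                         # fake monotonic clock for a deterministic run
    cache = JwksCache(lambda: realm, now=lambda: clock[0])

    old_token = sign_jwt({"sub": "user-1"}, old_key)
    before = verify(old_token, cache)

    # Rotation: k2 becomes the active key; k1 stays published for existing tokens.
    realm["keys"] = [old_key, new_key]
    new_token = sign_jwt({"sub": "user-2"}, new_key)
    clock[0] = 61.0
    return {
        "old_token_before_rotation": before,
        "old_token_after_rotation": verify(old_token, cache),   # k1 still cached
        "new_token_after_rotation": verify(new_token, cache),   # unknown k2 -> refetch
        # The ticket's failure mode: only the single active key is fetched, so the
        # old kid is checked against the new key and a still-valid token is rejected.
        "old_token_single_active_key": verify_with_key(old_token, new_key),
    }


if __name__ == "__main__":
    print(simulate_rotation())
```

The cache deliberately keeps every key the endpoint publishes rather than one "active" key; the SSO realm keeps the previous key listed during rotation precisely so that validators can do this. Bounding the miss-triggered refresh is the part easiest to forget: without it, a client can force a fetch to the certs endpoint on every request by sending a random kid.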