Identical JWKs, but not really

August 05, 2025

A long time ago I was working on an OAuth server framework, and we had an odd help ticket. A team was trying to update an Apollo GraphQL setup to accept our access tokens for auth. It was not working.

We already had numerous Node implementations using these tokens and successfully validating them. That is what I told them: if this plugin was failing to validate the token, the plugin was doing something wrong.

It was a bit of a black box, so we were struggling to debug it. Then the engineer who raised the issue did something new: they wrote an implementation in Rust to verify the token. It also failed. I looked it over and it was a correct implementation. It failed on verifying the signature of the token, just like the Apollo plugin. This could not be right; it is about as simple as it gets: read the JWK, verify the token. The same inputs worked in the Node implementations but not in Rust? Something was off.

After some standard log debugging we found that the base64url (ASCII) representation of the key the Rust implementation was decoding was entirely different from the one the Node code used. How can this be? Both are grabbed from the same JWKS endpoint, a single source of truth, yet we had two different keys.

Let's look at the binary representation of those keys:

00000000111011111011111110111101001111001110
0111011111011111110111101001111001110

That's not so different now, is it? Padding: almost identical binary, but an entirely different ASCII representation. Base64 encodes three bytes as four characters, so a single extra 0x00 octet at the front shifts every subsequent group and changes every character of the string, even though the integer it encodes is the same. Once I knew it was padding it was easy to search for.

https://github.com/OADA/rsa-pem-to-jwk/issues/1

Maybe we shouldn't have used an obscure and abandoned library to convert our PEMs to JWKs. The mechanism behind the extra zeros is not exotic, though: a DER INTEGER is two's complement, so a positive RSA modulus (whose top bit is always set) is stored in the PEM with a leading 0x00 sign octet, and any converter that copies the INTEGER's contents straight into the JWK's "n" carries that octet along.

Anyway, the JWK side of the spec (RFC 7518's Base64urlUInt) says the octet sequence MUST use the minimum number of octets, but it says nothing about what a verifier does when it is handed one that does not. The result is that implementations diverge: some reject a non-minimal modulus (the Rust implementation did), others silently tolerate the leading zeros (the Node implementations did), and browsers have differed from each other on this in the same language (or did). If consumers had been told to reject it, every implementation would at least have failed the same way, and we would have found this on day one.

The fix was to change how we converted: strip the leading zero bytes from the modulus before base64url-encoding it. That was all it was, a couple of zeros.