JsonWebTokenError: error in secret or public key callback: socket hang up - jwks-rsa

Problem statement

We have been encountering these intermittent errors when accessing https://TENANT_DOMAIN/.well-known/jwks.json.

JsonWebTokenError: error in secret or public key callback: socket hang up

These errors also happen across other tenants. I saw other users having the same issues in this thread:

What is causing these errors?

Cause

For Node.js-based applications, the error occurs when an ECONNRESET is thrown.

This happens because the server closed the socket before the client did (at the TCP level). It usually occurs when the client is reusing sockets to make requests and a request happens to coincide with the socket being closed.

Solution

In this case caching should be used:

This should reduce the chance that a socket is reused by reducing the number of requests made overall. Signing keys should only change when a tenant admin rotates them, or in the unlikely event that Auth0 has to rotate a compromised private key and notify the impacted customer, so the keys can be cached for long periods. If there is an error, the jwks.json endpoint can then be called to check that the cache is up to date.
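The caching behaviour described above, as an added example that is not part of the original article and is not the jwks-rsa API: a small in-memory key cache that serves signing keys without a request, refetches on an unknown `kid`, and keeps using a cached key when the fetch fails with a transport error. `createKeyCache`, `fetchJwks`, `maxAgeMs` and `minRefreshMs` are hypothetical names, and the default durations are assumptions.

```javascript
// Added example: minimal in-memory JWKS key cache (hypothetical names, not jwks-rsa).
// fetchJwks is any async function resolving to the parsed jwks.json ({ keys: [...] }).
function createKeyCache(fetchJwks, opts = {}) {
  const maxAgeMs = opts.maxAgeMs ?? 10 * 60 * 60 * 1000; // assumed default: keys rarely change
  const minRefreshMs = opts.minRefreshMs ?? 60 * 1000;   // assumed cooldown for unknown kids
  const now = opts.now ?? Date.now;
  let keys = new Map();      // kid -> JWK
  let fetchedAt = -Infinity; // time of the last successful fetch
  let inflight = null;       // concurrent misses share one request

  function refresh() {
    if (!inflight) {
      inflight = fetchJwks()
        .then((jwks) => {
          keys = new Map(jwks.keys.map((k) => [k.kid, k]));
          fetchedAt = now();
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return async function getKey(kid) {
    const age = now() - fetchedAt;
    if (keys.has(kid) && age < maxAgeMs) return keys.get(kid); // hit: no request made
    // An unknown kid may mean the keys were rotated, but tokens carrying
    // random kids must not be able to trigger one request per token.
    if (!keys.has(kid) && age < minRefreshMs) throw new Error(`unknown kid: ${kid}`);
    try {
      await refresh();
    } catch (err) {
      // Transport error (e.g. ECONNRESET, "socket hang up"): keep using a key
      // that is already cached. Serving a stale key here is a policy choice.
      if (keys.has(kid)) return keys.get(kid);
      throw err;
    }
    if (!keys.has(kid)) throw new Error(`unknown kid: ${kid}`);
    return keys.get(kid);
  };
}
```

The function returned by `createKeyCache` can back the secret or public key callback of a JWT verifier. The cooldown bounds how often unrecognised `kid` values can reach the jwks.json endpoint.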
