We have configured Timesketch to use Single Sign-On via OIDC with IBM WebSEAL as the Identity Provider using the following configuration:
```python
GOOGLE_OIDC_ENABLED = True
GOOGLE_OIDC_AUTH_URL = "https://webseal/oauth/oauth20/authorize"
GOOGLE_OIDC_DISCOVERY_URL = "https://webseal/.well-known/openid-configuration"
GOOGLE_OIDC_ALGORITHM = "RS256"
GOOGLE_OIDC_CLIENT_ID = "******************"
GOOGLE_OIDC_CLIENT_SECRET = "***************"
GOOGLE_OIDC_API_CLIENT_IDS = []
GOOGLE_OIDC_HOSTED_DOMAIN = None
GOOGLE_OIDC_API_ALLOWED_DOMAINS = []
GOOGLE_OIDC_ALLOWED_USERS = []
```
The jwks_uri JSON returned by WebSEAL includes multiple RSA keys, but also one EC key. This causes Timesketch to throw the following error:
```
Not an RSA key
```
Upon inspecting the google_auth.py file, we found the following logic:
```python
for key_dict in keys_json["keys"]:
    public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict))
    _new_keys_dict[key_dict["kid"]] = public_key
```
When an EC key is encountered, jwt.algorithms.RSAAlgorithm.from_jwk() fails because it expects only RSA keys.
To fix this, we modified the code by wrapping the call in a try block to skip keys that are not RSA:
```python
for key_dict in keys_json["keys"]:
    try:
        # from_jwk() only accepts RSA JWKs; any other key type raises here.
        public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(key_dict))
        _new_keys_dict[key_dict["kid"]] = public_key
    except Exception as e:
        # Log and skip the key instead of aborting the whole JWKS refresh.
        print(f"[ERROR] Error processing key ID {key_dict['kid']}: {e}")
```
This change allows Timesketch to ignore non-RSA keys in the JWKS response and complete the SSO process successfully.
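As an added illustration (not code from this issue or from Timesketch), the following stand-alone example shows the alternative of selecting keys by their declared `kty`, `use` and `alg` fields before handing them to an RSA parser, rather than discovering the key type by letting the parser fail. It uses only the standard library and a constructed JWKS document with placeholder values, so it runs offline; `load_rsa_signing_keys` and `select_verification_key` are hypothetical names. It goes slightly beyond the EC case reported above by also skipping encryption-only keys, keys whose `alg` conflicts with the configured one, and malformed entries, and it pins the token's `alg` to the configured algorithm when a key is looked up.

```python
import base64
import json

# Constructed JWKS document (not WebSEAL output): two usable RSA signing
# keys, one EC key, one RSA encryption-only key and one malformed entry.
# The n/e/x/y values are short placeholders, not real key material.
CONSTRUCTED_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256",
         "n": "AQIDBAUGBwg", "e": "AQAB"},
        {"kty": "EC", "kid": "ec-1", "use": "sig", "alg": "ES256",
         "crv": "P-256", "x": "AQIDBAUGBwg", "y": "CQoLDA"},
        {"kty": "RSA", "kid": "rsa-2", "use": "sig",
         "n": "CQoLDA", "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-enc", "use": "enc",
         "n": "CQoLDA", "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-broken", "use": "sig", "e": "AQAB"},
    ]
})


def b64url_to_int(value):
    """Decode a base64url-encoded big-endian unsigned integer (JWK 'n'/'e')."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def load_rsa_signing_keys(jwks_text, expected_alg="RS256"):
    """Return ({kid: (n, e)}, [(kid, reason), ...]) from a JWKS document.

    Keys are selected on their declared type and purpose instead of
    discovering the type by letting an RSA parser raise on them.
    """
    keys = {}
    skipped = []
    for key_dict in json.loads(jwks_text).get("keys", []):
        kid = key_dict.get("kid")
        if not kid:
            # Without a kid the key could never be matched to a token header.
            skipped.append((None, "missing kid"))
            continue
        if key_dict.get("kty") != "RSA":
            skipped.append((kid, "kty=%s is not RSA" % key_dict.get("kty")))
            continue
        if key_dict.get("use", "sig") != "sig":
            skipped.append((kid, "use=%s is not a signing key" % key_dict["use"]))
            continue
        if key_dict.get("alg", expected_alg) != expected_alg:
            skipped.append((kid, "alg=%s does not match %s"
                            % (key_dict["alg"], expected_alg)))
            continue
        try:
            n = b64url_to_int(key_dict["n"])
            e = b64url_to_int(key_dict["e"])
        except (KeyError, ValueError) as exc:
            # Malformed RSA entries are skipped with a reason, not ignored silently.
            skipped.append((kid, "malformed RSA parameters: %r" % exc))
            continue
        keys[kid] = (n, e)
    return keys, skipped


def select_verification_key(keys, token_header, expected_alg="RS256"):
    """Pick the key for a decoded JWT header, refusing algorithm substitution."""
    if token_header.get("alg") != expected_alg:
        raise ValueError("token alg %r is not the configured %r"
                         % (token_header.get("alg"), expected_alg))
    kid = token_header.get("kid")
    if kid not in keys:
        raise KeyError("no RSA signing key with kid %r" % kid)
    return keys[kid]


if __name__ == "__main__":
    usable, rejected = load_rsa_signing_keys(CONSTRUCTED_JWKS)
    print("usable signing keys:", sorted(usable))
    for kid, reason in rejected:
        print("skipped %s: %s" % (kid, reason))
```

The skipped list is what you would feed to the application log during a JWKS refresh: an unexpected key type or a malformed entry from the IdP is then visible without aborting sign-on, and the `alg` pin in `select_verification_key` keeps a token from steering verification toward a key type the deployment was never configured for.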