What is the bug?
The jwt authenticator with jwks_uri fails when the JWKS endpoint returns EC (ECDSA) keys. The JwtVerifier.getInitializedSignatureVerifier() method assumes all non-HMAC keys are RSA, causing a ClassCastException.
```
[2026-03-30T04:27:36,950][DEBUG][o.o.s.a.BackendRegistry ] [osearch-store-client-49c5] 'java.lang.ClassCastException: class com.nimbusds.jose.jwk.ECKey cannot be cast to class com.nimbusds.jose.jwk.RSAKey (com.nimbusds.jose.jwk.ECKey and com.nimbusds.jose.jwk.RSAKey are in unnamed module of loader java.net.URLClassLoader @25ae1f80)' extracting credentials from jwt http authenticator
java.lang.ClassCastException: class com.nimbusds.jose.jwk.ECKey cannot be cast to class com.nimbusds.jose.jwk.RSAKey (com.nimbusds.jose.jwk.ECKey and com.nimbusds.jose.jwk.RSAKey are in unnamed module of loader java.net.URLClassLoader @25ae1f80)
    at com.nimbusds.jose.jwk.JWK.toRSAKey(JWK.java:637)
    at org.opensearch.security.auth.http.jwt.keybyoidc.JwtVerifier.getInitializedSignatureVerifier(JwtVerifier.java:110)
    at org.opensearch.security.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:65)
    at org.opensearch.security.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials0(AbstractHTTPJwtAuthenticator.java:117)
    at org.opensearch.security.auth.http.jwt.AbstractHTTPJwtAuthenticator.lambda$extractCredentials$0(AbstractHTTPJwtAuthenticator.java:100)
    at org.opensearch.secure_sm.AccessController.doPrivileged(AccessController.java:76)
    at org.opensearch.security.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials(AbstractHTTPJwtAuthenticator.java:100)
    at org.opensearch.security.auth.http.jwt.keybyjwks.HTTPJwtKeyByJWKSAuthenticator.extractCredentials(HTTPJwtKeyByJWKSAuthenticator.java:138)
    ...
```
How can one reproduce the bug?
- Configure a JWT auth domain with jwks_uri pointing to a JWKS endpoint that serves EC P-256 keys:

```yaml
jwt_auth_domain:
  http_enabled: true
  http_authenticator:
    type: jwt
    config:
      jwks_uri: "https://example.com/.well-known/jwks.json"
      jwt_header: "custom-jwt-header"
      subject_key: "username"
      roles_key: "roles"
  authentication_backend:
    type: noop
```

- Send a request with a JWT signed with ES256 (EC P-256)
What is the expected behavior?
JWT is verified using the EC public key from the JWKS endpoint.
What is your host/environment?
- OS: Debian 12.13
- Version [3.5.0]
- Plugins
Do you have any additional context?
It seems that in JwtVerifier.java lines 107-112:

```java
if (key.getClass() == OctetSequenceKey.class) {
    result = new DefaultJWSVerifierFactory().createJWSVerifier(jwt.getHeader(), key.toOctetSequenceKey().toSecretKey());
} else {
    result = new DefaultJWSVerifierFactory().createJWSVerifier(jwt.getHeader(), key.toRSAKey().toRSAPublicKey());
}
```

the else branch unconditionally calls key.toRSAKey() for all non-HMAC keys, including EC keys, when it should be calling key.toECKey().toECPublicKey() on ECKey detection.
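An added example, not code from the OpenSearch security plugin, showing the key-type dispatch the passage above describes. The hypothetical helper `createVerifier` branches on the JWK's `kty` (OCT, RSA, EC) instead of assuming "not HMAC means RSA", and the `main` constructs a sample EC P-256 key standing in for what the JWKS endpoint would publish, reproduces the `ClassCastException` from the unconditional `toRSAKey()` call, then verifies an ES256-signed token through the fixed path. It assumes only the nimbus-jose-jwt library already used by the plugin.

```java
import java.security.Key;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class KeyTypeAwareVerifier {

    /**
     * Hypothetical replacement for the RSA-only else branch: pick the Java key
     * from the JWK's declared key type rather than casting everything to RSAKey.
     */
    static JWSVerifier createVerifier(JWSHeader header, JWK key) throws JOSEException {
        Key javaKey;
        KeyType kty = key.getKeyType();
        if (KeyType.OCT.equals(kty)) {
            javaKey = key.toOctetSequenceKey().toSecretKey();      // HMAC (HS256/384/512)
        } else if (KeyType.RSA.equals(kty)) {
            javaKey = key.toRSAKey().toRSAPublicKey();             // RS*/PS* algorithms
        } else if (KeyType.EC.equals(kty)) {
            javaKey = key.toECKey().toECPublicKey();               // ES256/384/512
        } else {
            // OKP (EdDSA) and unknown types are rejected explicitly instead of cast blindly.
            throw new JOSEException("Unsupported JWK key type: " + kty);
        }
        // The factory also checks that the header's alg matches the key's type,
        // so an ES256 header cannot be verified with an RSA or HMAC key.
        return new DefaultJWSVerifierFactory().createJWSVerifier(header, javaKey);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key: what a JWKS endpoint serving EC P-256 keys would publish.
        ECKey ecKey = new ECKeyGenerator(Curve.P_256).keyID("ec-kid-1").generate();
        JWK publishedJwk = ecKey.toPublicJWK();

        // Constructed sample token signed with ES256, as in the reproduction steps.
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.ES256).keyID("ec-kid-1").build(),
            new JWTClaimsSet.Builder().claim("username", "alice").build());
        jwt.sign(new ECDSASigner(ecKey));

        // The buggy branch: unconditional toRSAKey() on an EC JWK fails with ClassCastException.
        try {
            publishedJwk.toRSAKey();
        } catch (ClassCastException e) {
            System.out.println("toRSAKey() on EC JWK: " + e.getMessage());
        }

        // The fixed path: dispatch on kty, then verify the ES256 signature.
        JWSVerifier verifier = createVerifier(jwt.getHeader(), publishedJwk);
        System.out.println("ES256 signature verified: " + jwt.verify(verifier));
    }
}
```

Branching on `getKeyType()` rather than on `getClass()` also covers JWK subclasses and keeps the unsupported case explicit, so a JWKS document that mixes RSA and EC keys under different `kid` values works as long as the selected key's type matches the token's `alg`.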