
Unable to authenticate the request" err="[invalid bearer token, oidc: verify token: oidc: id token signed with unsupported algorithm, expected "RS256" got "ES384" #1210

Open
@slavaGanzin

Description


Describe the issue

It's not a bug, but I've spent a couple of hours investigating, so I want to leave a trace. Hopefully, someone else will find this useful.

To reproduce

cat /etc/systemd/system/k3s.service | grep kube-api

    --kube-apiserver-arg=oidc-issuer-url=https://XXX.logto.app/oidc \
    --kube-apiserver-arg=oidc-client-id=XXX \
    --kube-apiserver-arg=oidc-groups-claim=roles \
    --kube-apiserver-arg=oidc-username-claim=sub

kubectl oidc-login setup worked well and generated this configuration for me:

    kubectl config set-credentials oidc \
      --exec-api-version=client.authentication.k8s.io/v1beta1 \
      --exec-command=kubectl \
      --exec-arg=oidc-login \
      --exec-arg=get-token \
      --exec-arg=--oidc-issuer-url=https://XXX.logto.app/oidc \
      --exec-arg=--oidc-client-id=XXX \
      --exec-arg=--oidc-client-secret=XXX \
      --exec-arg=--oidc-extra-scope=email \
      --exec-arg=--oidc-extra-scope=roles \
      --exec-arg=--oidc-extra-scope=urn:logto:scope:organization_roles \
      --exec-arg=--oidc-extra-scope=urn:logto:scope:organizations \
      --exec-arg=--oidc-use-pkce

And that silently does not work. I couldn't get any logs out of oidc-login, and I found something only in the k3s logs.

$ kubectl --user=oidc get nodes
error: You must be logged in to the server (Unauthorized)

$ journalctl -fu k3s | grep oidc
Dec 31 12:30:01 hetzner2 k3s[3693765]: E1231 12:30:01.405868 3693765 authentication.go:73] "Unable to authenticate the request" err="[invalid bearer token, oidc: verify token: oidc: id token signed with unsupported algorithm, expected [\"RS256\"] got \"ES384\"]"

Running setup with -v5 really helped:

kubectl oidc-login setup --oidc-issuer-url=https://XXX.logto.app/oidc --oidc-client-id=613cnvt4zdm0lopyo6tbj --oidc-client-secret=XXX --oidc-extra-scope="email,roles,urn:logto:scope:organization_roles,urn:logto:scope:organizations" --log_file=/tmp/oidc-login --oidc-use-pkce -v5

# Response from Logto:
{"keys":[{"kty":"EC","use":"sig","kid":"XXX","alg":"ES384","crv":"P-384","x":"XXX","y":"XXX"}]}

I1231 12:31:30.755322   54007 browser.go:88] got a token set by the authorization code flow
I1231 12:31:30.755422   54007 browser.go:94] finished the authorization code flow via the browser

## 2. Verify authentication

So Logto uses ES384 to sign JWTs, but my k3s only accepts RS256, so I need to configure it:

cat /etc/systemd/system/k3s.service | grep sign
    --kube-apiserver-arg=oidc-signing-algs=ES384

It would be great if oidc-login would check whether the token is accepted by the k8s API server.

Thanks for the project and your time!

Your environment

  • OS: Darwin m 24.2.0 Darwin Kernel Version 24.2.0
  • k3s version v1.31.4+k3s1
  • kubelogin version:v1.31.0
  • kubectl version:
    Client Version: v1.31.2
    Kustomize Version: v5.4.2
    Server Version: v1.31.4+k3s1
  • OpenID Connect provider: logto.io
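As an added example (not part of this issue or of kubelogin itself), here is the pre-flight check the report asks for, in Python: compare the signing algorithms advertised in the issuer's JWKS (and the alg in an id_token header) with what the kube-apiserver accepts via oidc-signing-algs, whose default is RS256. The JWKS, the token and the flag lines are constructed samples modelled on the ones quoted above.

```python
import base64
import json

# kube-apiserver default for --oidc-signing-algs when the flag is not set.
APISERVER_DEFAULT_ALGS = ["RS256"]

# Constructed sample, shaped like the Logto JWKS response quoted in the issue
# (key material replaced with placeholders).
SAMPLE_JWKS = {"keys": [{"kty": "EC", "use": "sig", "kid": "XXX", "alg": "ES384",
                         "crv": "P-384", "x": "XXX", "y": "XXX"}]}

# Constructed compact JWT with an ES384 header; payload/signature are dummies.
SAMPLE_TOKEN = (base64.urlsafe_b64encode(
    json.dumps({"alg": "ES384", "typ": "JWT", "kid": "XXX"}).encode()
).rstrip(b"=").decode() + ".e30.sig")


def accepted_algs_from_args(args):
    """Derive accepted algs from apiserver flag lines (k3s wraps them in --kube-apiserver-arg=)."""
    for arg in args:
        flag = arg.strip().rstrip("\\").strip().removeprefix("--kube-apiserver-arg=").lstrip("-")
        if flag.startswith("oidc-signing-algs="):
            return [a.strip() for a in flag.split("=", 1)[1].split(",") if a.strip()]
    return list(APISERVER_DEFAULT_ALGS)


def jwks_signing_algs(jwks):
    """Collect algs advertised by the JWKS; infer ES* from the curve when alg is absent."""
    curve_to_alg = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}
    algs = set()
    for key in jwks.get("keys", []):
        if key.get("use", "sig") != "sig":
            continue  # encryption keys are irrelevant for id_token verification
        alg = key.get("alg") or curve_to_alg.get(key.get("crv"))
        if alg:
            algs.add(alg)
    return algs


def jwt_header_alg(token):
    """Read alg from the JOSE header of a compact JWT without verifying the signature."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header))["alg"]


def check_compatibility(jwks, accepted_algs, token=None):
    """Return mismatches; an empty list means the API server will accept the issuer's alg."""
    problems = []
    issuer_algs = jwks_signing_algs(jwks)
    if not issuer_algs & set(accepted_algs):
        problems.append(f"issuer signs with {sorted(issuer_algs)} but API server accepts {accepted_algs}")
    if token is not None and jwt_header_alg(token) not in accepted_algs:
        problems.append(f"id_token alg {jwt_header_alg(token)} is not in {accepted_algs}")
    return problems
```

Running the check against the default flags reproduces the "expected RS256 got ES384" failure before any kubectl call is made; adding oidc-signing-algs=ES384 makes it pass.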

Labels: bug