Diagnostic Questions

Before revealing the investigation path:

  1. 34% of login attempts fail with "unable to verify signature" but 66% succeed. The OIDC provider is up and issuing tokens. What could cause intermittent JWT validation failures?

  2. The error message says "x509: certificate has expired" — not "token has expired." What is the difference between a token's exp claim and the signing key's X.509 certificate validity? Why would the X.509 certificate matter for JWT validation?

  3. Keycloak has two signing keys: v1 (PASSIVE, expired cert) and v2 (ACTIVE, valid cert). Why do 34% of requests still use tokens signed with v1?

  4. The fix is to regenerate the X.509 wrapping certificate using AWS KMS. Why is this a cloud operation rather than a Keycloak (Kubernetes) or certificate authority (security) operation?

  5. What is the fundamental design flaw in this system? Should JWT signature verification depend on X.509 certificate validity? What alternative validation approach would avoid this category of failure?
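As an added example (not part of this page), the two validation approaches behind questions 2, 3 and 5, written in Go with the standard library only: the page's v1 and v2 realm keys are simulated with constructed RSA keys and self-signed wrapping certificates, and `verify` either gates on the x5c certificate chain-verifying at the current time (the failing validator's behaviour) or uses only the public key published in n/e. The function names, the certificate common name and the token payloads are assumptions of this example, not anything from the page.

```go
package main

import (
	"crypto"; "crypto/rand"; "crypto/rsa"; "crypto/sha256"; "crypto/x509"; "crypto/x509/pkix"
	"encoding/base64"; "errors"; "math/big"; "strings"; "time"
)

var b64 = base64.RawURLEncoding
// jwk keeps what a JWKS entry carries about one key: the public key from "n"/"e" and the "x5c" certificate.
type jwk struct{ pub *rsa.PublicKey; cert *x509.Certificate }

// newSigningKey is a constructed stand-in for a Keycloak realm key: an RSA key inside a self-signed
// wrapping certificate that expires at notAfter (errors ignored only because the inputs are fixed).
func newSigningKey(notAfter time.Time) (jwk, *rsa.PrivateKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "keycloak"},
		NotBefore: notAfter.AddDate(-2, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	cert, _ := x509.ParseCertificate(der)
	return jwk{&priv.PublicKey, cert}, priv
}

// signRS256 returns header.payload.signature; the header's kid is what the validator looks up.
func signRS256(priv *rsa.PrivateKey, kid, payload string) string {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"`+kid+`"}`)) + "." + b64.EncodeToString([]byte(payload))
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// verify selects the key by kid and checks the RS256 signature. gateOnCert reproduces the failing validator
// (the x5c certificate must chain-verify at time now before its key is trusted); without it only the n/e key is used.
func verify(token string, keys map[string]jwk, now time.Time, gateOnCert bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return errors.New("malformed token") }
	hdr, _ := b64.DecodeString(parts[0])
	_, rest, _ := strings.Cut(string(hdr), `"kid":"`) // header shape is ours, so no JSON parser needed
	k, ok := keys[strings.TrimSuffix(rest, `"}`)]
	if !ok { return errors.New("unknown kid") }
	if gateOnCert {
		roots := x509.NewCertPool(); roots.AddCert(k.cert)
		opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := k.cert.Verify(opts); err != nil {
			return err // "x509: certificate has expired or is not yet valid: ..." for the PASSIVE key
		}
	}
	sig, _ := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(k.pub, crypto.SHA256, h[:], sig)
}
```

With v1's certificate already expired, every v1-signed token fails the cert-gated path with Go's own `x509: certificate has expired or is not yet valid` error while still passing the key-based path; the signature is checked either way, so a token whose kid points at a key that did not sign it is rejected by both.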