Jwks_username_field variable not working as intended

Help Security
1

I am working on an experiment on localhost with JWT Authentication.
I set the ‘jwks_endpoint’ and ‘jwks_username_field’ as mentioned in the docs. (The picture below shows my current config)

jwks_config
jwks_config687×508 29.5 KB

I can retrieve tokens from the JWKS endpoint using Postman. I tried to use the token to authenticate the Data API request but apparently, the SingleStore instance does not recognize my ‘jwks_username_field’ config and uses the username in the ‘sub’ field of my JWT. (The picture below shows my Postman attempt)
postman_call
postman_call1142×596 49.8 KB

My token body is as follows.

{
  "realmName": "cloudIdentityRealm",
  "preferred_username": "jwt_user",
  "acr": "urn:ibm:security:policy:id:1",
  "userType": "regular",
  "uniqueSecurityName": "643002D3K3",
  "auth_time": 1700619543,
  "jti": "zGJ0TkumCrUzTALgUN65wyHA4yYMjI",
  "at_hash": "3Bxelkc9b9Tc33ACX5sw9g",
  "amr": [
    "password"
  ],
  "ext": {
    "tenantId": "singlestore.verify.ibm.com"
  },
  "iss": "https://singlestore.verify.ibm.com/oidc/endpoint/default",
  "aud": "c30ae195-5065-4bb6-a915-51a9b2a034e5",
  "sub": "643002D3K3",
  "iat": 1700619544,
  "exp": 1700626744
}

I am sure that my JWT token is correctly validated against JWKS endpoint (using online verify tools JSON Web Token Verifier (davetonge.co.uk). Please tell me what I am doing wrong?
Thank you in advance.

2

Try these approaches and still facing the same error, please let us know.

Can you please double-check that the jwks_username_field global variable is set to the correct field name that you expect to use as the username in your JWT. You can verify the current setting with the following command:
SHOW GLOBAL VARIABLES LIKE 'jwks_username_field';

Make sure that the JWT you are using contains the field specified by jwks_username_field and that it matches the username of an existing user in the database.

Can you also ensure your JWKS endpoint is configured properly and accessible by SingleStore? The JWKS must list the key used to sign the JWT for successful authentication.
You can check the JWKS update status with the following command:

SHOW STATUS EXTENDED LIKE 'JWKS_update%';