Directory body is valid JSON

The directory response body must parse as JSON before any key-set check can run.

What this check verifies

This check confirms the directory response body parses as JSON. It is the first thing the checker does with the body, before it looks for a keys array or inspects any key. If the body does not parse, this check fails and the remaining directory checks do not run, because there is no structured document to read.

A directory is a JSON document, defined as a JSON Web Key Set in RFC 7517:

{
  "keys": [
    { "kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "..." }
  ]
}

Why it matters

Everything a verifier needs from the directory lives in this JSON: the key type, the curve, and the public key bytes. If the body is not valid JSON, none of it can be read, so no signature can be checked against it. A body that fails to parse means there is no usable directory, which is why the checker treats it as NOT FOUND rather than assigning a low grade.

In practice a parse failure almost always means the well-known path is returning the wrong thing: an HTML error page, a redirect interstitial, or truncated output.

How to fix it

  1. Fetch the well-known path yourself and confirm the raw body is JSON, not HTML or an error page.
  2. Validate it through any JSON parser. Common breakages are trailing commas, single quotes instead of double quotes, comments, or a byte-order mark or stray text before the opening brace.
  3. Confirm the response is not truncated, for example by a size limit or a proxy that cut it off.

The most common cause is a server returning an HTML error page (a 404 or 500 body) at the directory path while still answering with a 200 status. The fix is to serve the actual key-set JSON at that path. After the fix, the body should parse cleanly and have a top-level object.
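The three steps above, worked through as an added example that is not the checker's own code: a Python function that runs the parse check on a raw response body and reports which of the listed breakages it hit (HTML error page, byte-order mark, stray text, trailing comma or single quotes, truncation, non-object top level), plus a small helper that fetches a URL and records the status and Content-Type next to the result. The function names, the fields in the returned dict, and the sample bodies are all assumptions made for this example; the sample bodies are constructed, not captured from any server, and the Ed25519 `x` value is the one from the key set shown above.

```python
import json
import urllib.error
import urllib.request


def check_directory_body(raw: bytes) -> dict:
    """Run the 'directory body is valid JSON' check on a raw response body.

    Returns {"ok": bool, "reason": str, "keys": int | None}. "ok" is True only
    when the body parses and the top-level value is an object; "keys" is the
    length of a top-level "keys" array when one is present. Per-key checks
    are out of scope here, exactly as they are for this first checker step.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        return {"ok": False, "reason": f"body is not UTF-8 (bad byte at offset {e.start})", "keys": None}

    # A UTF-8 byte-order mark survives decoding as U+FEFF and makes strict
    # JSON parsers, Python's included, reject the body.
    if text.startswith("\ufeff"):
        return {"ok": False, "reason": "byte-order mark before the opening brace", "keys": None}

    stripped = text.lstrip()
    if not stripped:
        return {"ok": False, "reason": "empty body", "keys": None}

    # The classic failure: a 200 response whose body is an HTML error page.
    if stripped[0] == "<":
        return {"ok": False, "reason": "body looks like HTML, not JSON", "keys": None}

    # Stray output (a warning line, a debug print) emitted before the document.
    if stripped[0] not in "{[":
        return {"ok": False, "reason": "stray text before the opening brace", "keys": None}

    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        # An error at the very end of the input, or inside an unterminated
        # string, is the signature of a truncated response (size limit, proxy
        # cut-off). An error anywhere else is a syntax problem such as a
        # trailing comma, single quotes or a comment.
        truncated = e.pos >= len(text.rstrip()) or e.msg.startswith("Unterminated string")
        if truncated:
            reason = f"body ends mid-document at char {e.pos}: probably truncated"
        else:
            reason = f"invalid JSON at line {e.lineno} col {e.colno}: {e.msg}"
        return {"ok": False, "reason": reason, "keys": None}

    if not isinstance(doc, dict):
        return {"ok": False, "reason": f"top-level value is a JSON {type(doc).__name__}, not an object", "keys": None}

    keys = doc.get("keys")
    return {"ok": True, "reason": "body parses as a JSON object",
            "keys": len(keys) if isinstance(keys, list) else None}


def fetch_directory(url: str, timeout: float = 10.0) -> dict:
    """Fetch a directory URL and run check_directory_body on whatever comes back.

    Records the HTTP status and Content-Type next to the check result, since a
    200 status carrying an HTML error page is the usual cause of this failure.
    Error responses are checked too rather than raised, so their body is visible.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, headers, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:
        status, headers, body = e.code, e.headers, e.read()
    result = check_directory_body(body)
    result["status"] = status
    result["content_type"] = headers.get("Content-Type")
    return result


# Constructed sample bodies covering the breakages the text lists (not real
# responses from any server).
SAMPLES = {
    "valid": b'{"keys": [{"kty": "OKP", "crv": "Ed25519", '
             b'"x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo", "kid": "key-1"}]}',
    "html_error_page": b"<!DOCTYPE html><html><body><h1>404 Not Found</h1></body></html>",
    "bom": b'\xef\xbb\xbf{"keys": []}',
    "stray_text": b'Warning: deprecated call\n{"keys": []}',
    "trailing_comma": b'{"keys": [{"kty": "OKP"},]}',
    "single_quotes": b"{'keys': []}",
    "truncated": b'{"keys": [{"kty": "OKP", "crv": "Ed25519"',
    "not_an_object": b'[{"kty": "OKP", "crv": "Ed25519"}]',
    "empty": b"",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(fetch_directory(sys.argv[1]))  # pass the site's well-known directory URL
    else:
        for name, body in SAMPLES.items():
            print(f"{name:16} {check_directory_body(body)}")
```

Run it with no arguments to see each constructed sample classified, or with a URL to check a live directory; in the live case, a `status` of 200 together with a `reason` of "body looks like HTML, not JSON" is the exact situation the paragraph above describes. The truncation heuristic is deliberately loose: a parse error at the end of the input cannot distinguish a cut-off response from a document that was never finished, so the report says "probably" and leaves confirming the cause (a size limit, a proxy) to the person fixing it.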

References

  • RFC 7517 defines the JSON Web Key Set, which is a JSON document.
  • The web-bot-auth directory draft (draft-meunier-http-message-signatures-directory) requires the directory to be served as that JSON document.
  • How grading works explains why an unparseable body is treated as NOT FOUND.

How the checker scores this

Tier: JWKS directory
Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
Verdict effect: Failing makes the verdict NOT FOUND.
Point deduction: A failure deducts 25 points; a warning deducts 6.