JWKS Parse Error

Hello,

I’m trying to upgrade from 1.2.2 to a new version, preferably to 1.3.3. However, when I try to upgrade, I’m seeing an error on the istio proxy sidecar starting properly due to a mysterious JWKS parse error. I’m seeing this error on versions 1.2.7 and 1.3.3:

[2019-10-18 22:15:55.856][33][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:87] gRPC config stream closed: 14, no healthy upstream
[2019-10-18 22:15:55.856][33][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:50] Unable to establish new stream
[2019-10-18 22:15:56.947][33][warning][config] [external/envoy/source/common/config/grpc_mux_subscription_impl.cc:81] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) 10.110.123.108_8443: Issuer 'https://pingfederate.mycorp.io:5555' in jwt_authn config has invalid local jwks: Jwks EC [x] or [y] field is missing or has a parse error., virtualInbound: Issuer 'https://pingfederate.mycorp.io:5555' in jwt_authn config has invalid local jwks: Jwks EC [x] or [y] field is missing or has a parse error.

I checked the JWKS and all keys with kty = “EC” have both an “x” and “y” field set. Beyond this my OIDC provider is PingFederate which I doubt it serving up an invalid JWKS, and this JWKS works on 1.2.2.

Thanks for any help

If anyone could help me out here, I’d appreciate it. Right now I’m unable to upgrade.