Subject: Assistance Needed with KrakenD JWT Validation (401 Unauthorized Issue)


Praveen Kumar

Dec 6, 2024, 2:29:29 AM
to KrakenD Community
Hi KrakenD Community,
I am facing a persistent 401 Unauthorized error while trying to validate a JWT using KrakenD with Keycloak as the identity provider. Here's a summary of my setup and the issue:

Environment Setup

Keycloak: Running in a Docker container with a configured realm.
KrakenD: Running in a Docker container, version 2.7.2.
Keycloak JWK Endpoint: Successfully reachable and returns the expected JWK response.

Current configurations:

Here is a simplified version of my krakend.json:

{
    "version": 3,
    "timeout": "3s",
    "debug": true,
    "endpoints": [
        {
            "endpoint": "/keycloak-protected",
            "method": "GET",
            "input_headers": [
                "Authorization",
                "Content-Type"
            ],
            "extra_config": {
                "github.com/devopsfaith/krakend-jose/validator": {
                    "alg": "RS256",
                    "jwk-url": "<JWK-ENDPOINT-URL>",
                    "disable_jwk_security": true,
                    "expected-audiences": [
                        "account"
                    ],
                    "expected-issuer": "<ISSUER>"
                }
            },
            "backend": [
                {
                    "host": ["<BACKEND-URL>"],
                    "url_pattern": "/backend-path/",
                    "input_headers": ["Authorization", "Content-Type"]
                }
            ]
        }
    ]
}

What I’ve Tried
1) Validated the JWT:
Successfully decoded and validated the JWT against the JWK using external tools.
The kid in the JWT matches the key in the JWK.

2) Checked Logs:
KrakenD debug logs show:
JWTValidator enabled for this endpoint
However, I still get a 401 Unauthorized when calling the endpoint.

3) Debugging with /__debug/:
The /__debug/ endpoint responds with {"message":"pong"}, but it doesn’t provide header-level details.

4) Backend Validation:
Directly tested the backend with the JWT, and it works correctly.

Request for Assistance
Could you help identify why KrakenD is returning a 401 Unauthorized?
Are there any specific configurations or logs I should focus on to resolve this?
Thank you for your guidance!

Best regards,
Praveen Kumar

Michel Fortes

Dec 22, 2024, 7:30:49 AM
to KrakenD Community, Praveen Kumar
Hello, Praveen.

I'd recommend that you:

- change the "github.com/devopsfaith/krakend-jose/validator" namespace to "auth/validator".
- remove "expected-" from your audiences and issuer config.
- make sure the JWT "aud" and "iss" claims values match your configuration.
- turn on the "operation_debug" config.
- double check the documentation.

Best!
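The checklist in the reply above, turned into a small diagnostic script (an added example, not code from the thread or from KrakenD): it lints an endpoint's validator block for the legacy namespace and the "expected-" keys, then decodes the token's payload (without verifying the signature) and compares "aud" and "iss" against the configured values, treating a string or list "aud" the way RFC 7519 allows. The key names "jwk_url", "audience", "issuer" and "operation_debug" follow the auth/validator schema as I know it; the issuer URL and the token are constructed placeholders.

```python
import base64
import json

# Namespace used in the original post and the one the reply recommends
LEGACY_NS = "github.com/devopsfaith/krakend-jose/validator"
VALIDATOR_NS = "auth/validator"
# Key renames the reply describes (assumed mapping; names follow the auth/validator schema)
KEY_RENAMES = {"expected-audiences": "audience", "expected-issuer": "issuer", "jwk-url": "jwk_url"}

def decode_claims(token: str) -> dict:
    # Payload only, no signature check: a diagnostic aid, not a validator
    payload = token.split(".")[1]
    # base64url segments carry no padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_endpoint(endpoint: dict, token: str) -> list:
    # Returns human-readable findings that would explain a 401 from the validator
    findings = []
    extra = endpoint.get("extra_config", {})
    if LEGACY_NS in extra:
        findings.append(f"namespace {LEGACY_NS!r} should be {VALIDATOR_NS!r}")
    cfg = extra.get(VALIDATOR_NS) or extra.get(LEGACY_NS) or {}
    for old, new in KEY_RENAMES.items():
        if old in cfg:
            findings.append(f"key {old!r} should be {new!r}")
    claims = decode_claims(token)
    # 'aud' may be a single string or a list (RFC 7519 section 4.1.3); normalise to a set
    aud = claims.get("aud", [])
    token_auds = {aud} if isinstance(aud, str) else set(aud)
    wanted = set(cfg.get("audience", []))
    if wanted and not wanted & token_auds:
        findings.append(f"token aud {sorted(token_auds)} matches none of {sorted(wanted)}")
    issuer = cfg.get("issuer")
    if issuer and claims.get("iss") != issuer:
        findings.append(f"token iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    if not cfg.get("operation_debug"):
        findings.append("operation_debug is off; turn it on to log the rejection reason")
    return findings

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned JWT-shaped string: enough for claim inspection, never for auth
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample-kid'})}.{enc(claims)}.not-a-signature"

# Constructed sample matching the thread: a Keycloak-style token whose aud is "account"
ISSUER = "https://keycloak.example/realms/demo"  # placeholder issuer
JWKS = ISSUER + "/protocol/openid-connect/certs"
SAMPLE_TOKEN = make_sample_token({"iss": ISSUER, "aud": "account", "sub": "alice"})
ORIGINAL = {"extra_config": {LEGACY_NS: {"alg": "RS256", "jwk-url": JWKS,
            "expected-audiences": ["account"], "expected-issuer": ISSUER}}}
CORRECTED = {"extra_config": {VALIDATOR_NS: {"alg": "RS256", "jwk_url": JWKS,
             "audience": ["account"], "issuer": ISSUER, "operation_debug": True}}}
```

Running `check_endpoint(ORIGINAL, SAMPLE_TOKEN)` reports the namespace, the three key renames and the missing operation_debug, while the corrected block returns no findings.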