actix-web-middleware-keycloak-auth

actix-web-middleware-keycloak-auth copied to clipboard

This is perhaps more of a question than an issue with this crate, but forgive me I am not well versed in rust or backend OAuth.

When accessing a protected endpoint, I am getting the error:

Error while decoding JWT token (InvalidSignature)

Steps to reproduce:

Set up keycloak, with a custom realm. In the custom realm, there is an admin user, who has several custom roles associated with it.

In code, follow your example, but get the public key dynamically:

  // within fn main():

  // Get the 
   let keycloak_realm = reqwest::get("http://localhost:9220/realms/custom_realm")
        .await?
        .json::<KeycloakRealm>()
        .await;

    match keycloak_realm {
        Ok(realm) => {

            // realm.public_key is `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1GFEiRT0DRkUmOg/HfjJRpEqgcAI3JY4krdSMF7+I1Qo0mKXBpRow3QkIEKqc4mPX3NEb2xVXVMkmHk+6+ykqg5cqyV4S2w+e9lQy2nQSqklp3u5Jlu7YsiTe26Xxmqn761H4O3VvdnufDt4Nhvl/yqc45EeyIC+WWDaKk68eG+/KqEumme3oAbddFtt9oAIdL2EGJJinO7GcckcVawuG0tN9Di5v6hoV8U0g9Mdjf3ZBXnS6vNG5nCacOTaNCdGHEkV97yzbB60Gh0YAv4cwGCZrMDzCAfMfBA5kWwTaChL5i4hO55YXPG4QveYq55xz2BMhdNUpyws7e0w2m0VCwIDAQAB`
           // confirmed this as RSA-OAEP in the keycloak UI
            
            let formatted = format!(
                "-----BEGIN RSA PUBLIC KEY-----\n{}\n-----END RSA PUBLIC KEY-----",
                &realm.public_key
            );

            let keycloak_auth = KeycloakAuth::default_with_pk(
                DecodingKey::from_rsa_pem(formatted.as_bytes()).unwrap(),
            );

            HttpServer::new(move || {
                let cors = Cors::default();

                let mut app = App::new()
                    .app_data(app_state.clone())
                    .app_data(reload_handle.clone())
                    .app_data(websocket_server.clone())
                    .app_data(tracker.clone())
                    .wrap(cors)

                app = app
                    .service(
                        web::scope("/v1/private")
                            // not sure why I have to clone this, if I don't, I get the error:
                            // cannot move out of `keycloak_auth`, a captured variable in an `Fn` closure
                            .wrap(keycloak_auth.clone())
                            .route(
                                "",
                                web::get().to(|| async { HttpResponse::Ok().body("Private") }),
                            ),
                    )

                app
            })
            .bind((BIND_ADDRESS, BIND_PORT))?
            .run()
            .await?;
        }
        Err(error) => {
            // Handle error stuff
        }
    }

All of this works, and the server is running. If I call the /private route with no token, I correctly get a 401 no auth error.

When I call the api to get the user, I get the token. Token looks something like:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1QUlqZTNBUzM0d25Bblk4YmVGM1Z0Ulo1TWlJdzQycFB6c1FfV3lEVUNFIn0.eyJleHAiOjE3MDI5MTczNzIsImlhdCI6MTcwMjkxNzA3MiwiYXV0aF90aW1lIjoxNzAyOTE2NTkwLCJqdGkiOiI2MGM1ZGQ5MC03MmVkLTQyNjYtYWRiZi03Yjc5NzFjMjM5NjQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjkyMjAvcmVhbG1zL3N0YXRoZXJvcyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NjBmM2IyMy1hMjBhLTRhNzctYjUxYy1hMGU4YzRjNjcyMTAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJyYXBjb24iLCJzZXNzaW9uX3N0YXRlIjoiZWM3MGY1MGYtNjZhMi00Njk4LTg2Y2YtYmJkMzA1NTAxODlmIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXN0YXRoZXJvcyIsIlJPTEVfUkFQQ09OX0FETUlOIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJzaWQiOiJlYzcwZjUwZi02NmEyLTQ2OTgtODZjZi1iYmQzMDU1MDE4OWYiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.m0BpSB-ZZtnHP9H07AquMQMDSxKwE5vKCECdcb9FM98sxvSB_XXt59mcYL-gq9OKVYiBFPZrxlUdqssEPS_gNCdbPj-Drd93xLH59i07olz5Sin1p9hyya6JwptdBdL1pRNhGX9atwbyEmxi6W0WNcM2oqsM9mDY5HkGJDec9mF7n22uI2vnlvWY1E845CHVM8TWIeOlsMpKtnoY6qV0hS12alm_X6GKs1Cug1cMRCURQ_LDjKkUVn1HObgHV2vLcDk4PhyiB7nY-JZZJBNwB5Kcp2mXXqxjfADMZ5GekAoqdhMmEcCd8QwbRIfHCLD5g3bYNMOTR4VrFzBZGSpIVg

If you pop that into https://jwt.io/, it shows as signature verified for RS256.

In postman, I make a request to /v1/private with header Authorization: Bearer <token>, I get the error Error while decoding JWT token (InvalidSignature). I took at look at the other issue: https://github.com/dsferruzza/actix-web-middleware-keycloak-auth/issues/2, but it seems the problem there was already solved. I dug around stack overflow a bit as well for this issue, but since my JWT seems valid, I'm not sure what the issue might be.

This is probably not a bug with this crate? But what am I doing wrong in my setup? Am I passing the public key incorrectly? Am I making some wrong assumptions somewhere here?

Hi!

Your approach seems fine 🤔 Just in case, could you try with this?

let formatted = format!(
    "-----BEGIN PUBLIC KEY-----{}-----END PUBLIC KEY-----",
    &realm.public_key
);

@dsferruzza So I tried that, and various variations of formatting the key, unfortunately no change.

Any other brainstorming idea on how to debug my setup? Thank you so much!

Could you try to get more info/context by:

1. Adding env_logger to your project
2. Calling its init function at the beginning of main
3. Running you app with the RUST_LOG="trace" environment variable
4. Sending the request that fails to your app
5. Putting the logs here

?