krakend-ce
Debug 401 Error
Hi all,
I have implemented KrakenD and have run into an issue: When I call a protected API I am getting a 401 error, although my settings appear to be correct. Is there a way to debug it, to see what exactly is causing that error?
- I set up a protected endpoint in the config, with a specific accepted role and audience.
- I generate a valid JWT (tested with https://jwt.io/) using the same role, audience, future expiry date and valid JWK
Thanks
here you have the 3 checks that return a 401 when they fail: https://github.com/devopsfaith/krakend-jose/blob/master/gin/jose.go#L129-L154

as you can see, the 401 is returned when the signature is incorrect (or it can't be validated), when the required claims are not present or when some claim is rejected (by the bloomfilter or the CEL executor). and, at v2, all are logged.

if you share the endpoint configuration and a sample token maybe we could give you more details
Hi there,
Thanks for the quick response. Is there a way I can get detailed logs around what exactly failed during the auth process?
Krakend Endpoint Configuration (v3, running Krakend 2.0.1):

```json
"endpoint": "/root",
"method": "GET",
"output_encoding": "json",
"extra_config": {
  "auth/validator": {
    "alg": "HS256",
    "jwk_local_path": "/etc/krakend/jwk/jwk.json",
    "roles_key": "roles",
    "audience": [ "weatherforecast" ],
    "roles": [ "user" ],
    "disable_jwk_security": true,
    "issuer": "krakend",
    "jwk_fingerprints": []
  }
},
"backend": [
  {
    "url_pattern": "/api/v1/weatherforecast",
    "encoding": "string",
    "method": "GET",
    "extra_config": {
      "backend/http": {
        "return_error_details": "backend_alias"
      }
    },
    "host": [ "http://{api server}:5080" ],
    "disable_host_sanitize": false
  }
],
"input_headers": [ "Authorization" ]
```

JWT Sample:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciIsIm5iZiI6MTY0OTIwMTY4MSwiZXhwIjoxNjQ5MjA1MjgxLCJpYXQiOjE2NDkyMDE2ODEsImlzcyI6ImtyYWtlbmQiLCJhdWQiOiJ3ZWF0aGVyZm9yZWNhc3QifQ.YqesY_o667VzTxxmVRT1DjJxUAOvYr18fB-A7E1WXp8
```
The signature is validated in jwt.io when I enter the secret key.
Many thanks
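An offline check of the posted token's claims against the posted `auth/validator` settings, added here as an example (it is not KrakenD code and not from any participant in this thread). The comparison rules are a simplified assumption about what the validator requires, the signature is not verified, and `claim_mismatches` is a hypothetical helper name.

```python
import base64
import json
import time

# Copied from the post above: the relevant "auth/validator" keys and the sample token.
VALIDATOR = {"alg": "HS256", "issuer": "krakend", "audience": ["weatherforecast"],
             "roles_key": "roles", "roles": ["user"]}
TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciIsIm5iZiI6MTY0OTIwMTY4MSwiZXhwIjoxNjQ5MjA1MjgxLCJpYXQiOjE2NDkyMDE2ODEsImlzcyI6ImtyYWtlbmQiLCJhdWQiOiJ3ZWF0aGVyZm9yZWNhc3QifQ.YqesY_o667VzTxxmVRT1DjJxUAOvYr18fB-A7E1WXp8"

def decode_segment(segment):
    """Base64url-decode one JWT segment (restoring padding) and parse the JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def as_list(value):
    """Claims such as aud may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def claim_mismatches(token, cfg, now=None):
    """List why the token would not satisfy cfg. Hypothetical helper; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != cfg["alg"]:
        problems.append(f"alg {header.get('alg')!r} != configured {cfg['alg']!r}")
    if claims.get("iss") != cfg["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != configured {cfg['issuer']!r}")
    if not set(as_list(claims.get("aud"))) & set(cfg["audience"]):
        problems.append(f"aud {claims.get('aud')!r} matches none of {cfg['audience']}")
    if "exp" in claims and now >= claims["exp"]:
        problems.append("token expired (exp is in the past)")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("token not yet valid (nbf is in the future)")
    key = cfg["roles_key"]
    if key not in claims:
        problems.append(f"roles_key {key!r} not in payload; claims present: {sorted(claims)}")
    elif not set(as_list(claims[key])) & set(cfg["roles"]):
        problems.append(f"{key} {claims[key]!r} matches none of {cfg['roles']}")
    return problems

if __name__ == "__main__":
    # now is pinned inside the sample token's nbf/exp window so only claim content is judged.
    for problem in claim_mismatches(TOKEN, VALIDATOR, now=1649201700):
        print(problem)
```

For the token and settings as posted, with `now` inside the token's validity window, the only mismatch reported is that the configured `roles_key` (`roles`) is absent from the payload, which carries `role` instead.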
Hi all,
Just wanted to provide a quick update on this. I replaced the signer and validator paths to the below using the local jwk path option. By doing so I am now getting a 200 code, BUT even when the jwt expires or the roles don't match!

Signer: github.com/devopsfaith/krakend-jose/v2/signer
Validator: github.com/devopsfaith/krakend-jose/v2/validator
In addition, when I check the config, I am getting the below error:
ERROR linting the configuration file: jsonschema: '/endpoints/1/extra_config' does not validate with https://www.krakend.io/schema/v3.json#/properties/endpoints/items/$ref/properties/extra_config/$ref/additionalProperties: additionalProperties 'github.com/devopsfaith/krakend-jose/v2/signer' not allowed
Not sure how I need to set up the signer and the validator exactly or what I am doing wrong...
Thanks
> I replaced the signer and validator paths to the below using the local jwk path option. By doing so I am now getting a 200 code, BUT even when the jwt expires or the roles don't match!
that's because there was some error loading the validator middleware. check your logs.
also, your gateway should be logging the reason behind a 401. again, check your logs
Thanks for that. So that brings me to my original question as to how I can debug this. Where are the logs located?
by default, if you are not using any log exporter, logs are dumped to the standard output
@Chr1sK You have to enable the operation_debug setting to see what caused the 401 error:
[ENDPOINT: /v1/endpoint][JWTValidator] Unable to validate the token: square/go-jose: compact JWS format must have three parts
[GIN] 2022/05/20 - 15:05:54 | 401 | 175.519µs | 127.0.0.1 | POST "/v1/endpoint"
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 15 days.
This issue was closed because it has been marked as stalled for 15 days with no activity.
This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.