krakend-ce
Unable to validate the token: should have a JSON content type for JWKS endpoint
[KRAKEND] 2022/09/22 - 18:29:31.731 ▶ ERROR [ENDPOINT: /geo/v1/countries][JWTValidator] Unable to validate the token: should have a JSON content type for JWKS endpoint
Attached below is my config file.....
"extra_config": {
  "auth/validator": {
    "alg": "RS256",
    "cache": true,
    "issuer": "https://auth.sophware.com/realms/sophware",
    "jwk_url": "https://auth.sophware.com/realms/sophware/protocol/openid-connect/certs",
    "operation_debug": true,
    "scopes": [
      "sophware_geo_api"
    ]
  },
  "qos/ratelimit/router": {
    "client_max_rate": 10,
    "key": "Authorization",
    "strategy": "header"
  }
}
If I replace the jwk_url with a local file with the contents returned by the URL it works just fine.....
Can someone help me figure out what is wrong?
Thanks!
I am using the latest KrakenD with keycloak19 behind an AWS Load Balancer.... Content-Type appears to be set properly to me.... (assuming that is what it is complaining about).
@rjsoph you're right, that error is telling you that the response your KrakenD instance is getting is not JSON. It does not check the status code, so it could be getting a non-200 response or it could be that the cert from the ELB/ALB is not recognized by the system CA... Can you consume the JWK url from the same machine/container running KrakenD?
The URL is public (try it if you like) I see nothing wrong with it....
https://auth.sophware.com/realms/sophware/protocol/openid-connect/certs
I do have a workaround that bypasses the load balancer but I would like to use the load balancer if possible..... I am sure others are running keycloak behind a load balancer so that doesn't sound like a legit excuse....
The only difference I see is when going through the load balancer the header is
content-type: application/json
and when going directly to keycloak
Content-Type: application/json
I don't know why the case is being changed but I also do not understand why this would pose a problem for Krakend?
UPDATE: AWS load balancers transform headers to lower case by default. This is a krakend/jose bug IMO.
Hi @rjsoph,
Even though your load balancer is public and accessible from the internet, it doesn't mean that your KrakenD instance within AWS has access to it. The headers transform is not a problem.
I have tested the configuration, and it works just fine (because my krakend can reach your balancer). Obviously I don't have a token signed, but the error is not what you have.
Spend some time checking the connectivity between KrakenD and the balancer. For instance you could try the following in the KrakenD machine:
$ docker run --rm -it -w /tmp --entrypoint=/bin/sh devopsfaith/krakend
/tmp $ wget https://auth.sophware.com/realms/sophware/protocol/openid-connect/certs
Connecting to auth.sophware.com (34.234.182.243:443)
saving to 'certs'
certs 100% |****************************************************************************************************************************************| 2925 0:00:00 ETA
'certs' saved
And confirm you can do it within the machine.
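Added example, not part of the original thread and not KrakenD's or its JWT library's code: a small Go check that separates the causes discussed above (status code, content type, body) and shows that a lower-cased `content-type` header name reads the same through Go's net/http. The function name `checkJWKS` and both sample responses are constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// Constructed sample responses (not captured traffic).
const (
	// JWKS served through a proxy that lower-cases header names.
	viaLB = "HTTP/1.1 200 OK\r\ncontent-type: application/json\r\n\r\n" +
		`{"keys":[{"kty":"RSA","kid":"constructed","use":"sig"}]}`
	// Error page a proxy might return when the backend is unreachable.
	lbError = "HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\n\r\n" +
		"<html>503</html>"
)

// checkJWKS (hypothetical helper) reports the first reason a JWKS client could not use raw.
func checkJWKS(raw string) error {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return fmt.Errorf("unreadable response: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("status %d, want 200", resp.StatusCode)
	}
	// Header.Get also finds "content-type": net/http canonicalizes names on read.
	mt, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return fmt.Errorf("content type %q is not application/json", resp.Header.Get("Content-Type"))
	}
	var set struct{ Keys []json.RawMessage `json:"keys"` }
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil || len(set.Keys) == 0 {
		return fmt.Errorf("body is not a JWKS with keys (decode error: %v)", err)
	}
	return nil
}

func main() {
	fmt.Println("via LB:  ", checkJWKS(viaLB))
	fmt.Println("LB error:", checkJWKS(lbError))
}
```

To test a live endpoint, the same three checks can be applied to the response of an `http.Get` issued from inside the KrakenD container, where a TLS or connectivity failure would show up as the request error itself.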
Thank you for checking.... yes I suspect you are correct. Fortunately/Unfortunately the problem has now resolved itself so I can confirm it is working. We did have some connectivity problems and that is probably what led me astray....
This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.