Description
This is perhaps more of a question than an issue with this crate, but forgive me I am not well versed in rust or backend OAuth.
When accessing a protected endpoint, I am getting the error:
Error while decoding JWT token (InvalidSignature)
Steps to reproduce:
Set up keycloak, with a custom realm. In the custom realm, there is an admin user, who has several custom roles associated with it.
In code, follow your example, but get the public key dynamically:
// within fn main():
// Get the
let keycloak_realm = reqwest::get("http://localhost:9220/realms/custom_realm")
.await?
.json::<KeycloakRealm>()
.await;
match keycloak_realm {
Ok(realm) => {
// realm.public_key is `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1GFEiRT0DRkUmOg/HfjJRpEqgcAI3JY4krdSMF7+I1Qo0mKXBpRow3QkIEKqc4mPX3NEb2xVXVMkmHk+6+ykqg5cqyV4S2w+e9lQy2nQSqklp3u5Jlu7YsiTe26Xxmqn761H4O3VvdnufDt4Nhvl/yqc45EeyIC+WWDaKk68eG+/KqEumme3oAbddFtt9oAIdL2EGJJinO7GcckcVawuG0tN9Di5v6hoV8U0g9Mdjf3ZBXnS6vNG5nCacOTaNCdGHEkV97yzbB60Gh0YAv4cwGCZrMDzCAfMfBA5kWwTaChL5i4hO55YXPG4QveYq55xz2BMhdNUpyws7e0w2m0VCwIDAQAB`
// confirmed this as RSA-OAEP in the keycloak UI
let formatted = format!(
"-----BEGIN RSA PUBLIC KEY-----\n{}\n-----END RSA PUBLIC KEY-----",
&realm.public_key
);
let keycloak_auth = KeycloakAuth::default_with_pk(
DecodingKey::from_rsa_pem(formatted.as_bytes()).unwrap(),
);
HttpServer::new(move || {
let cors = Cors::default();
let mut app = App::new()
.app_data(app_state.clone())
.app_data(reload_handle.clone())
.app_data(websocket_server.clone())
.app_data(tracker.clone())
.wrap(cors)
app = app
.service(
web::scope("/v1/private")
// not sure why I have to clone this, if I don't, I get the error:
// cannot move out of `keycloak_auth`, a captured variable in an `Fn` closure
.wrap(keycloak_auth.clone())
.route(
"",
web::get().to(|| async { HttpResponse::Ok().body("Private") }),
),
)
app
})
.bind((BIND_ADDRESS, BIND_PORT))?
.run()
.await?;
}
Err(error) => {
// Handle error stuff
}
}All of this works, and the server is running. If I call the /private route with no token, I correctly get a 401 no auth error.
When I call the api to get the user, I get the token. Token looks something like:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ1QUlqZTNBUzM0d25Bblk4YmVGM1Z0Ulo1TWlJdzQycFB6c1FfV3lEVUNFIn0.eyJleHAiOjE3MDI5MTczNzIsImlhdCI6MTcwMjkxNzA3MiwiYXV0aF90aW1lIjoxNzAyOTE2NTkwLCJqdGkiOiI2MGM1ZGQ5MC03MmVkLTQyNjYtYWRiZi03Yjc5NzFjMjM5NjQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjkyMjAvcmVhbG1zL3N0YXRoZXJvcyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NjBmM2IyMy1hMjBhLTRhNzctYjUxYy1hMGU4YzRjNjcyMTAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJyYXBjb24iLCJzZXNzaW9uX3N0YXRlIjoiZWM3MGY1MGYtNjZhMi00Njk4LTg2Y2YtYmJkMzA1NTAxODlmIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLXN0YXRoZXJvcyIsIlJPTEVfUkFQQ09OX0FETUlOIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJzaWQiOiJlYzcwZjUwZi02NmEyLTQ2OTgtODZjZi1iYmQzMDU1MDE4OWYiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.m0BpSB-ZZtnHP9H07AquMQMDSxKwE5vKCECdcb9FM98sxvSB_XXt59mcYL-gq9OKVYiBFPZrxlUdqssEPS_gNCdbPj-Drd93xLH59i07olz5Sin1p9hyya6JwptdBdL1pRNhGX9atwbyEmxi6W0WNcM2oqsM9mDY5HkGJDec9mF7n22uI2vnlvWY1E845CHVM8TWIeOlsMpKtnoY6qV0hS12alm_X6GKs1Cug1cMRCURQ_LDjKkUVn1HObgHV2vLcDk4PhyiB7nY-JZZJBNwB5Kcp2mXXqxjfADMZ5GekAoqdhMmEcCd8QwbRIfHCLD5g3bYNMOTR4VrFzBZGSpIVg
If you pop that into https://jwt.io/, it shows as signature verified for RS256.
In postman, I make a request to /v1/private with header Authorization: Bearer <token>, I get the error Error while decoding JWT token (InvalidSignature). I took at look at the other issue: #2, but it seems the problem there was already solved. I dug around stack overflow a bit as well for this issue, but since my JWT seems valid, I'm not sure what the issue might be.
This is probably not a bug with this crate? But what am I doing wrong in my setup? Am I passing the public key incorrectly? Am I making some wrong assumptions somewhere here?