Krakend suddenly returns 401: “[JWTValidator] Unable to validate the token: no Keys have been found” with Keycloak #984

Open
MohammedBajuaifer opened this issue Mar 19, 2025 · 3 comments


@MohammedBajuaifer

I'm experiencing an issue with Krakend and Keycloak where JWT validation suddenly fails, and I start receiving 401 responses. The error in the logs is:

[JWTValidator] Unable to validate the token: no Keys have been found

Setup Details:

Environment: Both Keycloak and Krakend are running in Docker containers.

JWT Token: The token I'm using is (for reference)

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOUnpvNFl3dHN4WU0xd05MbjNhXzdrYl9iN0djRVU0VUxaZlJjQWxnR3NrIn0.eyJleHAiOjE3NDI0MTUyODEsImlhdCI6MTc0MjQwODA4MSwianRpIjoiMDE2NTQzMDYtYzVkNS00ZjYwLWFlMTAtODgyNzg1MjJjZjcwIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrOjgwODEvcmVhbG1zL2tyYWtlbmQiLCJzdWIiOiI1YmZhMDBiOC0yMjBiLTQxMGMtYTM5Ni0zYTNlODFiMTg0ODciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiI0YTJmMjU1Yi0xNTI2LTQ3NWMtYjkwMS1mOTI2YmU5ZTIyYmEiLCJzY29wZSI6IiIsImNsaWVudEFkZHJlc3MiOiIxOTIuMTY4LjE0OC44IiwiY2xpZW50X2lkIjoiNGEyZjI1NWItMTUyNi00NzVjLWI5MDEtZjkyNmJlOWUyMmJhIn0.BoCtvGwePU45c_TElzVdxKnjW1HvYRKpj0D8Mhaxm4rSbX3ODstEmmbKoMhym5TMUyoTWm4RRLeVvokROWXnmp5_IxertsudbnDCoOQHOcdtiAxg5Opa2hoS6sVvDk6zPZK4S-kvavoVMAFgw0uPicC6YD5cpUP8oyN0FZdvotvLbnyzzwLPGUDJ9jj84tk-gtAl48Z5KIxJhlXEd5Yd4s3usXKgzJgDWrvGPPu_t1VVbM85A7ft9TMqcbj88yzzrruuSRbf5TOYeMz5ccae2Ev0uh2MT9NgWBlcObINSRGXC1iBb3Jf6fhS998TujkXfOA_pGqLjFIJGTv-Sw4yWA

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "NRzo4YwtsxYM1wNLn3a_7kb_b7GcEU4ULZfRcAlgGsk"
}

When I curl the JWKS endpoint from within the Krakend container:

curl http://keycloak:8081/realms/krakend/protocol/openid-connect/certs

I receive this response:

{
  "keys": [
    {
      "kid": "NRzo4YwtsxYM1wNLn3a_7kb_b7GcEU4ULZfRcAlgGsk",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "2ht0gl9-_UKvRBhcxUcSgCI5njQP201VKyBqBtzqvqDClYZ6hkuOPVuDKlz4ls2JoKcPMaXLPyR-f8T-JggXL19ZDAyucv1HwXHQYLy5LSWJj0gDUNFG1ExjUkEBhryuJ47sZ6t_t3FvFpTX0CTMX0BFj8Xmj-oAm7mh6laWCiT3zJ-29p9CajLXr1cVvkiIuWzrB84UnLS4dCoSiw5k_C8kuh57fE03r8ErhxuYfzI_VvtzE-ED0QODKb4BXgXA7EBopK7uzc6DtPcXtCrUW-LR6NXpX0LGBZ-94EWfa21Wk_SV27-RG0w8h8RiZyAZqrWsNKEjHnW9hs-eW-pG0Q",
      "e": "AQAB",
      "x5t": "_X7vlc52hYkF3j2bTwQKMBFp9-M",
      "x5t#S256": "S7fU1LyUOnsW8ImWRhoE0Z4JXLwz6PWHFPA9HbAqlWA"
    },
    {
      "kid": "dxQ-X_6x2mEOfrfmAQj5IEY2gN_1o_NYjJm56YvdQCA",
      "kty": "RSA",
      "alg": "RSA-OAEP",
      "use": "enc",
      "n": "r053slzVi3499OXCDCHuNaQGyO0TwOZsFULL-FqWMdtRXuXCinR8fyIprawa8ymMbop-pEnsJkKi8fMDYhHQ278uDwpLQSKFA3YgGJAlvgve09i_GfS_56kbtgWH6jj-jt76mPxZazxzCP9MuuL0PRWZohfuQiU-VwBqNwtE7YJoXIAEQrnkf6BAaeV_iNvknjlHTL4EHDyQOe9Kw8UUsybj5J-UF2yUwliBfGgY_EfgfMiwmo9Pkxe2pppfqZdDw_NXUnVOQ0R_5Dp0BecZN_OjmJBtGR_UnnGCCwho0qxoiRjRrzxkfMEQtSO5-eIRddcRXpelTKZST0xggCShLw",
      "e": "AQAB",
      "x5t": "a1HSuOboivROdg408K1Hfq5zg1c",
      "x5t#S256": "Z7rdzpbx7rIb7zmSS71o1RlFpTgEySGvbzxoM-8-B5o"
    }
  ]
}

The token’s header kid matches the corresponding key in the JWKS response, so on the surface the configuration appears correct.

What I’ve Tried:

- Verified that the JWKS endpoint is reachable from the Krakend container.
- Confirmed that the JWT’s header and payload (e.g., issuer) match the expected values.
- Enabled detailed logging via "operation_debug": true in Krakend.
- No recent changes have been made to the Keycloak or Krakend configurations.

Question: What could be causing Krakend to fail token validation with the error [JWTValidator] Unable to validate the token: no Keys have been found? What additional debugging steps or configuration checks can I perform to resolve this issue?

Any insights or suggestions are appreciated!
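
The manual check described in this post (token header `kid` against the JWKS response), as an added example that is not part of the original thread and is not KrakenD's own code: it picks the JWKS entry a validator could use for the token and reports why every other entry was rejected. The function names and the unsigned sample tokens are constructed here; the `kid`, `alg` and `use` values are copied from the issue, key material is omitted, and no signature is verified.

```python
import base64
import json

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def find_signing_key(token: str, jwks: dict, expected_alg: str = "RS256"):
    """Return (jwk, reasons): the JWKS entry usable to verify `token`, or None,
    plus why each other candidate was rejected. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, ["token is not a three-part compact JWS"]
    header = b64url_json(parts[0])
    if header.get("alg") != expected_alg:
        return None, [f"header alg {header.get('alg')!r} != expected {expected_alg!r}"]
    reasons = []
    for jwk in jwks.get("keys", []):
        kid = jwk.get("kid")
        if kid != header.get("kid"):
            reasons.append(f"{kid}: kid does not match token header")
        elif jwk.get("use", "sig") != "sig":
            reasons.append(f"{kid}: use={jwk['use']!r} is not a signing key")
        elif jwk.get("alg", expected_alg) != expected_alg:
            reasons.append(f"{kid}: alg={jwk['alg']!r} != {expected_alg!r}")
        else:
            return jwk, reasons
    if not reasons:
        reasons.append("JWKS contains no keys")
    return None, reasons

def make_token(header: dict) -> str:
    """Build an unsigned, constructed token for the demo (fake payload and signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'iss': 'http://keycloak:8081/realms/krakend'})}.c2ln"

# Constructed sample: kid, alg and use copied from the issue; key material omitted.
SIG_KID = "NRzo4YwtsxYM1wNLn3a_7kb_b7GcEU4ULZfRcAlgGsk"
ENC_KID = "dxQ-X_6x2mEOfrfmAQj5IEY2gN_1o_NYjJm56YvdQCA"
JWKS = {"keys": [
    {"kid": SIG_KID, "kty": "RSA", "alg": "RS256", "use": "sig"},
    {"kid": ENC_KID, "kty": "RSA", "alg": "RSA-OAEP", "use": "enc"},
]}

if __name__ == "__main__":
    for kid in (SIG_KID, ENC_KID, "kid-not-in-jwks"):  # last kid is a constructed miss
        key, why = find_signing_key(make_token({"alg": "RS256", "kid": kid}), JWKS)
        print(kid, "->", "match" if key else "no key", why)
```

To run it against a live setup, pass the real bearer token and the parsed body of the JWKS response in place of the constructed values.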

@thedae
Member

thedae commented Mar 20, 2025

Hi @MohammedBajuaifer

Thanks for reaching out, can you provide the "auth/validator" config you're using? Also, you mention that the validation "suddenly fails", meaning that at some point it worked properly, is that correct?

@MohammedBajuaifer
Author

MohammedBajuaifer commented Mar 23, 2025

Hi @thedae, yes, it was working, but suddenly it's failing.

This is my "auth/validator" config:

{
    "auth/validator": {
        "alg": "RS256",
        "jwk_url": "http://keycloak:8081/realms/krakend/protocol/openid-connect/certs",
        "disable_jwk_security": true,
        "cache": true,
        "issuer": "http://keycloak:8081/realms/krakend",
        "operation_debug": true
    }
}

@thedae
Member

thedae commented Mar 24, 2025

Can you try to replicate without cache? If the problem is gone without cache, we can narrow down the issue to a couple scenarios
