Hi! Is there any way I can debug a policy while ru...
# help
Hi! Is there any way I can debug a policy while running? The tests that I wrote for it pass but it does not while running live and I can't quite figure out what the difference is between the requests. (moved from community, posted there by mistake)
We usually use the audit logs to help with this; it will output the principal, resource values so you can check what values you're seeing compared to what you expected in your policies.
Thanks! Now I've tried to use a custom config but I get an error regarding the JWT - "failed to find key with ID" but I don't get where it's getting that ID from. Is it generated automatically?
https://docs.cerbos.dev/cerbos/latest/configuration/auxdata.html I'm assuming it's the
(key id) that is in a claim in the JWT. Cerbos needs to use that ID to lookup the key, to check the signing signature
For debugging, you can add
to the request to see details about which policy matched and so on. If you have policy tests, adding
to the test runner will give you a step-by-step evaluation record for the failed policies as well. Finally, you can load the policy into the Cerbos REPL and execute its rules with your inputs to see how they are evaluated. You can find more information about these tools in https://cerbos.dev/blog/how-to-use-cerbos-effectively
You are right, it's the kid claim - I can't realize though why it does not match, since I've set the data to the base64-encoded public key and set pem to true...
Can you post your configuration file here with the sensitive values blanked out?
accessLogsEnabled: true
backend: 'file'
decisionLogsEnabled: true
path: stdout
- id: ${KEY_KID} # kid claim from the JWT
pem: true
httpListenAddr: ":3592"
driver: "disk"
directory: "/config/policies"
watchForChanges: true
logRequestPayloads: true
Ah, the keySet ID in Cerbos config is not your KID. It's just any identifier you'd like to use to identify that particular key set. If you have multiple key sets, we find the correct one to use based on the
value sent in your request (number 16 in https://docs.cerbos.dev/cerbos/latest/api/index.html#check-resources)
If you only have one key set, then you don't need to send
in the request.
At first I had it set to "default" (I'm not sending any keySetId in the request), I've changed it now since I saw the error hoping that it would fi it. Unfortunately, it didn't
What's the full error message?
{"log.level":"error","@timestamp":"2023-05-03T08:59:17.969Z","log.logger":"cerbos.grpc","message":"Failed to extract auxData","grpc.start_time":"2023-05-03T08:59:17Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"","cerbos":{"call_id":"01GZGDCQJ91JC8WBGS52T48GWZ"},"error":"failed to parse JWT: key provider 0 failed: failed to find key with key ID \"a3RRnlKKn1hs9E9b_SzgBmgzS18\" in key set"}
Right, so this error suggests that your JWT is signed with a key that does not exist in the key set you have configured Cerbos with.
I supposed that would be the meaning, the issue is that I'm fairly sure it is the same key so I'm probably not passing it properly to Cerbos. Just to make sure - I need to base64encode the whole body of the PEM-encoded public key (------BEGIN PUBLIC KEY------ etcetc ------END PUBLIC KEY) and set data to this value and pem to true?
Oh, it needs to be a JWK(S). So, essentially a JSON object describing the key. Here's an example: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties
It looks like you're using FusionAuth. You might be able to get the keyset by accessing
on the server. (I am not a FusionAuth expert, so I could be wrong here.)
Using the jwks endpoint worked! This means that Fusion is not using the key I thought it was...I'll look into that separately. Thanks a lot!