Title
a
Alex Tuca
05/03/2023, 7:04 AMHi! Is there any way I can debug a policy while running? The tests that I wrote for it pass but it does not while running live and I can't quite figure out what the difference is between the requests. (moved from community, posted there by mistake)
r
Rob Crowe
05/03/2023, 7:21 AMWe usually use the audit logs to help with this; it will output the principal, resource values so you can check what values you're seeing compared to what you expected in your policies.
a
Alex Tuca
05/03/2023, 8:12 AMThanks! Now I've tried to use a custom config but I get an error regarding the JWT - "failed to find key with ID" but I don't get where it's getting that ID from. Is it generated automatically?
r
Rob Crowe
05/03/2023, 8:17 AMhttps://docs.cerbos.dev/cerbos/latest/configuration/auxdata.html
I'm assuming it's the
kidc
Charith (Cerbos)
05/03/2023, 8:22 AMFor debugging, you can add
includeMeta--verbosea
Alex Tuca
05/03/2023, 8:29 AMYou are right, it's the kid claim - I can't realize though why it does not match, since I've set the data to the base64-encoded public key and set pem to true...
c
Charith (Cerbos)
05/03/2023, 8:40 AMCan you post your configuration file here with the sensitive values blanked out?
a
Alex Tuca
05/03/2023, 8:42 AMaudit:accessLogsEnabled: truebackend: 'file'decisionLogsEnabled: truefile:path: stdoutauxData:jwt:keySets:- id: ${KEY_KID} # kid claim from the JWTlocal:data: ${FUSION_SIGN_KEY}pem: trueserver:httpListenAddr: ":3592"storage:driver: "disk"disk:directory: "/config/policies"watchForChanges: truelogRequestPayloads: truec
Charith (Cerbos)
05/03/2023, 8:46 AMAh, the keySet ID in Cerbos config is not your KID. It's just any identifier you'd like to use to identify that particular key set. If you have multiple key sets, we find the correct one to use based on the
auxData.keySetIdIf you only have one key set, then you don't need to send
keySetIda
Alex Tuca
05/03/2023, 8:57 AMAt first I had it set to "default" (I'm not sending any keySetId in the request), I've changed it now since I saw the error hoping that it would fi it. Unfortunately, it didn't
c
Charith (Cerbos)
05/03/2023, 8:58 AMWhat's the full error message?
a
Alex Tuca
05/03/2023, 8:59 AM{"log.level":"error","@timestamp":"2023-05-03T08:59:17.969Z","log.logger":"cerbos.grpc","message":"Failed to extract auxData","grpc.start_time":"2023-05-03T08:59:17Z","system":"grpc","span.kind":"server","grpc.service":"cerbos.svc.v1.CerbosService","grpc.method":"CheckResources","peer.address":"192.168.112.1:58118","cerbos":{"call_id":"01GZGDCQJ91JC8WBGS52T48GWZ"},"error":"failed to parse JWT: key provider 0 failed: failed to find key with key ID \"a3RRnlKKn1hs9E9b_SzgBmgzS18\" in key set"}c
Charith (Cerbos)
05/03/2023, 9:03 AMRight, so this error suggests that your JWT is signed with a key that does not exist in the key set you have configured Cerbos with.
a
Alex Tuca
05/03/2023, 9:15 AMI supposed that would be the meaning, the issue is that I'm fairly sure it is the same key so I'm probably not passing it properly to Cerbos. Just to make sure - I need to base64encode the whole body of the PEM-encoded public key (------BEGIN PUBLIC KEY------ etcetc ------END PUBLIC KEY) and set data to this value and pem to true?
c
Charith (Cerbos)
05/03/2023, 9:21 AMOh, it needs to be a JWK(S). So, essentially a JSON object describing the key. Here's an example: https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties
It looks like you're using FusionAuth. You might be able to get the keyset by accessing
/.well-known/jwks.jsona
Alex Tuca
05/03/2023, 9:35 AMUsing the jwks endpoint worked! This means that Fusion is not using the key I thought it was...I'll look into that separately. Thanks a lot!