i have the following in my cerbos config map. this means JWT verification is disabled.
doesn't seem to work because when i call the cerbos api, i get this
{"code":3, "message":"failed to extract auxData"}
in the pod's logs i can see:
cannot determine keyset to use for validating the JWT
i don't need jwt validation because that's already handled by my API gateway
btw i'm on cerbos
If verification is disabled, the signature isn’t cryptographically verified, but Cerbos always checks if the token is not expired.
the token is definitely not expired
Sorry, I missed the error message “cannot determine keyset to use for validating the JWT”
i expect cerbos to completely ignore verification, which means the issue of keysets does not even come up.
claim validation is fine - i can live with that
is my
wrongly written?
like this instead
Looks good to me. Let me think for a minute.
also, changing configmap doesn't cause cerbos deployment to restart. i have to restart it manually.
yes that did the trick @Dennis (Cerbos). my
was wrongly written
one last thing
how do i disable the generation of this?
Do you mean the schema? I think it is embedded in the Cerbos binary.
yes the schema web page
does it redirect to some url path? i have istio in place and i can block that
I don’t think we have a setting to turn this off. Let me look for a way to work around this. May I ask why you want to disable this page?
for security purposes
cerbos is exposed on the internet
i do not want people guessing and knowing that it's cerbos running behind that IP address
it's a minor issue, really, but would be nice if i could disable it.
not a very high priority ask.
I see. Thanks for taking the time to explain it.
i know how to block it with istio.
that schema page is generated when you visit cerbos at the
folder. i wrote an istio rule to block access to it and it works