i have the following in my cerbos config map this means JWT

Question

i have the following in my cerbos config map this means JWT verification is disabled

Jesum Yip · Answer

doesn t seem to work because when i call the cerbos api i get this ` code 3 message failed to extract auxData `

Jesum Yip · Answer

in the pod s logs i can see

Jesum Yip · Answer

`cannot determine keyset to use for validating the JWT`

Jesum Yip · Answer

i don t need jwt validation because that s already handled by my API gateway

Jesum Yip · Answer

btw i m on cerbos `v0 24`

Dennis (Cerbos) · Answer

If verification is disabled the signature isn t cryptographically verified but Cerbos always checks if the token is not expired

Jesum Yip · Answer

image png

Jesum Yip · Answer

the token is definitely not expired

Dennis (Cerbos) · Answer

Sorry I missed the error message cannot determine keyset to use for validating the JWT

Jesum Yip · Answer

i expect cerbos to completely ignore verification which means the issue of keysets do not even come up

Jesum Yip · Answer

`exp` claim validation is fine i can live with that

Jesum Yip · Answer

is my `configMap` wrongly written

Jesum Yip · Answer

like this instead

Dennis (Cerbos) · Answer

Looks good to me Let me think for a minute

Jesum Yip · Answer

also changing configmap doesn t cause cerbos deployment to restart i have to restart it manually

Jesum Yip · Answer

yes that did the trick < Dennis Cerbos > my `configMap` was wrongly written

Jesum Yip · Answer

one last thing

Jesum Yip · Answer

how do i disable the generation of this

Dennis (Cerbos) · Answer

Do you mean the schema I think it is embedded in the Cerbos binary

Jesum Yip · Answer

yes the schema web page

Jesum Yip · Answer

does it redirect to some url path i have istio in place and i can block that

Dennis (Cerbos) · Answer

I don t think we have a setting to turn this off Let me look for a way to work around this May I ask why do you want to disable this page

Jesum Yip · Answer

for security purposes

Jesum Yip · Answer

cerbos is exposed on the internet

Jesum Yip · Answer

i do not want people guessing and knowing that it s cerbos running behind that IP address

Jesum Yip · Answer

it s a minor issue really but would be nice if i could disable it

Jesum Yip · Answer

not a very high priority ask

Dennis (Cerbos) · Answer

I see Thanks for taking the time to explain it

Jesum Yip · Answer

i know how to block it with istio

Jesum Yip · Answer

that schema page is generated when you visit cerbos at the ` ` folder i wrote an istio rule to block access to it and it works