i have the following in my cerbos config map this means JWT Cerbos Community #help

Join Slack

i have the following in my cerbos config map. this...

# help

Jesum Yip

01/16/2023, 5:11 AM

i have the following in my cerbos config map. this means JWT verification is disabled.

Jesum Yip

01/16/2023, 5:12 AM

doesn't seem to work because when i call the cerbos api, i get this

{"code":3, "message":"failed to extract auxData"}

Jesum Yip

01/16/2023, 5:12 AM

in the pod's logs i can see:

Jesum Yip

01/16/2023, 5:12 AM

cannot determine keyset to use for validating the JWT

Jesum Yip

01/16/2023, 5:13 AM

i don't need jwt validation because that's already handled by my API gateway

Jesum Yip

01/16/2023, 5:13 AM

btw i'm on cerbos

v0.24

Dennis (Cerbos)

01/16/2023, 5:16 AM

If verification is disabled, the signature isn’t cryptographically verified, but Cerbos always checks if the token is not expired.

Jesum Yip

01/16/2023, 5:17 AM

image.png

Jesum Yip

01/16/2023, 5:17 AM

the token is definitely not expired

Dennis (Cerbos)

01/16/2023, 5:19 AM

Sorry, I missed the error message “cannot determine keyset to use for validating the JWT”

Jesum Yip

01/16/2023, 5:20 AM

i expect cerbos to completely ignore verification, which means the issue of keysets do not even come up.

Jesum Yip

01/16/2023, 5:20 AM

exp

claim validation is fine - i can live with that

Jesum Yip

01/16/2023, 5:22 AM

is my

configMap

wrongly written?

Jesum Yip

01/16/2023, 5:23 AM

like this instead

Dennis (Cerbos)

01/16/2023, 5:24 AM

Looks good to me. Let me think for a minute.

Jesum Yip

01/16/2023, 5:25 AM

also, changing configmap doesn't cause cerbos deployment to restart. i have to restart it manually.

Jesum Yip

01/16/2023, 5:26 AM

yes that did the trick @Dennis (Cerbos). my

configMap

was wrongly written

Jesum Yip

01/16/2023, 5:28 AM

one last thing

Jesum Yip

01/16/2023, 5:28 AM

how do i disable the generation of this?

Dennis (Cerbos)

01/16/2023, 5:32 AM

Do you mean the schema? I think it is embedded in the Cerbos binary.

Jesum Yip

01/16/2023, 5:32 AM

yes the schema web page

Jesum Yip

01/16/2023, 5:33 AM

does it redirect to some url path ? i have istio in place and i can block that

Dennis (Cerbos)

01/16/2023, 5:36 AM

I don’t think we have a setting to turn this off. Let me look for a way to work around this. May I ask why do you want to disable this page?

Jesum Yip

01/16/2023, 5:36 AM

for security purposes

Jesum Yip

01/16/2023, 5:36 AM

cerbos is exposed on the internet

Jesum Yip

01/16/2023, 5:36 AM

i do not want people guessing and knowing that it's cerbos running behind that IP address

Jesum Yip

01/16/2023, 5:37 AM

it's a minor issue, really, but would be nice if i could disable it.

Jesum Yip

01/16/2023, 5:37 AM

not a very high priority ask.

Dennis (Cerbos)

01/16/2023, 5:39 AM

I see. Thanks for taking the time to explain it.

Jesum Yip

01/16/2023, 5:42 AM

i know how to block it with istio.

Jesum Yip

01/16/2023, 5:42 AM

that schema page is generated when you visit cerbos at the

folder. i wrote an istio rule to block access to it and it works

8 Views

Open in Slack

Previous Next