
When unable to get JWKS, JWTAuth swallows the underlying exception and only logs the last message

See original GitHub issue

https://github.com/ktorio/ktor/blob/2406dc5b5970205593efa51867c0e5a05f149210/ktor-features/ktor-auth-jwt/jvm/src/io/ktor/auth/jwt/JWTAuth.kt#L164

When unable to retrieve the JWKS, JWTAuth swallows the underlying exception and only logs the message.

This means we only get to see: TRACE io.ktor.auth.jwt - Failed to get JWK: Failed to get key with kid 1

When the stack trace is:

com.auth0.jwk.SigningKeyNotFoundException: Failed to get key with kid 1
Caused by: com.auth0.jwk.SigningKeyNotFoundException: Cannot obtain jwks from url https://localhost:2222/jwks
Caused by: java.net.ConnectException: Connection refused (Connection refused)

Simple example to reproduce:

import com.auth0.jwk.JwkProviderBuilder
import io.ktor.application.*
import io.ktor.auth.*
import io.ktor.auth.jwt.*
import io.ktor.client.HttpClient
import io.ktor.client.engine.apache.Apache
import io.ktor.client.request.*
import io.ktor.http.ContentType
import io.ktor.response.respondText
import io.ktor.routing.*
import kotlinx.coroutines.GlobalScope
import kotlinx.coroutines.launch
import java.net.URL

// RS256 token with kid "1"; the server will try to fetch that key from the JWKS URL below and fail.
val TestJWT = "eyJraWQiOiIxIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwNjAvaXNzby9vYXV0aDIiLCJleHAiOjE3MTE4NzQ3MDAsImp0aSI6IjZvWkZWa3lGX2RSd1dpcXNhQkJkWkEiLCJpYXQiOjE1NTQxOTQ3MDAsInN1YiI6Im15dXNlciIsImF1ZCI6Ik9JREMiLCJhY3IiOiJMZXZlbDQiLCJhenAiOiJPSURDIn0.NuWfe1BZK3i-VVC1l7EIvJydd9m3Pcr2_0AanhbS3YEXSq_NWKhqtFd4qM_KUhLURTTwhNhAb43Zr2HzxGFUhnYnU4uCi95fLcw3Cq8mTM3o4I0r-pgpPTkfiheUUtOA4d43cwWpyEaBdypwO_F-VLA4zBw1oTRE_M0_G-16Q6yezpjTVBvOI7nsEWLHUZ-i10hE3V53cx2-Qm5OUOtEFF-UqqFhgBU6VSRYS5J3puWQFGlLr5hGSAW3Nll1DkJbiNaHB4y7EPnSlCPcNdZ98PXckylsiJ6nhRJXg4mke-C2WWckJ5H4dgsjeoUmXDuLekO1IrvwT1JLGJYiPwlQJw"

fun main(args: Array<String>): Unit {
    // Start the Ktor server (configured via application.conf) on its own thread.
    // Thread.run() would execute EngineMain.main synchronously and block here, so use start().
    Thread {
        io.ktor.server.netty.EngineMain.main(args)
    }.start()

    // Give the server a moment to come up, then send one request carrying the test token.
    Thread {
        println("Testing in 3 secs...")
        Thread.sleep(3000)
        println("Testing...")
        GlobalScope.launch {
            val resp = HttpClient(Apache).use { client ->
                client.get<String>(URL("http://localhost:8080/")) {
                    header("Authorization", "Bearer $TestJWT")
                }
            }
            println("RESP: $resp")
        }
    }.start()
}

@Suppress("unused") // Referenced in application.conf
@kotlin.jvm.JvmOverloads
fun Application.module(testing: Boolean = false) {
    install(Authentication) {
        jwt {
            // Nothing listens on localhost:2222, so the JWKS fetch fails with "Connection refused";
            // only the outermost message ("Failed to get key with kid 1") reaches the log.
            verifier(JwkProviderBuilder(URL("https://localhost:2222/jwks")).build(), "http://localhost:8060/isso/oauth2")
            validate { credentials ->
                if (credentials.payload.subject == "myuser") {
                    JWTPrincipal(credentials.payload)
                } else {
                    log.info("${credentials.payload.subject} is not authorized to use this app, denying access")
                    null
                }
            }
        }
    }
    routing {
        authenticate {
            get("/") {
                call.respondText("HELLO WORLD!", contentType = ContentType.Text.Plain)
            }
        }
    }
}
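The root cause in the trace above (a ConnectException) never reaches the Ktor log, which makes an unreachable JWKS endpoint indistinguishable from a genuinely unknown kid. One practical workaround that does not depend on what the JWT feature itself logs is to decorate the JwkProvider you hand to verifier() so the full cause chain is logged at the provider boundary before the exception is rethrown. The following is an added example, not code from the issue or from the Ktor project: the names LoggingJwkProvider and causeChain() are this example's own, the logger is assumed to be SLF4J, and the JWKS URL and issuer are the placeholder values from the reproduction above.

```kotlin
// Added example (not from the Ktor issue or the Ktor code base): wrap the
// JwkProvider handed to Ktor so the complete cause chain of a JWKS lookup
// failure is logged before the exception is rethrown. LoggingJwkProvider and
// causeChain() are names invented for this example; the JWKS URL and issuer
// are the placeholder values used in the reproduction above.
import com.auth0.jwk.Jwk
import com.auth0.jwk.JwkException
import com.auth0.jwk.JwkProvider
import com.auth0.jwk.JwkProviderBuilder
import com.auth0.jwk.SigningKeyNotFoundException
import io.ktor.application.*
import io.ktor.auth.*
import io.ktor.auth.jwt.*
import org.slf4j.LoggerFactory
import java.net.ConnectException
import java.net.URL

/** One line per level of the cause chain, outermost first; stops if the chain is cyclic. */
fun Throwable.causeChain(): String {
    val lines = ArrayList<String>()
    val seen = HashSet<Throwable>()
    var t: Throwable? = this
    while (t != null && seen.add(t)) {
        val prefix = if (lines.isEmpty()) "" else "caused by: "
        lines.add("$prefix${t.javaClass.name}: ${t.message}")
        t = t.cause
    }
    return lines.joinToString("\n")
}

/** Decorates a JwkProvider; Ktor still receives exactly the exception it would otherwise. */
class LoggingJwkProvider(private val delegate: JwkProvider) : JwkProvider {
    private val log = LoggerFactory.getLogger(LoggingJwkProvider::class.java)

    override fun get(keyId: String): Jwk {
        try {
            return delegate.get(keyId)
        } catch (e: JwkException) {
            // Ktor logs only e.message ("Failed to get key with kid 1"). The chain
            // below separates an unreachable JWKS endpoint from an unknown kid,
            // which is the operational signal worth alerting on.
            log.warn("JWKS lookup failed for kid={}:\n{}", keyId, e.causeChain())
            throw e
        }
    }
}

fun Application.module() {
    // Assumed endpoint and issuer (placeholders from the reproduction above).
    val jwks = LoggingJwkProvider(JwkProviderBuilder(URL("https://localhost:2222/jwks")).build())
    install(Authentication) {
        jwt {
            verifier(jwks, "http://localhost:8060/isso/oauth2")
            validate { credentials ->
                if (credentials.payload.subject == "myuser") JWTPrincipal(credentials.payload) else null
            }
        }
    }
}

/** Stand-alone check of causeChain() on a constructed chain shaped like the one in the report. */
fun main() {
    val root = ConnectException("Connection refused (Connection refused)")
    val fetch = SigningKeyNotFoundException("Cannot obtain jwks from url https://localhost:2222/jwks", root)
    val top = SigningKeyNotFoundException("Failed to get key with kid 1", fetch)
    println(top.causeChain())
}
```

Because the wrapper rethrows unchanged, authentication still fails exactly as before and the challenge path is unaffected; the only difference is that the WARN line now carries the whole chain, so a monitoring rule can key on the innermost class (ConnectException, UnknownHostException, an SSL handshake failure) instead of the generic kid message.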

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

1 reaction
yukukotani commented, Dec 16, 2019

It might be nice if we can handle those errors via challenge.

0 reactions
oleg-larshin commented, Aug 10, 2020

Please check the following ticket on YouTrack for follow-ups to this issue. GitHub issues will be closed in the coming weeks.

