From 8efad1d170d0c956652cb86fa9a6923a5e1e0f5e Mon Sep 17 00:00:00 2001
From: Maycon Santos
Date: Fri, 29 Nov 2024 10:06:40 +0100
Subject: [PATCH] Add guide when signing key is not found (#2942)

Some users face issues with their IdP due to signing key not being refreshed With this change we advise users to configure key refresh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* removing leftover

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 management/server/jwtclaims/jwtValidator.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/management/server/jwtclaims/jwtValidator.go b/management/server/jwtclaims/jwtValidator.go
index d5c1e7c9e..b91616fa5 100644
--- a/management/server/jwtclaims/jwtValidator.go
+++ b/management/server/jwtclaims/jwtValidator.go
@@ -77,6 +77,8 @@ type JWTValidator struct {
 options Options
 }
 
+var keyNotFound = errors.New("unable to find appropriate key")
+
 // NewJWTValidator constructor
 func NewJWTValidator(ctx context.Context, issuer string, audienceList []string, keysLocation string, idpSignkeyRefreshEnabled bool) (*JWTValidator, error) {
 keys, err := getPemKeys(ctx, keysLocation)
@@ -124,12 +126,18 @@ func NewJWTValidator(ctx context.Context, issuer string, audienceList []string,
 }
 
 publicKey, err := getPublicKey(ctx, token, keys)
-if err != nil {
-log.WithContext(ctx).Errorf("getPublicKey error: %s", err)
-return nil, err
+if err == nil {
+return publicKey, nil
 }
 
-return publicKey, nil
+msg := fmt.Sprintf("getPublicKey error: %s", err)
+if errors.Is(err, keyNotFound) && !idpSignkeyRefreshEnabled {
+msg = fmt.Sprintf("getPublicKey error: %s. You can enable key refresh by setting HttpServerConfig.IdpSignKeyRefreshEnabled to true in your management.json file and restart the service", err)
+}
+
+log.WithContext(ctx).Error(msg)
+
+return nil, err
 },
 EnableAuthOnOptions: false,
 }
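Review bot: The new sentinel `keyNotFound` in the first hunk has no doc comment and does not follow the Go convention of an `err` prefix for error variables, so `errors.Is(err, keyNotFound)` in the second hunk reads like a boolean check rather than an error comparison. Rename it to `errKeyNotFound` and document it, e.g. `// errKeyNotFound is returned by getPublicKey when none of the JWKS keys can be used for the token.` (the exact matching rule should be confirmed against getPublicKey, whose body is only partly visible in this patch). The rename touches the declaration, the `errors.Is` call in NewJWTValidator and the return at the end of getPublicKey in the third hunk.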
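Review bot: The operator hint assigned on the `msg =` line is written at Error level every time a token's key cannot be resolved, and because this key function is invoked per validated token the same multi-line guidance will repeat for every affected request until the configuration is changed. Consider logging the hint only once per validator (a `sync.Once` held by the JWTValidator would do) and keeping the per-request line to the bare error, which also keeps log volume predictable when many requests carry tokens the server cannot verify. The two near-identical Sprintf calls can also collapse into a single call: `log.WithContext(ctx).Errorf("getPublicKey error: %s%s", err, hint)` with `hint` set only inside the `errors.Is` branch. The enclosing key function literal starts before this hunk, so the surrounding closure and its captured variables are not visible here.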
@@ -229,7 +237,7 @@ func getPublicKey(ctx context.Context, token *jwt.Token, jwks *Jwks) (interface{
 log.WithContext(ctx).Debugf("Key Type: %s not yet supported, please raise ticket!", jwks.Keys[k].Kty)
 }
 
-return nil, errors.New("unable to find appropriate key")
+return nil, keyNotFound
 }
 
 func getPublicKeyFromECDSA(jwk JSONWebKey) (publicKey *ecdsa.PublicKey, err error) {
@@ -310,4 +318,3 @@ func getMaxAgeFromCacheHeader(ctx context.Context, cacheControl string) int {
 
 return 0
 }
-