Debug OAuth

  1. Make sure that the status of the external auth policy shows ACCEPTED. Note that your external auth resources might exist in a different namespace, such as gloo-mesh; adjust the -n flag in the following commands accordingly.

      kubectl get extauthpolicy oidc-auth -n gloo-mesh -o yaml
      
  2. Get the authconfig resource that was created for your policy and make sure that it shows ACCEPTED.

      kubectl get authconfig -n gloo-mesh -o yaml
      
  3. If you used environment variables, such as $CLIENT_ID or the OIDC provider's $URL, when you wrote the external auth policy, make sure that the applied policy contains the expanded values and not the literal variable names. kubectl does not expand shell variables inside a manifest file, so a literal $CLIENT_ID in the policy is sent to the OIDC provider as the client ID string. Check the applied resource with kubectl get -o yaml and search for a $ character.

  4. To get detailed logs for the external auth service, change the log level to DEBUG.

    1. Edit the external auth service.

        kubectl edit deploy -n gloo-mesh ext-auth-service
        
    2. In the spec.template.spec.containers[].env section of the deployment, find the LOG_LEVEL environment variable and set it to DEBUG.

        ...
        spec:
          containers:
          - env:
            - name: LOG_LEVEL
              value: DEBUG
        
    3. Make sure that the external auth service pod restarts. Editing the deployment triggers a rollout, so a new pod with a fresh AGE value replaces the old one.

        kubectl get po -n gloo-mesh -l app=ext-auth-service
        
  5. In a separate terminal, follow the logs of the external auth service. The inner command looks up the pod in the same namespace as the deployment so that the two commands cannot disagree when pods with the same label exist in several namespaces.

      kubectl logs -n gloo-mesh -f pods/$(kubectl get pod -n gloo-mesh -l app=ext-auth-service -o jsonpath='{.items[0].metadata.name}')
      
  6. Send the curl request that is failing and review the log lines that the external auth service prints for it. At DEBUG level, each rejected request produces a line with "msg": "no token present..." or "msg": "token validation failed" and, for the latter, an "error" field that names the cause.

Example logs of common issues and steps to resolve

Review the following example logs from the external auth server for common issues with your OAuth external auth policies.

No token present

Example log:

  {
    "level": "debug",
    "logger": "ext-auth.ext-auth-service",
    "msg": "no token present. request is not authorized"
  }
  

Steps to resolve:

The external auth service did not find an access token in the request at all, so the problem is in how the token is sent rather than in the token itself. Make sure that the request carries the access token where the policy expects it, typically in an Authorization: Bearer header, and try again.

Token validation failed with no keys in JWKS

Example log:

  {
    "level": "debug",
    "logger": "ext-auth.ext-auth-service",
    "msg": "token validation failed",
    "error": "requested ID: [Su3RMxHZhPYwifbD56Pi9zv3SC75OmxpqtZrTiD7Iz0]: JWKS does not contain any keys with requested ID: invalid token",
    "errorVerbose": "requested ID: [Su3RMxHZhPYwifbD56Pi9zv3SC75OmxpqtZrTiD7Iz0]\n\tjwt.glob..func1:/src/pkg/config/oauth/token_validation/jwt/validator.go:26\nJWKS does not contain any keys with requested ID\n\ttoken_validation.init:/src/pkg/config/oauth/token_validation/errors.go:14\ninvalid token\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6525\n\ttoken_validation.init:/src/pkg/config/oauth/token_validation/errors.go:14"
  }
  

Steps to resolve:

The requested ID in the log is the kid header of the token. The external auth service looked for a key with that kid in the configured JWKS and found none, which almost always means that the token was issued by a different authorization server than the one whose JWKS the policy points to. Make sure that the JWKS that you provided in the OAuth external auth policy is correct. For example, you might have used a JWKS from the wrong authorization server URL, either in the policy or in the endpoints that you used when deploying the frontend app for the portal server. To confirm, fetch the JWKS URL from the policy and compare the kid values that it returns with the requested ID in the log.

For more information, see the JwtValidation API docs.

Token validation failed with signing error

Example log:

  {
    "level": "debug",
    "logger": "ext-auth.ext-auth-service",
    "msg": "token validation failed",
    "error": "token was signed with [HS256], but the matching JWK with ID [sKvIXItmMfk8WPNmsOsGtv0H1DKXMUa-gq9atuH2Oo4] has alg [RS256]: algorithm mismatch: invalid token",
    "errorVerbose": "token was signed with [HS256], but the matching JWK with ID [sKvIXItmMfk8WPNmsOsGtv0H1DKXMUa-gq9atuH2Oo4] has alg [RS256]\n\tjwt.glob..func2:/src/pkg/config/oauth/token_validation/jwt/validator.go:29\nalgorithm mismatch\n\ttoken_validation.init:/src/pkg/config/oauth/token_validation/errors.go:15\ninvalid token\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6525\n\ttoken_validation.init:/src/pkg/config/oauth/token_validation/errors.go:15"
  }

  {
    "level": "debug",
    "logger": "ext-auth.ext-auth-service",
    "msg": "token validation failed",
    "error": "crypto/rsa: verification error"
  }
  

Steps to resolve:

The two log lines report different problems. The algorithm mismatch error means that the alg header of the token (HS256, a symmetric HMAC) does not match the alg that the matching JWK declares (RS256, an RSA signature). This rejection is deliberate and must not be worked around by relaxing the policy: verifying an HS256 token against an RSA public key would let anyone who can download the public JWKS forge tokens, the well-known JWT algorithm confusion attack. Instead, make sure that the authorization server issues tokens that are signed with the algorithm that its JWKS declares, such as RS256. The crypto/rsa: verification error message means that the algorithm matched but the signature did not verify with the selected key, which typically indicates a token issued by a different authorization server than the one whose JWKS is configured, or a token whose header or payload was modified after signing.

Token is expired

Example log:

  {
    "level": "debug",
    "logger": "ext-auth.ext-auth-service",
    "msg": "token validation failed",
    "error": "token is expired: invalid token",
    "errorVerbose": "token is expired\n\ttoken_validation.init:/src/pkg/config/oauth/token_validation/errors.go:17\ninvalid token\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6502\n\truntime.doInit:/usr/local/go/src/runtime/proc.go:6525\n\ttoken_validation.init:/src/pkg/config/oauth/token_validation/errors.go:17"
  }
  

Steps to resolve:

The exp claim of the token is in the past. Try refreshing your login credentials. For example, log out and log back in to the portal frontend app so that the authorization server issues a new token. If freshly issued tokens are also rejected as expired, compare the clock of the external auth service pod with the clock of the authorization server; clock skew between the two makes valid tokens look expired.
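The following script is an added example and is not part of the Gloo documentation or of the external auth service itself. It reproduces the three local checks behind the log messages above (unknown kid, algorithm mismatch, expired token) so that a token can be triaged against a JWKS before it is sent through the gateway, and it extracts the kid and algorithm details from ext-auth debug log lines. The JWKS, the tokens and the log line are constructed sample data, and the tokens carry a dummy signature: the script decodes the JWT without verifying it, so a clean result here does not rule out the crypto/rsa: verification error at the gateway.

```python
"""Offline triage for the ext-auth OAuth token validation failures.

Added example, not Gloo or ext-auth code. Decodes a JWT WITHOUT verifying
the signature and compares header/claims with a JWKS, mirroring the
"no keys with requested ID", "algorithm mismatch" and "token is expired"
checks. Signature verification is left to the gateway or a JWT library.
"""
import base64
import json
import re
import time
from typing import List, Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Return (header, claims) of a compact JWS. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def triage_token(token: str, jwks: dict, now: Optional[float] = None) -> List[str]:
    """Return the ext-auth style failure messages the local checks would produce.

    An empty list means kid, alg and exp look fine; the signature may still
    fail at the gateway ("crypto/rsa: verification error").
    """
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    problems = []

    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"JWKS does not contain any keys with requested ID [{kid}]")
    elif key.get("alg") and key["alg"] != header.get("alg"):
        # Rejecting this is correct: verifying an HS256 token against an RSA
        # public key is the JWT algorithm confusion attack.
        problems.append(
            f"token was signed with [{header.get('alg')}], but the matching JWK "
            f"with ID [{kid}] has alg [{key['alg']}]: algorithm mismatch"
        )

    exp = claims.get("exp")
    if exp is not None and now >= exp:
        problems.append("token is expired")
    return problems


KID_RE = re.compile(r"requested ID: \[([^\]]+)\]")
ALG_RE = re.compile(r"signed with \[([^\]]+)\].*has alg \[([^\]]+)\]")


def parse_ext_auth_log(line: str) -> Optional[dict]:
    """Extract kid/alg details from one ext-auth debug log line, or None if unrelated."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # kubectl logs also emits non-JSON lines; skip them
    if not str(rec.get("logger", "")).startswith("ext-auth"):
        return None
    err = rec.get("error", "")
    out = {"msg": rec.get("msg")}
    m = KID_RE.search(err)
    if m:
        out["requested_kid"] = m.group(1)
    m = ALG_RE.search(err)
    if m:
        out["token_alg"], out["jwk_alg"] = m.group(1), m.group(2)
    if "token is expired" in err:
        out["expired"] = True
    return out


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a compact JWS with a dummy signature (constructed test input only)."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"not-a-real-signature")])


# Constructed sample JWKS; "key-1" and the modulus are placeholders, not a real key.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "alg": "RS256",
                         "use": "sig", "n": "AQAB", "e": "AQAB"}]}

if __name__ == "__main__":
    tok = make_unsigned_token({"alg": "HS256", "kid": "key-1", "typ": "JWT"},
                              {"sub": "alice", "exp": 1000})
    for problem in triage_token(tok, SAMPLE_JWKS, now=2000):
        print("would fail:", problem)
```

To use it against a real setup, replace SAMPLE_JWKS with the JSON returned by the jwks_uri of your authorization server and pass the token taken from the failing request; the messages it returns are the same ones to look for in the ext-auth debug log.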