
Unexpected JWT auth response "badmatch" #5059

Closed
tommyli opened this issue May 17, 2024 · 7 comments

Comments

@tommyli

tommyli commented May 17, 2024

Here's the config and I'm running this under Docker.

[log]
level = debug

[chttpd]
enable_cors = true
require_valid_user_except_for_up = true
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}

[cors]
origins = *
credentials = true
methods = GET, PUT, POST, HEAD, DELETE
headers = accept, authorization, content-type, origin, referer, x-csrf-token, cache-control, x-requested-with

[couchdb]
single_node=true
uuid = 6d057d34277b409fdd27f23e6ed6527f
default_security = everyone

[jwt_auth]
required_claims = exp

[jwt_keys]
rsa:ox0hFY2jKRhMa5Q2Cs63_L1pktqKtivq0EQulGgdV0M = -----BEGIN PUBLIC KEY-----\nMIICtTCCAZ0CBgGIUGyY2zANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNiaW9pbmZvbWV0aG9kcy10ZXN0MB4XDTIzMDUyNTAwNTkzNFoXDTMzMDUyNTAxMDExNFowHjEcMBoGA1UEAwwTYmlvaW5mb21ldGhvZHMtdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALQRdgwoLJXWunAFCHZzMjY410kMTmVjoFoFRtUL6UJUqXhkhepqqM4JhoGk3Lc7RpXnzcA+7DWt3HQGlFHcOwiNZ3BOv3ZNyQwRCgc0jpI8OCtYCBPH2jjZUvukTKBnMP6ld4iW5i81b7J3ufxFcEldCDqQq/JabH6EFmAAm3Hs/ah6g+x4s4ipdAZ/yd4fuDCGNzc0Mh/sYOh4OnZ5c2Qh+nrw5L1mRbS0H6TC/vL1HOVd5iTT1MZKtK18pyHBJsiXc2FNAXFYU2/qiLFE9TTc5tKm9V+FbYHPBKZafvELRNtKAaPGSDp4NgQDey/+JFT8SEdmOGGVEdmVspVjHhUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAKWxq/h3VtzKFMFlUmyKD+dlOsx0p1zDtHgoTUZC6lDHDhfWMv5216I0+uVazXjqixi/xJdZtQchXthXulUzjHMs6tm/+wMgREf2uDoGDQeWveVIUZQpG+X1M2JQ1hw4Su+jKIhwOZey+/VcmTsL0ZaVqW3q1C1X5TUPCuW3zf/sQyr2blbOquWWoQuCOY3PNN6frnox3tSMzT4PUqVRfh/TqhbfL7mPhqwPOfEDbQPmIleMIcvEfiPtAalmduD49od9U35yCBeZlt6baQnQm9lI0YG29gjpiwQ/ZiFCoV+3t76NDeBPgH/XNA9bFTDoiEPfyzKOqPGML1MJvOvTOyg==\n-----END PUBLIC KEY-----\n

[admins]
admin = -pbkdf2-30ee3c0240b4e9c1533ed6671a61c37a88d284c7,bef7d0e2b9283d3a331bff3ad90a2a10,10

Here's the curl test and output.

curl -L -H "Authorization: Bearer $IDTOKEN" http://localhost:5984/_session

< HTTP/1.1 500 Internal Server Error
< Cache-Control: must-revalidate
< Content-Length: 1062
< Content-Type: application/json
< Date: Fri, 17 May 2024 15:37:56 GMT
< Server: CouchDB/3.3.3 (Erlang OTP/24)
< X-Couch-Request-ID: 5ae5a78a5a
< X-Couch-Stack-Hash: 655401945
< X-CouchDB-Body-Time: 0
<
{"error":"badmatch","reason":"{error,{asn1,{{wrong_tag,{{expected,6},{got,2,{2,<<1,136,80,108,152,219>>}}}},\n              [{'OTP-PUB-KEY',match_tags,2,\n                              [{file,\"OTP-PUB-KEY.erl\"},{line,23999}]},\n               {'OTP-PUB-KEY',decode_object_identifier,2,\n                              [{file,\"OTP-PUB-KEY.erl\"},{line,23557}]},\n               {'OTP-PUB-KEY',dec_AlgorithmIdentifier,2,\n                              [{file,\"OTP-PUB-KEY.erl\"},{line,14558}]},\n               {'OTP-PUB-KEY',dec_SubjectPublicKeyInfo,2,\n                              [{file,\"OTP-PUB-KEY.erl\"},{line,15014}]},\n               {'OTP-PUB-KEY',decode,2,[{file,\"OTP-PUB-KEY.erl\"},{line,1232}]},\n               {public_key,der_decode,2,[{file,\"public_key.erl\"},{line,358}]},\n               {public_key,pem_entry_decode,1,\n                           [{file,\"public_key.erl\"},{line,226}]},\n               {jwtf_keystore,get_from_config,2,\n                              [{file,\"src/jwtf_keystore.erl\"},{line,120}]}]}}}","ref":655401945}
* Connection #0 to host localhost left intact

What does this mean? Even if my configuration is incorrect, this kind of error is a bit cryptic to understand.

@big-r81
Contributor

big-r81 commented May 17, 2024

Hi,

can you paste your JWT token?

@rnewson
Member

rnewson commented May 17, 2024

I think it's a decode error for the public key in the config, @big-r81

we don't need the token

@rnewson
Member

rnewson commented May 17, 2024

we should catch and rethrow as something more presentable, but the config is wrong.

@rnewson
Member

rnewson commented May 17, 2024

4> public_key:pem_decode(BinPEM).
[{'SubjectPublicKeyInfo',<<48,130,2,181,48,130,1,157,2,6,
                           1,136,80,108,152,219,48,13,6,9,
                           42,134,72,134,247,13,...>>,
                         not_encrypted}]
5> [PEMEntry] =public_key:pem_decode(BinPEM).
[{'SubjectPublicKeyInfo',<<48,130,2,181,48,130,1,157,2,6,
                           1,136,80,108,152,219,48,13,6,9,
                           42,134,72,134,247,13,...>>,
                         not_encrypted}]
6> public_key:pem_entry_decode(PEMEntry).
** exception error: no match of right hand side value {error,{asn1,{{wrong_tag,{{expected,6},
                                                                                {got,2,{2,<<1,136,80,108,152,219>>}}}},
                                                                    [{'OTP-PUB-KEY',match_tags,2,
                                                                                    [{file,"OTP-PUB-KEY.erl"},{line,23999}]},
                                                                     {'OTP-PUB-KEY',decode_object_identifier,2,
                                                                                    [{file,"OTP-PUB-KEY.erl"},{line,23557}]},
                                                                     {'OTP-PUB-KEY',dec_AlgorithmIdentifier,2,
                                                                                    [{file,"OTP-PUB-KEY.erl"},{line,14558}]},
                                                                     {'OTP-PUB-KEY',dec_SubjectPublicKeyInfo,2,
                                                                                    [{file,"OTP-PUB-KEY.erl"},{line,15014}]},
                                                                     {'OTP-PUB-KEY',decode,2,
                                                                                    [{file,"OTP-PUB-KEY.erl"},{line,1232}]},
                                                                     {public_key,der_decode,2,
                                                                                 [{file,"public_key.erl"},{line,358}]},
                                                                     {public_key,pem_entry_decode,1,
                                                                                 [{file,"public_key.erl"},{line,226}]},
                                                                     {erl_eval,do_apply,6,[{file,"erl_eval.erl"},{line,689}]}]}}}
     in function  public_key:der_decode/2 (public_key.erl, line 362)
     in call from public_key:pem_entry_decode/1 (public_key.erl, line 226)
7>

@tommyli
Author

tommyli commented May 17, 2024

OK, thanks for confirming that the key config is wrong; I worked out what happened.

I'm using Keycloak, and I used the certificate instead of the public key from the realm settings. The cryptic error probably comes from trying to parse a public key when it was given a certificate; the error {"error":"bad_request","reason":"not an RSA public key"} is a lot more meaningful as soon as I used -----BEGIN CERTIFICATE----- instead of -----BEGIN PUBLIC KEY-----.

It's working now, thanks for your help.

@tommyli tommyli closed this as completed May 17, 2024
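An added example (not CouchDB's code and not from anyone in this thread) that shows where the badmatch above comes from and checks a PEM before it goes into [jwt_keys]: a SubjectPublicKeyInfo and a Certificate both decode as SEQUENCE { SEQUENCE { ... } }, but the inner SEQUENCE opens with an OID (tag 6) in a public key and with the INTEGER serial (tag 2) in a v1 certificate, which is exactly the {expected,6},{got,2} in the error. It also pulls the SubjectPublicKeyInfo out of a certificate to produce the PUBLIC KEY PEM the config needs; the DER helpers and the certificate-shaped sample are constructed here, not taken from Keycloak or CouchDB.

```python
import base64
import re

def tlv(tag: int, body: bytes) -> bytes:  # encode one DER TLV with a minimal-length encoding
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def children(buf: bytes) -> list:  # split a constructed DER value's content into (tag, content) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def pem_to_der(pem: str) -> tuple:  # accepts real newlines or the literal '\n' escapes of a [jwt_keys] value
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    return m.group(1), base64.b64decode(re.sub(r"\\n|\s", "", m.group(2)))

def der_to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"

def classify(der: bytes) -> str:  # both start SEQUENCE { SEQUENCE { ... } }; the first tag inside tells them apart
    (outer_tag, outer), = children(der)
    inner_tag, inner = children(outer)[0]
    if outer_tag != 0x30 or inner_tag != 0x30:
        return "unknown"
    first = children(inner)[0][0]
    if first == 0x06:           # AlgorithmIdentifier opens with an OID: the tag 6 the decoder expected
        return "SubjectPublicKeyInfo"
    if first in (0xA0, 0x02):   # TBSCertificate opens with [0] version or INTEGER serial: the tag 2 it got
        return "Certificate"
    return "unknown"

def spki_from_certificate(cert_der: bytes) -> bytes:  # v1 certs have no version field, so SPKI sits one slot earlier
    tbs = children(children(children(cert_der)[0][1])[0][1])
    return tlv(0x30, tbs[6 if tbs[0][0] == 0xA0 else 5][1])

# Constructed sample (not a real key): a v1, certificate-shaped DER wrapped around a tiny RSA SPKI.
RSA_WITH_NULL = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"
SPKI = tlv(0x30, tlv(0x30, RSA_WITH_NULL) + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, b"\x00\xc3\x5b") + tlv(0x02, b"\x01\x00\x01"))))
TBS = tlv(0x30, tlv(0x02, b"\x01\x88\x50") + tlv(0x30, RSA_WITH_NULL) + tlv(0x30, b"") * 3 + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, RSA_WITH_NULL) + tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    print({lbl: classify(der) for lbl, der in (("PUBLIC KEY", SPKI), ("CERTIFICATE", CERT))})
    print(der_to_pem("PUBLIC KEY", spki_from_certificate(CERT)))  # the form [jwt_keys] actually needs
```

Feeding a real Keycloak realm certificate through pem_to_der and classify reports "Certificate" before CouchDB ever sees it, and spki_from_certificate gives the PUBLIC KEY value to configure instead.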
@rnewson
Member

rnewson commented May 17, 2024

:)

@rnewson
Member

rnewson commented May 17, 2024

yup, error handling is poor here, we'll improve it.
