OpenMetadata/openmetadata-docs/content/v1.6.x/deployment/security/jwt-troubleshooting.md

---
title: JWT validation Troubleshooting
slug: /deployment/security/jwt-troubleshooting
collate: false
---
# JWT Troubleshooting

Add the `{domain}:{port}/api/v1/sytem/config/jwks` in the list of publicKeys

```yaml
  authentication:
    provider: "google"
    publicKeys:
    - "https://www.googleapis.com/oauth2/v3/certs"
    - "http://localhost:8585/api/v1/system/config/jwks" (your domain and port)
```

This config with `"http://localhost:8585/api/v1/system/config/jwks"` is the default behavior. If you are configuring and expecting a JWT token to work, configuring with that extra URL is required.

JWT Tokens are issued by private certificates.

We need public keys to decrypt it and get that token's user name, expiry time, etc.

In OpenMetadata users can enable SSO for users to login and use JWT tokens issued by OpenMetadata for bots
The way OpenMetadata issues a JWT Token is using this [config](https://github.com/open-metadata/OpenMetadata/blob/main/conf/openmetadata.yaml#L155). It uses the `rsapublicKeyFilePath` file to generate a token.

When the ingestion workflow uses this token, we use `rsapublicKeyPath` to decrypt it. The way we do this is using the response from this endpoint `http://localhost:8585/api/v1/system/config/jwks`.


## Get JWT token from UI.

First Open Open-Metadata UI than go to settings > Bots > Ingestion Bot

{% image
  src="/images/v1.6/deployment/troubleshoot/jwt-token.png"
  alt="jwt-token"
  caption="JWT token in OpenMetadata UI"
 /%}

You can validate that in [jwt.io](https://jwt.io/). if there's something wrong on how the JWT token was generated.


{% image
  src="/images/v1.6/deployment/troubleshoot/jwt-validation.png"
  alt="jwt.io"
  caption="jwt.io tool for validating JWT claims"
 /%}

### Resolving the "Failed in filtering request: Not Authorized! Token not present" Error

If you encounter the error message **"Failed in filtering request: Not Authorized! Token not present"**, verify the **`enableSecureSocketConnection`** environment setting.

Ensure that **`enableSecureSocketConnection: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}`** is set to `false` if it is currently set to `true`.
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`---`
			`title: JWT validation Troubleshooting`
			`slug: /deployment/security/jwt-troubleshooting`
DOCS - OSS deployment is flagged as Collate False (#17722) 2024-09-05 10:30:31 +02:00			`collate: false`
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`---`
			`# JWT Troubleshooting`

			Add the `{domain}:{port}/api/v1/sytem/config/jwks` in the list of publicKeys

			```yaml
			`authentication:`
			`provider: "google"`
			`publicKeys:`
			`- "https://www.googleapis.com/oauth2/v3/certs"`
			`- "http://localhost:8585/api/v1/system/config/jwks" (your domain and port)`
			```

			This config with `"http://localhost:8585/api/v1/system/config/jwks"` is the default behavior. If you are configuring and expecting a JWT token to work, configuring with that extra URL is required.

			`JWT Tokens are issued by private certificates.`

			`We need public keys to decrypt it and get that token's user name, expiry time, etc.`

			`In OpenMetadata users can enable SSO for users to login and use JWT tokens issued by OpenMetadata for bots`
			The way OpenMetadata issues a JWT Token is using this [config](https://github.com/open-metadata/OpenMetadata/blob/main/conf/openmetadata.yaml#L155). It uses the `rsapublicKeyFilePath` file to generate a token.

			When the ingestion workflow uses this token, we use `rsapublicKeyPath` to decrypt it. The way we do this is using the response from this endpoint `http://localhost:8585/api/v1/system/config/jwks`.


			`## Get JWT token from UI.`

			`First Open Open-Metadata UI than go to settings > Bots > Ingestion Bot`

			`{% image`
DOCS - Use the right partials and images dirs for 1.6 (#18917) 2024-12-04 11:44:41 +01:00			`src="/images/v1.6/deployment/troubleshoot/jwt-token.png"`
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`alt="jwt-token"`
			`caption="JWT token in OpenMetadata UI"`
			`/%}`

			`You can validate that in [jwt.io](https://jwt.io/). if there's something wrong on how the JWT token was generated.`


			`{% image`
DOCS - Use the right partials and images dirs for 1.6 (#18917) 2024-12-04 11:44:41 +01:00			`src="/images/v1.6/deployment/troubleshoot/jwt-validation.png"`
docs: add 1.5.x-SNAPSHOT (#16694) 2024-06-18 15:53:06 +02:00			`alt="jwt.io"`
			`caption="jwt.io tool for validating JWT claims"`
			`/%}`
Docs: JWT Troubleshooting Doc Updation (#18602) 2024-11-12 15:47:23 +05:30
			`### Resolving the "Failed in filtering request: Not Authorized! Token not present" Error`

			If you encounter the error message "Failed in filtering request: Not Authorized! Token not present", verify the `enableSecureSocketConnection` environment setting.

			Ensure that `enableSecureSocketConnection: ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}` is set to `false` if it is currently set to `true`.