mirror of
				https://github.com/open-metadata/OpenMetadata.git
				synced 2025-10-31 02:29:03 +00:00 
			
		
		
		
	 fb548fc577
			
		
	
	
		
			
		
	
	
	
	
		
			
			* Add: JWT validation troubleshooting * Add: GKE troubleshooting * Add: GKE troubleshooting * Update openmetadata-docs/content/deployment/kubernetes/gke-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/kubernetes/gke-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/security/jwt-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/security/jwt-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/security/jwt-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/security/jwt-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/kubernetes/gke-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update jwt-troubleshooting.md * Update openmetadata-docs/content/deployment/kubernetes/gke-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/security/jwt-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> * Update openmetadata-docs/content/deployment/security/jwt-troubleshooting.md Co-authored-by: Nahuel <nahuel@getcollate.io> Co-authored-by: Nahuel <nahuel@getcollate.io>
		
			
				
	
	
		
			50 lines
		
	
	
		
			1.7 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
		
	
	
	
	
	
---
title: JWT validation Troubleshooting
slug: /deployment/security/jwt-troubleshooting
---
# JWT Troubleshooting

Add `{domain}:{port}/api/v1/config/jwks` to the list of `publicKeys`:

```yaml
  authentication:
    provider: "google"
    publicKeys:
    - "https://www.googleapis.com/oauth2/v3/certs"
    - "http://localhost:8585/api/v1/config/jwks"  # your domain and port
```

The `"http://localhost:8585/api/v1/config/jwks"` entry is the default behavior. If you are configuring authentication and expect a JWT token to work, that extra URL is required.

JWT tokens are signed with a private key.

We need the public keys to validate a token and read its user name, expiry time, etc.

In OpenMetadata, you can enable SSO for users to log in, and use JWT tokens issued by OpenMetadata for bots.
OpenMetadata issues a JWT token using this [config](https://github.com/open-metadata/OpenMetadata/blob/main/conf/openmetadata.yaml#L155). It uses the `rsapublicKeyFilePath` file to generate a token.

When the ingestion workflow uses this token, we use `rsapublicKeyPath` to validate it, based on the response from this endpoint: `http://localhost:8585/api/v1/config/jwks`.

## Get the JWT token from the UI

First, open the OpenMetadata UI, then go to Settings > Bots > Ingestion Bot.

<div className="w-100 flex justify-center">
<Image
  src="/images/deployment/troubleshoot/jwt-token.png"
  alt="jwt-token"
  caption="JWT token in OpenMetadata UI"
/>
</div>

You can inspect the token in [jwt.io](https://jwt.io/) to check whether something is wrong with how the JWT token was generated.

<div className="w-100 flex justify-center">
<Image
  src="/images/deployment/troubleshoot/jwt-validation.png"
  alt="jwt.io"
  caption="jwt.io tool for validating JWT claims"
/>
</div>
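
The same inspection can be done offline, together with a check that the token's key id is served by one of the configured `publicKeys` URLs. This is an added example, not code from the OpenMetadata project: the function names, the sample token and the key ids are constructed, and it assumes the token header carries a `kid` that matches a `kid` in the JWKS response.

```python
import base64
import json
import time

def decode_segment(segment):
    """Decode one base64url JWT segment (header or payload) into a dict."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def diagnose(token, jwks_by_url, now=None):
    """List reasons validation would fail; the signature itself is NOT verified.
    jwks_by_url maps each configured publicKeys URL to the JSON fetched from it."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    kid = header.get("kid")
    hits = [url for url, doc in jwks_by_url.items()
            if any(key.get("kid") == kid for key in doc.get("keys", []))]
    if kid is None:
        problems.append("header has no kid")
    elif not hits:
        problems.append(f"kid {kid!r} not found in any configured publicKeys URL")
    exp = claims.get("exp")
    if exp is not None and exp <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems

def make_segment(obj):
    """Encode a dict as an unpadded base64url segment (used for sample data)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: not a real token, key id or signature.
SAMPLE_TOKEN = ".".join([
    make_segment({"alg": "RS256", "typ": "JWT", "kid": "om-bot-key"}),
    make_segment({"sub": "ingestion-bot", "exp": 4102444800}),  # 2100-01-01 UTC
    "c2lnbmF0dXJl",  # placeholder where the signature would be
])
GOOGLE_ONLY = {"https://www.googleapis.com/oauth2/v3/certs":
               {"keys": [{"kid": "google-key-1"}]}}
WITH_OM = {**GOOGLE_ONLY, "http://localhost:8585/api/v1/config/jwks":
           {"keys": [{"kid": "om-bot-key"}]}}
```

With only the Google URL configured, `diagnose(SAMPLE_TOKEN, GOOGLE_ONLY)` reports the missing key id; adding the OpenMetadata JWKS URL clears it.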