JWT Token Validation Issue in On-Premises Setup with Keycloak and DAB

[yougnoli]

Hi everyone,

I'm trying to set up an on-premises environment with no cloud dependencies, and I'm encountering issues with JWT token validation. Here's my current setup:

• Docker container for SQL Server
• Docker container for Keycloak (running on https://localhost:8443 with a self-signed certificate)
• Data API Builder (DAB) installed locally (running on https://localhost:5001)

My goal is to use DAB in combination with Keycloak for JWT authentication.

Here’s the relevant part of my DAB configuration file regarding the host:

"host": {
    "cors": {
        "origins": [
            "*"
        ],
        "allow-credentials": false
    },
    "authentication": {
        "provider": "jwt",
        "jwt": {
            "audience": "dab-client",
            "issuer": "https://localhost:8443/realms/TestDAB"
        }
    },
    "mode": "development"
}

Issue: When DAB attempts to validate the JWT token issued by Keycloak, I receive an error related to token validation, specifically with the issuer (https://localhost:8443/realms/TestDAB). I’m using a self-signed certificate for Keycloak and have imported the certificate into the Windows Server trust store where DAB is running, but the issue persists.

Has anyone experienced a similar setup? What can I do to resolve this token validation issue?

Thank you in advance for any suggestions!

[seantleonard]

Hi @yougnoli , Can you provide the exact issuer error that is printed to the console? That would help us repro and determine the exact cause of the validation failure: does it not like the cert? is the cert endpoint reachable?

When DAB attempts to validate the JWT token issued by Keycloak, I receive an error related to token validation, specifically with the issuer (https://localhost:8443/realms/TestDAB).

[yougnoli]

Hi @seantleonard ,

Thank you for your response. Here are the details you requested:

Error Details

When DAB attempts to validate the JWT token issued by Keycloak, the following error is logged in the console:

Request starting HTTP/1.1 GET https://localhost:5001/api/Order - - -
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
      Failed to validate the token.
      Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
         at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed(SecurityToken securityToken, Nullable`1 notBefore, Nullable`1 expires, IEnumerable`1 audiences, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
         at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
      Bearer was not authenticated. Failure message: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
      Bearer was not authenticated. Failure message: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[12]
      AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/1.1 GET https://localhost:5001/api/Order - 401 0 - 22.7112ms

JWT Token Payload

Below is the payload of the JWT token issued by Keycloak:

{
  "exp": 1725816431,
  "iat": 1725816131,
  "jti": "35cf9d31-569d-4178-b8f7-9c5c92bd7ac1",
  "iss": "https://localhost:8443/realms/TestDAB",
  "aud": "account",
  "sub": "29ae7040-6f89-4857-a46b-08ee19589898",
  "typ": "Bearer",
  "azp": "dab-client",
  "sid": "43cf2ac8-354c-40f7-b800-3cc44935ea0c",
  "acr": "1",
  "allowed-origins": [
    "https://localhost:5001"
  ],
  "realm_access": {
    "roles": [
      "authenticated",
      "default-roles-testdab",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "email_verified": true,
  "preferred_username": "oscar"
}

Additional Context

• The iss (issuer) value in the JWT token is "https://localhost:8443/realms/TestDAB", which matches the issuer value in the DAB configuration file.
• The self-signed certificate used by Keycloak has been imported into the Windows Server trust store where DAB is running.
• Despite this setup, DAB is still unable to validate the token and reports that validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.

Questions

1. Is there any specific configuration or step I might be missing to ensure that the issuer is correctly validated?
2. Could the self-signed certificate be causing this issue, even though it is correctly installed and trusted?
3. Are there any additional documentation or sample configurations available for integrating DAB with external JWT providers like Keycloak in an on-premises setup?

Thank you again for your help, and I appreciate any further guidance you can provide.

[yougnoli]

Solution: Setting Up DAB with SQL Server and Keycloak on Windows in an On-Premises Environment

Hi everyone,

I found a solution to the issue I was facing with JWT token validation in my on-premises setup. Below, I’ll outline the steps I took to get everything working smoothly. This setup involves running DAB on a Windows machine, SQL Server on-premises, and using Keycloak as the token provider—all configured to work over HTTPS. Note that this is a quick local setup guide intended to help others achieve a similar configuration without relying on cloud services.

1. Install DAB Locally

First, install DAB on your Windows machine (requires .NET 8). You can follow the official Microsoft guide here.

2. Set Up SQL Server

Create an on-premises SQL Server instance. This can either be on your local machine or in a Docker container. In my case, I needed it on-premises.

Here’s the SQL setup I used:

CREATE DATABASE Test;
GO

CREATE LOGIN Oscar WITH PASSWORD = 'SecurePassword123!';
GO

USE Test;
GO

CREATE USER Oscar FOR LOGIN Oscar;
GO

ALTER ROLE db_datareader ADD MEMBER Oscar;
GO

CREATE TABLE Orders (
    id INT IDENTITY(1,1) PRIMARY KEY,
    username NVARCHAR(100) NOT NULL,
    orderid INT NOT NULL,
    privacy NVARCHAR(50),
    info NVARCHAR(255)
);
GO

INSERT INTO Orders (username, orderid, privacy, info)
VALUES 
('Oscar', 1001, 'Private', 'Order details for Oscar #1'),
('Oscar', 1002, 'Public', 'Order details for Oscar #2'),
('Hannah', 2001, 'Public', 'Order details for Hannah');
GO

For Row-Level Security (RLS):

CREATE FUNCTION dbo.f_Orders(@username varchar(max))
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN SELECT 1 AS fn_securitypredicate_result
WHERE @username = CAST(SESSION_CONTEXT(N'name') AS varchar(max));

CREATE SECURITY POLICY dbo.SecurityPolicy_Orders
ADD FILTER PREDICATE dbo.f_Orders(username)
ON dbo.Orders;

EXEC sp_set_session_context 'name', 'Oscar';

SELECT * FROM Orders;
GO

3. Create a .env File for Secure Configuration

To avoid hardcoding sensitive information, I created a .env file with the following content:

# SQL Server connection string
SQL_CONNECTION_STRING=Server=localhost;User Id=sa;Database=Test;Password=password123;TrustServerCertificate=True;Encrypt=True; 

# HTTPS configuration for DAB
ASPNETCORE_URLS=https://localhost:5001;http://localhost:5000

4. Create a Self-Signed Certificate for HTTPS in Keycloak

Use OpenSSL to create a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -keyout keycloak.key -out keycloak.crt -days 365 -nodes -subj "/CN=localhost"

Then, install this certificate on the Windows machine running DAB by double-clicking the certificate file and installing it in the "Trusted Root Certification Authorities" store.

5. Set Up Keycloak in Docker

Here’s the Dockerfile I used to set up Keycloak with HTTPS:

FROM quay.io/keycloak/keycloak:latest

# Copy the certificates
COPY certs/keycloak.crt /etc/x509/https/tls.crt
COPY certs/keycloak.key /etc/x509/https/tls.key

# Set environment variables for admin user
ENV KEYCLOAK_ADMIN=admin
ENV KEYCLOAK_ADMIN_PASSWORD=admin

# Start the server with HTTPS configuration
ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--https-certificate-file=/etc/x509/https/tls.crt", "--https-certificate-key-file=/etc/x509/https/tls.key", "--hostname-strict=false"]

To build and run the container:

docker build -t keycloak-https .
docker run -d --name keycloak-https -p 8443:8443 keycloak-https

6. Configure Keycloak

Access Keycloak at https://localhost:8443 and log in with the credentials admin/admin.

1. Create a realm.

2. Create a client.
   

3. Create a user with credentials (deactive temporary password).

4. Create a realm role (e.g., authenticated).
   

5. Create a name client scope (will be executed in SQL Server session context to perform the API call under the user Oscar in this case)
   

6. Deactivate all the Required actions in Authentication settings (bottom left) - only for test purposes.
   

7. Test JWT Token in Postman

Use Postman to make a request to the Keycloak token endpoint:

POST https://localhost:8443/realms/TestDAB/protocol/openid-connect/token

With the following body:

grant_type=password
client_id=dab-client
username=Oscar
password=password

Verify the token and its claims on jwt.io.

8. DAB Configuration File

Here’s the dab-config.json I used:

{
  "$schema": "https://github.com/Azure/data-api-builder/releases/download/v1.2.10/dab.draft.schema.json",
  "data-source": {
    "database-type": "mssql",
    "connection-string": "@env('SQL_CONNECTION_STRING')",
    "options": {
      "set-session-context": true
    }
  },
  "runtime": {
    "rest": {
      "enabled": true,
      "path": "/api",
      "request-body-strict": true
    },
    "graphql": {
      "enabled": true,
      "path": "/graphql",
      "allow-introspection": true
    },
    "host": {
      "cors": {
        "origins": ["*"],
        "allow-credentials": false
      },
      "authentication": {
        "provider": "jwt",
        "jwt": {
          "audience": "account",
          "issuer": "https://localhost:8443/realms/TestDAB"
        }
      },
      "mode": "development"
    }
  },
  "entities": {
    "Orders": {
      "source": {
        "object": "dbo.Orders",
        "type": "table"
      },
      "graphql": {
        "enabled": true,
        "type": {
          "singular": "Order",
          "plural": "Orders"
        }
      },
      "rest": {
        "enabled": true
      },
      "permissions": [
        {
          "role": "authenticated",
          "actions": [
            {
              "action": "read"
            }
          ]
        }
      ]
    }
  }
}

9. Test the Setup

Finally, make a request to https://localhost:5001/api/Orders using the Bearer token you obtained earlier. If everything is set up correctly, only the rows associated with Oscar should be returned.

The directory structure on my machine is as follows:

dab/
│
├── dab-config.json
├── .env
├── Dockerfile
│
└── certs/
    ├── keycloak.crt
    └── keycloak.key

---

This setup helped me resolve the JWT validation issue, and I hope it helps others facing similar challenges. If you have any questions or need further clarification, feel free to ask!