JWT validation failure: error getting the keys from the key func: could not get well known endpoints from url

I have a Go backend that uses github user zett-8’s go-clean-echo as a template. Their template uses a middleware explicitly using auth0. I have a React frontend that properly uses auth0 for login and for getting JWT tokens to interact with the backend, which uses an auth0 API in the jwt middleware.

The middleware is as follows:

package middlewares

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"

	"tlmgateway/configs"

	"github.com/auth0/go-jwt-middleware/v2/jwks"
	"github.com/auth0/go-jwt-middleware/v2/validator"
	"github.com/labstack/echo/v4"
	// "github.com/zett-8/go-clean-echo/configs"
)

func JwtMiddleware() (echo.MiddlewareFunc, error) {
	// auth0Config := configs.Auth0Config

	auth0Config := configs.Auth0ConfigType{
		Domain:             os.Getenv("AUTH0_DOMAIN"), // my tenant domain
		ClientID:           os.Getenv("AUTH0_CLIENTID"), // client ID for my single-page application
		Audience:           []string{os.Getenv("AUTH0_AUDIENCE")}, // identifier URL for my custom API
		Issuer:             os.Getenv("AUTH0_DOMAIN"), // my tenant domain
		SignatureAlgorithm: validator.RS256,
		CacheDuration:      15 * time.Minute,
	}

	issuerURL, err := url.Parse(auth0Config.Issuer)
	if err != nil {
		return nil, err
	}

	provider := jwks.NewCachingProvider(issuerURL, auth0Config.CacheDuration)

	jwtValidator, err := validator.New(
		provider.KeyFunc,
		auth0Config.SignatureAlgorithm,
		issuerURL.String(),
		auth0Config.Audience,
	)
	if err != nil {
		return nil, err
	}

	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {

			authorization := c.Request().Header.Get("Authorization")
			if authorization == "" {
				return echo.NewHTTPError(http.StatusUnauthorized, "No Authorization Header")
			}

			if !strings.HasPrefix(authorization, "Bearer ") {
				return echo.NewHTTPError(http.StatusUnauthorized, "Invalid Authorization Header")
			}

			token := strings.TrimPrefix(authorization, "Bearer ")

			fmt.Printf("\nToken: %s\n\n", token) // debug output: prints the raw bearer token to stdout

			claims, err := jwtValidator.ValidateToken(c.Request().Context(), token)
			if err != nil {
				fmt.Printf("\n%s\n\n", err)
				// logger.Error("Invalid Token: ", zap.Error(err))
				return echo.NewHTTPError(http.StatusUnauthorized, "Invalid Token")
			}

			c.Set("claims", claims.(*validator.ValidatedClaims))

			return next(c)
		}
	}, nil
}

The call to jwtValidator.ValidateToken causes an error, which is the following:

failed to deserialize token claims: error getting the keys from the key func: could not get well known endpoints from url <my_domain>/.well-known/openid-configuration: Get "<my_domain>/.well-known/openid-configuration": unsupported protocol scheme ""

The token generated by getAccessTokenSilently on my frontend is valid, as confirmed by https://jwt.io/

While I have been able to find vanishingly little information on this particular error (essentially, one forum post here where the user said they just gave up), I have the feeling it has something to do with the configuration of the tenant/domain.

What might be the root cause(s) of this error, and how might I address them?

Hello @mbonnet, welcome to the community!

Thanks for sharing your code and a detailed description of the issue you’re seeing.

I tend to agree!

What does your AUTH0_DOMAIN look like? Feel free to redact the actual name if you want to share here. I know in our sample app we add the scheme (https) and a forward slash (/) to the issuer URL:

issuerURL, err := url.Parse("https://" + os.Getenv("AUTH0_DOMAIN") + "/")

If that isn’t the issue, then I definitely recommend pulling down the sample itself and configuring to your environment - I would be interested to know if you receive any error there. If not, it could be helpful to compare against your code.

Keep us posted!
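The fix above, as an added example that is not part of the original thread or of go-clean-echo: a hypothetical helper that turns a bare AUTH0_DOMAIN into the issuer URL the JWKS provider expects (https scheme, trailing slash), refuses http, and shows the discovery URL that gets derived from it, so the empty-scheme case is caught at startup instead of on the first request.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// IssuerURLFromDomain normalises a tenant domain such as
// "example.us.auth0.com" into "https://example.us.auth0.com/".
// The trailing slash matters because Auth0 sets the token's iss
// claim to exactly that form. (Hypothetical helper, not SDK code.)
func IssuerURLFromDomain(domain string) (*url.URL, error) {
	domain = strings.TrimSpace(domain)
	if domain == "" {
		return nil, errors.New("AUTH0_DOMAIN is empty")
	}
	// A bare host parses with an empty Scheme, which is what produced
	// `unsupported protocol scheme ""`; add https before parsing.
	if !strings.Contains(domain, "://") {
		domain = "https://" + domain
	}
	u, err := url.Parse(domain)
	if err != nil {
		return nil, err
	}
	// Signing keys must only ever be fetched over TLS.
	if u.Scheme != "https" {
		return nil, fmt.Errorf("issuer must use https, got %q", u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("issuer has no host")
	}
	if !strings.HasSuffix(u.Path, "/") {
		u.Path += "/"
	}
	return u, nil
}

// WellKnownURL returns the OpenID discovery document location that a
// JWKS provider resolves relative to the issuer.
func WellKnownURL(issuer *url.URL) string {
	ref := &url.URL{Path: ".well-known/openid-configuration"}
	return issuer.ResolveReference(ref).String()
}

func main() {
	// Constructed sample inputs: bare, already-correct, and plain http.
	for _, d := range []string{"example.us.auth0.com", "https://example.us.auth0.com/", "http://example.us.auth0.com"} {
		u, err := IssuerURLFromDomain(d)
		if err != nil {
			fmt.Println(d, "->", err)
			continue
		}
		fmt.Println(d, "->", u.String(), WellKnownURL(u))
	}
}
```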

The issue was indeed the lack of the preceding scheme and following forward slash. Thank you so much!


No problem, happy to help! Glad you were able to get this sorted.
