Unknown error when trying to auth with JWT

[Karalix]

Hello all,

Description

I have been trying to use the JWT authentication with Keycloak, but I get an unknown_error 500 from Couch.

My setup

WSL2 Ubuntu 20.04
CouchDB 3.1.1

My local.ini file :

[chttpd]
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}

[jwt_auth]
required_claims =

[jwt_keys]
rsa:<my-kid> = -----BEGIN PUBLIC KEY-----\n<My Public Key>\n-----END PUBLIC KEY-----\n

My JWT :

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "<my-kid>"
}
{
  "exp": 1625690441,
  "iat": 1625690141,
  "jti": "6617a8c6-07ac-4e24-a452-dbaf9f5c34c6",
  "iss": "http://localhost:8081/auth/realms/kronikle",
  "aud": "account",
  "sub": "030d4266-03bf-4668-b76d-25e561152d81",
  "typ": "Bearer",
  "azp": "kronikle-api",
  "session_state": "79a3265e-2d84-48c2-9c4b-0565826e9354",
  [...signature...]
}

My _security document :

{
  "_id": ":_security",
  "members": {
    "roles": [
      "_admin"
    ],
    "names": [
      "alix",
      "bob",
      "030d4266-03bf-4668-b76d-25e561152d81"
    ]
  },
  [...]
}

It works all right when using Basic Auth with user "bob", but I can't make it work when I try to use a fresh JWT from Keycloak.

My curl request :

curl --request PUT \
  --url http://localhost:5984/kronikle/test1-resource:resource3 \
  --header 'Authorization: Bearer <My-JWT>' \
  --header 'Content-Type: application/json' \
  --data '{
	"type": "resource",
	"resourcetype": "text"
}'

The response I get from Couch :

{
  "error": "unknown_error",
  "reason": "badarg",
  "ref": 824051426
}

The logs :

[error] 2021-07-07T21:10:37.059388Z couchdb@127.0.0.1 <0.15461.1> 50e27e68ed req_err(824051426) unknown_error : badarg
    [<<"erlang:list_to_existing_atom/1">>,<<"couch_httpd_auth:-get_configured_claims/0-lc$^0/1-0-/1 L216">>,<<"couch_httpd_auth:-get_configured_claims/0-lc$^0/1-0-/1 L216">>,<<"couch_httpd_auth:jwt_authentication_handler/1 L194">>,<<"chttpd:authenticate_request/2 L532">>,<<"chttpd:process_request/1 L304">>,<<"chttpd:handle_request_int/1 L244">>,<<"mochiweb_http:headers/6 L150">>]
[notice] 2021-07-07T21:10:37.059950Z couchdb@127.0.0.1 <0.15461.1> 50e27e68ed localhost:5984 127.0.0.1 undefined PUT /kronikle/test1-resource:resource3 500 ok 1

I have tried everything I could think of now. If anyone could help me understand what I did wrong here, I would love to hear it.

[Karalix]

So I read again the doc with a rested brain, and discovered that I obviously should do a GET request with my JWT to /_session to authenticate myself. Unfortunately, I still get the same 500 badarg response.

curl --request GET \
  --url http://localhost:5984/_session \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <JWT>'

[Karalix]

Ok, I guess it's the bug in couchDB that is addressed in #3392, I'll wait the next release then.