JWT auth with kecyalock

[mmendozaf]

Question

Dear Comunity,

I'm struggle to setup the jwt auth on mediamtx with keycloak.

JWT generation in keycloack is done and token generated is bellow.

I invoke the path rtsp://idp.consecpro.com:8554/jose?jwt=[ TOKEN ] but I'm getting an error that say.

### {"error":"authentication failed: Get "https://idp.consecpro.com/realms/mediamtx/protocol/openid-connect/certs\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}

Cert if the keycloak is generted on letsencrypt.

How is this certificate validated ? DO I need to import some signing key into

The certs from OpenID are on the following URL
https://idp.consecpro.com/realms/mediamtx/protocol/openid-connect/certs

Any one also fighting with this topic ?

Content Bellow =

{"keys":[{"kid":"AZjjaM8jaNj62iMHlHNzDkcObERPes60DTA5JYAf6Fw","kty":"RSA","alg":"RSA-OAEP","use":"enc","x5c":["MIICnzCCAYcCBgGWFy4cmjANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhtZWRpYW10eDAeFw0yNTA0MDgyMDUyMDBaFw0zNTA0MDgyMDUzNDBaMBMxETAPBgNVBAMMCG1lZGlhbXR4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsNFNcmdtosAp74gxgXQEphfq/slpMFPAJ4zTk8SJG0Gp81WU8rHYLWe3QCO3nUc4Nmz1bWvzhsfirIMbkHSNKJtrfNKzeu/05kJxGB5KlKUAx+8/LIAJzmVzBPNyebrG5uf1gvdxO5wFi6tvkYfedzrRFSJEmwvqb8nspKXrb1qvGPEC19Dk7lbJzOJZOZvaIPQhkCSn8ImszgV4X8n56EHCPa52f47EICbWDInjxv/RQjXVCQQRAlf7QyAexDPAUbSDYuvjVmZeo/f5Kkxnexht0Db86v12Yt1VcMBbyurBlpIvtpVHfjc08WJhy0S31e2uR3Vn9Dq0K3Tob6KYwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBaF03wcWVZGSPfv0MZnIxcqng+vu+RsF7DI77OeURmegL7CDRaIDuhSmdKjZHoyc8SSJ9wkkLItI8LB1J81mxo1n4I9haGF7R/LcYTVVT4+0+1uFJ/VVU94gFnCjgdTx5KXsMgjQX17q1fi7fvCjlAXQA4vHMNi72EonOPjaLY1YWLK2d5552ITGw2fGVWmprjUUJzCPZNnKXG/48JhCgDNlxYXbJ2+o45UMPI3TWj5UrIWZ9Iq83rpyUrzm/4ykzevNyLmzXuSyr/ZndmFIaaiQ+gc6QVnAY0+tONDsp6lX/uLEOr7Bp4Lr0CSRmAxCBnERdA1eCfAoKcqyjtLkG1"],"x5t":"YJU2Oa8OItq2aFZrV-xsOl11DSI","x5t#S256":"PXD8qRDiBa338nez7F6IYoeapNMfihhndlCdasdoWiw","n":"vsNFNcmdtosAp74gxgXQEphfq_slpMFPAJ4zTk8SJG0Gp81WU8rHYLWe3QCO3nUc4Nmz1bWvzhsfirIMbkHSNKJtrfNKzeu_05kJxGB5KlKUAx-8_LIAJzmVzBPNyebrG5uf1gvdxO5wFi6tvkYfedzrRFSJEmwvqb8nspKXrb1qvGPEC19Dk7lbJzOJZOZvaIPQhkCSn8ImszgV4X8n56EHCPa52f47EICbWDInjxv_RQjXVCQQRAlf7QyAexDPAUbSDYuvjVmZeo_f5Kkxnexht0Db86v12Yt1VcMBbyurBlpIvtpVHfjc08WJhy0S31e2uR3Vn9Dq0K3Tob6KYw","e":"AQAB"},{"kid":"118ai6Kc1pmLW9qH1nnXFtKuiLsCga02LQBD4gyPKE8","kty":"RSA","alg":"RS256","use":"sig","x5c":["MIICnzCCAYcCBgGWFy4aQzANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhtZWRpYW10eDAeFw0yNTA0MDgyMDUxNTlaFw0zNTA0MDgyMDUzMzlaMBMxETAPBgNVBAMMCG1lZGlhbXR4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyYKTDtun/+LSm88mO39WqqJANQrEdPF+hQKBgexTvzQsah1BtxtT6glbER8+guyVQcIiKVVyp87ULAS/qK5kHorPlIA1iBnpkRAglnxgMBdm5Cl+BF/RSpI5pARRR2+vUe1QKgY1rPvFbQddrJBcMMOV0tDfZdQX+/VbnI0jcd1Y6E9frNVYw2wy0frFTn6uOo842X31Hyx4FVxW7V5jUUkvC1MeMlefaVaK8uybwf6gyP1V+dFFr3SE5pgb8s3iQw5MIpqq1OvXoyKQlVHbcrtTINr3TeV7rtObdGZR8gtoHntWdSFKefmEieHTCNvl0g/3oKpo3UnYsxuHJxBV5QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB0JipR1dzsEflFlN2tsDoAW243RswR+FeVk7zS0ICTj4Gid59k/iT/nCUHCHSx1aCIjkzvhjBSjZxY5heZo4Rn6h46zOaraSJlTdzWPWB+w2M+Oox49qUg87tUsqwY9s4/qt51jEKa1utTG94mXLUx5dQGcVQxt599s6bX9kwcmO+c3A8oqQRk4D+R/QqW01eBhUfpfVUE8Jt+R7hlXpLDQzIzZkn8UWe0onF0P3AI3dVX3rVy+Y+8xGeA3lB0xU15qdz3JVKj8Y2Ad3+6jRnTC5QaS5M0qkQEsKrrTieyUrZHkvL8Gz/aZ2YIkmTlO62WSjVRk5fRXdQaP9RMNQwa"],"x5t":"T4YPWFhwDCjaBVsJdvZUZAodeAI","x5t#S256":"fy5SwBSDyCMB9oHeUtQCzeTgXuBGhP7OvNJ34nVmN4c","n":"yYKTDtun_-LSm88mO39WqqJANQrEdPF-hQKBgexTvzQsah1BtxtT6glbER8-guyVQcIiKVVyp87ULAS_qK5kHorPlIA1iBnpkRAglnxgMBdm5Cl-BF_RSpI5pARRR2-vUe1QKgY1rPvFbQddrJBcMMOV0tDfZdQX-_VbnI0jcd1Y6E9frNVYw2wy0frFTn6uOo842X31Hyx4FVxW7V5jUUkvC1MeMlefaVaK8uybwf6gyP1V-dFFr3SE5pgb8s3iQw5MIpqq1OvXoyKQlVHbcrtTINr3TeV7rtObdGZR8gtoHntWdSFKefmEieHTCNvl0g_3oKpo3UnYsxuHJxBV5Q","e":"AQAB"}]}

=======
JSON TOKEN

{"exp":1744232372,"iat":1744232072,"jti":"2ad84b6a-7a21-4540-84db-41b0d9bae9e5","iss":"https://idp.consecpro.com/realms/mediamtx","aud":"account","sub":"1ee338ab-759e-4756-8f52-9c469742488b","typ":"Bearer","azp":"mediamtx","sid":"64221016-ef58-49a1-be88-75cb36556d9e","acr":"1","allowed-origins":["https://idp.consecpro.com"],"realm_access":{"roles":["offline_access","uma_authorization","default-roles-mediamtx"]},"resource_access":{"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"mediamtx email profile","email_verified":false,"mediamtx_permissions":["{"action":"publish", "path": "jose"}","{"action":"read", "path": "jose"}","{"action":"playback", "path": "jose"}"],"name":"jose jose","preferred_username":"jose","given_name":"jose","family_name":"jose","email":"[email protected]"}

==

BASE64 TOKEN

jwt=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxMThhaTZLYzFwbUxXOXFIMW5uWEZ0S3VpTHNDZ2EwMkxRQkQ0Z3lQS0U4In0.eyJleHAiOjE3NDQyMzIzNzIsImlhdCI6MTc0NDIzMjA3MiwianRpIjoiMmFkODRiNmEtN2EyMS00NTQwLTg0ZGItNDFiMGQ5YmFlOWU1IiwiaXNzIjoiaHR0cHM6Ly9pZHAuY29uc2VjcHJvLmNvbS9yZWFsbXMvbWVkaWFtdHgiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiMWVlMzM4YWItNzU5ZS00NzU2LThmNTItOWM0Njk3NDI0ODhiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibWVkaWFtdHgiLCJzaWQiOiI2NDIyMTAxNi1lZjU4LTQ5YTEtYmU4OC03NWNiMzY1NTZkOWUiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vaWRwLmNvbnNlY3Byby5jb20iXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLW1lZGlhbXR4Il19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJtZWRpYW10eCBlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJtZWRpYW10eF9wZXJtaXNzaW9ucyI6WyJ7XCJhY3Rpb25cIjpcInB1Ymxpc2hcIiwgXCJwYXRoXCI6IFwiam9zZVwifSIsIntcImFjdGlvblwiOlwicmVhZFwiLCBcInBhdGhcIjogXCJqb3NlXCJ9Iiwie1wiYWN0aW9uXCI6XCJwbGF5YmFja1wiLCBcInBhdGhcIjogXCJqb3NlXCJ9Il0sIm5hbWUiOiJqb3NlIGpvc2UiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJqb3NlIiwiZ2l2ZW5fbmFtZSI6Impvc2UiLCJmYW1pbHlfbmFtZSI6Impvc2UiLCJlbWFpbCI6Im1hbmVsQGRlbGludGVybmV0LmNvbSJ9.RMmG6ZCsQwh8AqPgHhSVscYV2y6P4BBz5vE-9JKU_mGVYKB8vqilzs-ERR7tgadWKtkkryngWysGC6gifsANJwcv3wTv_n5N2vykCNLb9G0p4WbrtsK1iVIUfYONXAGbLWDxaZdN2yq9eCw1RyisxT1k5liKlv_YCoYfu7C4K4hVdjvkL53TmhNG7Cv8fcRz_h2rUh0I5QYGsNOHe29Un1YQaL30oZ1vQecYrIZ_s9lYPvwgll9uzQKmMgCOAO6_4zSoQXbF9D5PX82OpPqrkhz1kc9JMXbCGyZ1Y-2ZERIw3aNwvjdZXy9VRxo8uNQQ25mCgxMZMq_d6xDBIr5UuQ

[aler9]

Hello, what you need is the ability to use JWKS URLs with self-signed or invalid certificates. In #4514 i've added an option called authJWTJWKSFingerprint that allows to do so. Instructions on how to use it are in the configuration file.