Identity verification failed when trying quick start guide (dial tcp connect: connection refused)

What happened?

I was getting an "Identity verification failed" error when trying out the quick start. I was following the build-from-source guide and use Auth0 as my IdP. Below is the detailed error message:

We tried to verify the incoming user, but failed with the following error: couldn't get json web key: Get "": dial tcp connect: connection refused

What did you expect to happen?

Verification succeeds and I get the expected result from the quick start page.

How’d it happen?

I built the binary from source, installed certs using mkcert, and started Pomerium with the following config:

# See detailed configuration settings :

# this is the domain the identity provider will callback after a user authenticates

# certificate settings:
# autocert: true
autocert_use_staging: true

# If you're using mkcert to test Pomerium locally, comment the autocert keys and uncomment
# the keys below, adjusting for your mkcert path:
certificate_file: redacted
certificate_key_file: redacted

# identity provider settings :
idp_provider: auth0
idp_provider_url: redacted
idp_client_id: redacted
idp_client_secret: redacted

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

  - from:
      - allow:
            - email:
                is: redacted
    pass_identity_headers: true

I also set up SIGNING_KEY following this guide

Also note that I have no problem calling from browser or through curl.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): v0.20.0
  • macOS arm

What’s your config.yaml?

See above

the way works is that it takes incoming assertion header and fetches a signing key from authenticate endpoint ( to verify the authenticity of the passed header. is a hosted application and is not running on your local host, and therefore cannot access your localhost resources.

Thank you Denis! I see, so it’s already routed to the destination. I thought it failed in a previous step. Changed the routing destination to an internal service and it works!

Shall we add some comments to the example config though? The error message can be a bit confusing.

sure, please see Getting the user's identity | Pomerium for more details. verify app is open source.

also a word of caution when building from source is to assemble from release tags, rather than from main.
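A diagnostic sketch for the failure explained in the reply above, added here as an example and not taken from the thread or from Pomerium's code: it checks whether a verifier hosted elsewhere could reach the signing-key (JWKS) URL at all, or whether the host only resolves to loopback or private addresses, in which case the fetch ends in a connection error like the one reported. The host names, DNS records and URLs are constructed samples, and `jwks_reachability`, `static_resolver` and `SAMPLE_DNS` are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Resolve host with the local resolver; raises OSError on failure."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def static_resolver(table):
    """Offline resolver backed by a dict of constructed sample records."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"no record for {host}")
        return set(table[host])
    return resolve


def jwks_reachability(jwks_url, resolver=system_resolver):
    """Classify whether a verifier hosted elsewhere could fetch jwks_url.

    Returns (verdict, addresses); verdict is "remote-ok", "local-only"
    (no globally routable address) or "unresolvable".
    """
    host = urlsplit(jwks_url).hostname
    if not host:
        return "unresolvable", []
    try:
        addrs = {str(ipaddress.ip_address(host))}  # host is an IP literal
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return "unresolvable", []
    addrs = sorted(addrs)
    if not addrs:
        return "unresolvable", []
    # A remote verifier needs at least one globally routable address.
    if any(ipaddress.ip_address(a).is_global for a in addrs):
        return "remote-ok", addrs
    return "local-only", addrs


# Constructed sample DNS records, not values from the thread.
SAMPLE_DNS = static_resolver({
    "authenticate.dev.example": {"127.0.0.1"},
    "authenticate.corp.example": {"10.0.0.5"},
    "authenticate.public.example": {"8.8.8.8"},
})
```

A "local-only" verdict for the authenticate host means identity headers can only be verified by an upstream running on the same machine or network as Pomerium.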

