Identity verification failed when trying quick start guide (dial tcp 127.0.0.1:443: connect: connection refused)

What happened?

I was getting an "Identity verification failed" error when trying out the quick start. I was following the build from source guide, and I use Auth0 as my IDP. Below is the detailed error message:

We tried to verify the incoming user, but failed with the following error: couldn't get json web key: Get "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json": dial tcp 127.0.0.1:443: connect: connection refused

What did you expect to happen?

Verification succeeded and getting the expected result from the quick start page.

How’d it happen?

I built the binary from source, installed certs using mkcert and started Pomerium with the following config:

# See detailed configuration settings : https://www.pomerium.com/docs/reference/

# this is the domain the identity provider will callback after a user authenticates
authenticate_service_url: https://authenticate.localhost.pomerium.io

# certificate settings:  https://www.pomerium.com/docs/reference/certificates.html
# autocert: true
# REMOVE FOR PRODUCTION
autocert_use_staging: true

# If you're using mkcert to test Pomerium locally, comment the autocert keys and uncomment
# the keys below, adjusting for your mkcert path:
certificate_file: redacted
certificate_key_file: redacted

# identity provider settings : https://www.pomerium.com/docs/identity-providers.html
idp_provider: auth0
idp_provider_url: redacted
idp_client_id: redacted
idp_client_secret: redacted

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=

# https://pomerium.io/reference/#routes
routes:
  - from: https://verify.localhost.pomerium.io
    to: https://verify.pomerium.com
    policy:
      - allow:
          or:
            - email:
                is: redacted
    pass_identity_headers: true

I also set up SIGNING_KEY following this guide

Also note that I have no problem calling https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json from the browser or through curl.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): v0.20.0
  • macOS arm

What’s your config.yaml?

See above

The way verify.pomerium.com works is that it takes the incoming assertion header and fetches a signing key from the authenticate endpoint (https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json) to verify the authenticity of the passed header.

verify.pomerium.com is a hosted application and is not running on your local host, and therefore cannot access your localhost resources.

Thank you Denis! I see, so it’s already routed to the destination. I thought it failed in a previous step. Changed the routing destination to an internal service and it works!

Shall we add some comments to the example config though? The error message can be a bit confusing.

Sure, please see Getting the user's identity | Pomerium for more details. The verify app is open source.

Also a word of caution when building from source: assemble from release tags rather than from main.