JWKS URL Parsing Fails [v24.0.5]

[matt2102]

JWKS URL Parsing

Updating schema over /admin/endpoint with a dash separated subdomain fails and results in the below error.

{
    "errors": [
        {
            "message": "resolving updateGQLSchema failed because invalid character 'p' after top-level value (Locations: [{Line: 3, Column: 4}])",
            "extensions": {
                "code": "Error"
            }
        }
    ]
}

The following url would work in v23 and migrating to v24.0.5 schema validation threw an error:

# Dgraph.Authorization {"jwkurl": "https://dash-seperated-subdomain-api.example.com/.well-known/jwks"}

To Reproduce

Add a subdomain such as to the schema.graphql file and update the schema over the /admin/schema endpoint.

# Dgraph.Authorization {"jwkurl": "https://dash-seperated-subdomain-api.example.com/.well-known/jwks"}

this behavior is the same when using multiple urls as in

# Dgraph.Authorization {"jwkurls": ["https://dash-seperated-subdomain-api.example.com/.well-known/jwks"]}

[drev74]

This config is invalid, since the jwkurls must pointer to the actual json. Below is a valid example, that works for me:

Dgraph.Authorization {"header":"X-Dgraph-AuthToken","namespace":"https://dgraph.io/jwt/claims","jwkurl":"https://my-provider.com/.well-known/jwks.json","audience":["mycorp","dgraph"],"closedbydefault":true}

[matt2102]

Yes, the endpoint must return valid JSON Web Keys however including the .json file extension at the end is unnecessary.

See Google's implementation of the JWKS url https://www.googleapis.com/oauth2/v3/certs

The problem still remains that a subdomain with too many dashes somehow fails JWK url parsing.