Entra ID: common issues

If you have not read the Entra ID docs at our launchpad-docs repo, please read that before reading this article.

Below are some common sources of errors with the files used in setting up the Azure AD integration with Stardog Launchpad.

jwt.yaml

• Including the signer key
  • Our OAuth documentation includes a signer key, but you do not need it when using Azure AD with Launchpad.
• keyUrl not being resolvable
  • Ensure the jwks.json file that your keyUrl points to is resolvable by Stardog. If it is not resolvable, your stardog.log file will contain the error message Failed verify the JWT: Failed to get key with kid [key ID].
    • This message will only show up if you have the following entry in your log4j2.xml file, which can be found in your STARDOG_HOME directory:

      • <Logger name="com.complexible.stardog.security.token" level="DEBUG" additivity="false">
            <AppenderRef ref="stardogAppender"/>
        </Logger>

    • If you see this error message, you have two options:

      • Set K8S_DEPLOYMENT=true in your Launchpad .env file.

      • Try putting your jwks.json file directly in your STARDOG_HOME directory. Then edit your jwt.yaml file such that the keyUrl entry is as follows:
        

        • keyUrl: file:///path/to/stardog_home/jwks.json

        • Note this method is insecure and is not intended for production.

    • If you're using Kubernetes, you'll edit your values.yaml file instead of your jwt.yaml file. You can see an example of which line to edit in our helm charts here.

.env

• Ensure the certificate bundle that STARDOG_SERVER_CERT_PATHpoints to has the Stardog server's certificate and all of the certificates in the chain to the root certificate.
  • read more about STARDOG_SERVER_CERT_PATH here
• Ensure /jwk (the value of JWK_LOCATION) is properly mounted on your Docker container.