Neon Authorize Troubleshooting
Common issues and solutions when using Neon Authorize
This page covers common errors you might encounter when implementing Row-Level Security (RLS) policies with Neon Authorize and your authentication provider.
This error indicates that Neon couldn't locate the expected JSON Web Key (JWK) based on its key ID (kid
) in the Authorize configuration.
This issue typically occurs when:
-
JWKS URL not configured or incorrect
You did not add the JWKS URL in the Authorize UI, or the configured JWKS URL is not returning the key associated with the
kid
field in your JWT. -
JWT and JWKS mismatch
The
kid
field in your JWT doesn't match any of the keys being returned by your JWKS URL. -
Unsupported role name
The Postgres username used in your connection string is not a role registered for Neon Authorize. Currently, only the roles
anonymous
andauthenticated
are supported. Make sure that the role name in your connection string matches one of these supported roles.
Solution:
- Verify that the JWKS URL is correctly configured in the Authorize UI and that it returns the expected keys.
- Ensure that the
kid
field in your JWT matches at least one key from the JWKS URL. - Check that the role name in your connection string matches either
anonymous
orauthenticated
.
Helpful Links:
This error typically indicates that you haven't yet granted the necessary permissions to the authenticated
and anonymous
roles.
Solution:
Run the following commands to grant permissions:
For existing tables:
For future tables:
note
Neon Authorize prompts you to run these commands when you first set up your authentication provider on the Neon Authorize drawer in the Neon Console. If you're using a different database, you will have to run these commands manually.
Neon Authorize only supports JWTs signed with the ES256
and RS256
algorithms. If the Neon Proxy receives a JWT signed with any other algorithm, it will produce an error.
Solution:
Ensure your JWTs are signed using either the ES256
or RS256
algorithms.