Hi
Over the past few weeks I have been working on getting JWT to work. Here is the config I have got to today, and what I have learned.
In kibana.yml:

elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
searchguard.basicauth.enabled: false
searchguard.jwt.enabled: true
searchguard.jwt.url_param: jwtparam
searchguard.jwt.header: jwtheader

On the requestHeadersWhitelist line: I tried using Authorization at the beginning without any luck. Using jwtheader is what is working for me; technically that is the only header that needs to be whitelisted, but I am giving you what we have got working.
In sg_config.yml:

authc:
  kerberos_auth_domain:
    enabled: false
    order: 6
    http_authenticator:
      type: kerberos # NOT FREE FOR COMMERCIAL USE
      challenge: true
      config:
        # If true a lot of kerberos/security related debugging output will be logged to standard out
        krb_debug: false
        # If true then the realm will be stripped from the user name
        strip_realm_from_principal: true
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    enabled: true
    order: 4
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  jwt_auth_domain:
    enabled: true
    order: 0
    http_authenticator:
      type: jwt
      challenge: false
      config:
        signing_key: ""
        jwt_header: "jwtheader"
        jwt_url_parameter: "Authorization"
        roles_key: roles
        subject_key: name
    authentication_backend:
      type: noop
All other auth lines are not enabled.
Then I go to jwt.io and build the token; that was the easiest way to test it. On the right I leave the header as it is, and put this into the payload:

{
  "name": "test123",
  "roles": "testing"
}

(See the note below on "roles", as this doesn't get evaluated.)
For the signature I enter my key, and tick the box under it, 'secret base64 encoded'. You can also put the time/date that the token should expire in this format:

"exp": 1300819380
For the URL, if you're using Kibana, use the URL https://KIBANA_SERVER:5601/?jwtparam= to just log in. If you want to load a dashboard directly (can't see why else you would be using tokens to log in unless you were), then this is the URL format:

https://KIBANA_SERVER:5601/app/kibana?jwtparam=#/dashboard/AV7Mz9jx9L52N7SG5J_D?embed=true&_g=(refreshInterval:(display:Off,pause:!f,value:0),…

To get this, just go into the Kibana dashboard, click on share - iframe and copy the URL. Remove everything at the front up to and including the ", and everything at the back up to and including the ". Then insert the jwtparam= section between kibana and #/dashboard.
If you're using Elasticsearch, then go to https://ES_SERVER:9200//?Authorization=
You don't need to touch the sg_internal_users.yml file; it took me quite a while to work this out (mainly due to the point I make below). You do, however, need to map the username you passed to generate the JWT (test123 in my case) to a role in sg_roles_mapping.yml, otherwise you will not see any data, as you are authenticated but not authorized.
I mentioned that the roles passed in the token are not being evaluated by JWT. I found this after days of troubleshooting why some usernames would show me data and others would not. I have posted this separately, so let's hope the team at SG can shed some light on what is causing this.
Hope this helps. It took me weeks to get to this point, but without knowing the issue with the roles not being passed in the token, we are stuck.
Paul
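As an added illustration (not code from this thread or from Search Guard), the following script builds the same kind of HS256 token that jwt.io produces for the payload above, verifies it the way a resource server should (signature checked with a constant-time compare, alg pinned to HS256, exp enforced), and assembles the Kibana URL with the jwtparam= query parameter in the position described. It assumes, as the "secret base64 encoded" checkbox implies, that the configured signing_key is the base64 encoding of the raw HMAC secret; the key, dashboard id and host name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import quote

# Constructed demo secret (base64-encoded, as entered on jwt.io); not a real key.
DEMO_KEY_B64 = base64.b64encode(b"constructed-demo-secret-not-for-production").decode()


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(signing_key_b64: str, name: str, roles: str, exp: int) -> str:
    """HS256 JWT carrying the claims used in the thread: name, roles, exp."""
    key = base64.b64decode(signing_key_b64)  # decode the base64 secret before signing
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"name": name, "roles": roles, "exp": exp}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(signing_key_b64: str, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    key = base64.b64decode(signing_key_b64)
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # tampered token or wrong key
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # never accept "none" or an unexpected algorithm
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None  # expired
    return claims


def kibana_url(token: str, dashboard_id: str) -> str:
    """Dashboard URL with jwtparam= inserted between 'kibana' and '#/dashboard', as in the post."""
    return (f"https://KIBANA_SERVER:5601/app/kibana?jwtparam={quote(token, safe='')}"
            f"#/dashboard/{dashboard_id}?embed=true")
```

Note that verify_token only proves who the token is for; as the post says, the subject still has to be mapped to a role on the Search Guard side before any data is visible.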
On Tuesday, November 14, 2017 at 1:59:43 AM UTC+11, Search Guard wrote:
Look into the log files for errors.
Most likely your signing_key is not valid (do you use HMAC or RSA?).
Please refer also to https://github.com/floragunncom/search-guard-docs/blob/master/jwt.md
On 12.11.2017 at 19:52, boulmal...@gmail.com wrote:
Hi,
I'm using
- Elasticsearch 5.6.3 with SearchGuard plugin 5-5.6.3-16
- jwt module jar-with-dependencies.jar 5.0.6
I'm trying to use JWT Authentication but I'm receiving 401 unauthorized errors.
My configuration in sg_config.yml is:
basic_internal_auth_domain:
  enabled: true
  order: 4
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: intern
…
jwt_auth_domain:
  enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: true
    config:
      signing_key: "base64 encoded key"
      jwt_header: "Authorization"
      jwt_url_parameter: null
      subject_key: null
      roles_key: null
In my request I added the Authentication header with the Bearer, as mentioned in the official documentation of JSON Web Tokens.
Is there anything I missed?
Thank you in advance.