Over the past few weeks I have been working on getting JWT to work; here is the config I have got to today, and what I have learned.
elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ] <-- I tried using Authorization at the beginning without any luck. Using jwtheader is what is working for me; technically that is the only header that needs to be whitelisted, but I am giving you what we have got working.
type: kerberos # NOT FREE FOR COMMERCIAL USE
If true a lot of kerberos/security related debugging output will be logged to standard out
If true then the realm will be stripped from the user name
All other auth lines are not enabled.
Then I go to jwt.io and build the token; that was the easiest way to test it. On the right I leave the header as it is, and put this into the payload:
"roles": "testing" <-- see note below, as this doesn't get evaluated
For the signature I enter my key, and tick the box under it 'secret base64 encoded'. You can also put the time/date that the token should expire in this format:
For the URL, if you're using Kibana, use the URL https://KIBANA_SERVER:5601/?jwtparam= to just log in. If you want to load a dashboard directly (can't see why else you would be using tokens to log in unless you were), then this is the URL format:
To get this, just go into the Kibana dashboard, click on the share - iframe and copy the URL. Remove everything at the front up to and including the ", and everything at the back up to and including the ". Then insert the jwtparam= section between kibana and #/dashboard.
If you're using Elasticsearch, then go to https://ES_SERVER:9200//?Authorization=
You don't need to touch the sg_internal_users.yml file; it took me quite a while to work this out (mainly due to the point I make below). You do, however, need to map the username you passed to generate the JWT (test123 in my case) to a role in sg_roles_mapping.yml, otherwise you will not see any data, as you're authenticated but not authorized.
I mentioned that the roles passed in the token are not being evaluated by JWT. I found this after days of troubleshooting why some usernames would show me data and others would not. I have posted this separately, so let's hope the team at SG can shed some light as to what is causing this.
Hope this helps. It took me weeks to get to this point, but without knowing the issue with the roles not being passed in the token, we are stuck.
On Tuesday, November 14, 2017 at 1:59:43 AM UTC+11, Search Guard wrote:
Look into the log files for errors.
Most likely your signing_key is not valid (do you use HMAC or RSA?).
Please refer also to https://github.com/floragunncom/search-guard-docs/blob/master/jwt.md
On 12.11.2017 at 19:52, boulmal...@gmail.com wrote:
- Elasticsearch 5.6.3 with SearchGuard plugin 5-5.6.3-16
- jwt module jar-with-dependencies.jar 5.0.6
I'm trying to use JWT authentication, but I'm receiving 401 Unauthorized errors.
My configuration in sg_config.yml is
signing_key: "base64 encoded key"
In my request I added an Authentication header with the Bearer, as mentioned in the official documentation of JSON web tokens.
Is there anything I missed ?
Thank you in advance.
You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ee0a895b-e85d-40d1-8dfd-a1a3714eb94c%40googlegroups.com.
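The token-building and URL steps from the first reply above (an HS256 token whose secret is base64 encoded, a username in `sub` that sg_roles_mapping.yml must map, a `roles` claim, an `exp` timestamp, and `?jwtparam=` inserted between the Kibana host and the `#/dashboard` fragment), plus the "is my signing_key valid" check from the Search Guard reply, written out as an added example. This is not code from the thread or from Search Guard; it uses only the Python standard library, the secret and claim values are constructed for the demo, and the verifier models what a server pinned to HS256 would accept (same base64-decoded key, constant-time compare, `exp` enforced). It does not model Search Guard's own role evaluation, which the post says was not working.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed demo secret: the base64 form is what goes into sg_config.yml's
# signing_key and into the jwt.io box with 'secret base64 encoded' ticked.
DEMO_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-do-not-reuse").decode("ascii")


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; re-adds the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(secret_b64: str, subject: str, roles, lifetime_s: int = 3600, now=None) -> str:
    """Build the token the post builds on jwt.io: HS256, 'sub' = username
    (test123 in the post), 'roles' claim, and 'exp' as a Unix timestamp.
    The secret is base64-decoded before signing, matching the jwt.io checkbox."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + lifetime_s}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    key = base64.b64decode(secret_b64)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256_jwt(secret_b64: str, token: str, now=None):
    """Server-side check: pin alg to HS256 (never trust the token's own alg),
    recompute the HMAC with the base64-decoded key, compare in constant time,
    and reject expired tokens. Returns the payload dict, or None on any failure.
    A token that fails here with the key from sg_config.yml is the situation
    the 'signing_key is not valid' reply describes."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if "exp" in payload and now >= int(payload["exp"]):
        return None
    return payload


def kibana_login_url(kibana_base: str, token: str, dashboard_fragment: str = "") -> str:
    """Plain login: https://KIBANA_SERVER:5601/?jwtparam=<token>
    Dashboard: the '#/dashboard/...' fragment copied from the share URL goes
    after ?jwtparam=<token>, which is where the post says to insert it."""
    return f"{kibana_base.rstrip('/')}/?{urlencode({'jwtparam': token})}{dashboard_fragment}"


if __name__ == "__main__":
    tok = make_hs256_jwt(DEMO_SECRET_B64, "test123", "testing")
    print(tok)
    print(kibana_login_url("https://KIBANA_SERVER:5601", tok, "#/dashboard/example"))
    print(verify_hs256_jwt(DEMO_SECRET_B64, tok))
```

The JWT alphabet (A-Z, a-z, 0-9, `-`, `_`, `.`) survives `urlencode` unchanged, so the token in the URL is byte-for-byte the one jwt.io would show; if a proxy or browser re-encodes it, the signature check will fail, which is worth remembering when the Kibana `jwtparam` route gives a 401 while a direct `Authorization` header works.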