JWT Authentication doesn't work

Hi,

I'm using

- Elasticsearch 5.6.3 with SearchGuard plugin 5-5.6.3-16
- jwt module jar-with-dependencies.jar 5.0.6

I'm trying to use JWT Authentication but I'm receiving 401 unauthorized errors.

My configuration in sg_config.yml is

    basic_internal_auth_domain:
      enabled: true
      order: 4
      http_authenticator:
        type: basic
        challenge: true
      authentication_backend:
        type: intern

    jwt_auth_domain:
      enabled: true
      order: 0
      http_authenticator:
        type: jwt
        challenge: true
        config:
          signing_key: "base64 encoded key"
          jwt_header: "Authorization"
          jwt_url_parameter: null
          subject_key: null
          roles_key: null

In my request I added an Authentication header with the Bearer token, as mentioned in the official documentation of JSON web tokens.

Is there anything I missed?

Thank you in advance.

Look into the logfiles for errors.
Most likely your signing_key is not valid (do you use HMAC or RSA?).

Please refer also to https://github.com/floragunncom/search-guard-docs/blob/master/jwt.md


Am 12.11.2017 um 19:52 schrieb boulmali.fares@gmail.com:

Hi,
I'm using
- Elasticsearch 5.6.3 with SearchGuard plugin 5-5.6.3-16
- jwt module jar-with-dependencies.jar 5.0.6
I'm trying to use JWT Authentication but I'm receiving 401 unauthorized errors.

My configuration in sg_config.yml is

basic_internal_auth_domain:
        enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

.......

jwt_auth_domain:
  enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: true
    config:
      signing_key: "base64 encoded key"
      jwt_header: "Authorization"
      jwt_url_parameter: null
      subject_key: null
      roles_key: null

In my request I added an Authentication header with the Bearer token, as mentioned in the official documentation of JSON web tokens.

Is there anything I missed?
Thank you in advance.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ee0a895b-e85d-40d1-8dfd-a1a3714eb94c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi

Over the past few weeks I have been working on getting JWT to work. Here is the config I have got to today, and what I have learned.

in kibana.yml:

    elasticsearch.requestHeadersWhitelist: [ authorization, Authorization, jwtheader, jwtparam ]
    searchguard.basicauth.enabled: false
    searchguard.jwt.enabled: true
    searchguard.jwt.url_param: jwtparam
    searchguard.jwt.header: jwtheader

On the requestHeadersWhitelist line: I tried using Authorization at the beginning without any luck. Using jwtheader is what is working for me; technically that is the only header that needs to be whitelisted, but I am giving you what we have got working.

in sg_config.yml:

    authc:
      kerberos_auth_domain:
        enabled: false
        order: 6
        http_authenticator:
          type: kerberos # NOT FREE FOR COMMERCIAL USE
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop

      basic_internal_auth_domain:
        enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

      jwt_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: ""
            jwt_header: "jwtheader"
            jwt_url_parameter: "Authorization"
            roles_key: roles
            subject_key: name
        authentication_backend:
          type: noop

All other auth lines are not enabled.

Then I go to jwt.io and build the token; that was the easiest way to test it. On the right I leave the header as it is, and put this into the payload:

    {
      "name": "test123",
      "roles": "testing"
    }

(See the note below on "roles", as this doesn't get evaluated.)

For the signature I enter my key, and tick the box under it, 'secret base64 encoded'. You can also put the time/date that the token should expire in this format:

    "exp": 1300819380

For the URL, if you're using Kibana, use https://KIBANA_SERVER:5601/?jwtparam= to just log in. If you want to load a dashboard directly (I can't see why else you would be using tokens to log in unless you were), then this is the URL format:

    https://KIBANA_SERVER:5601/app/kibana?jwtparam=#/dashboard/AV7Mz9jx9L52N7SG5J_D?embed=true&_g=(refreshInterval:(display:Off,pause:!f,value:0),…

To get this, just go into the Kibana dashboard, click on Share - iframe and copy the URL. Remove everything at the front up to and including the ", and everything at the back up to and including the ". Then insert the jwtparam= section between kibana and #/dashboard.

If you're using Elasticsearch directly, then go to https://ES_SERVER:9200//?Authorization=

You don't need to touch the sg_internal_users.yml file; it took me quite a while to work this out (mainly due to the point I make below). You do however need to map the username you passed to generate the JWT (test123 in my case) to a role in sg_roles_mapping.yml, otherwise you will not see any data, as you're authenticated but not authorized.

I mentioned that the roles passed in the token are not being evaluated by JWT. I found this after days of troubleshooting why some usernames would show me data and others would not. I have posted this separately, so let's hope the team at SG can shed some light on what is causing this.

Hope this helps. It took me weeks to get to this point, but without knowing the issue with the roles not being passed in the token, we are stuck.

Paul


On Tuesday, November 14, 2017 at 1:59:43 AM UTC+11, Search Guard wrote:

Look into the logfiles for errors.

Most likely your signing_key is not valid (do you use HMAC or RSA?).

Please refer also to https://github.com/floragunncom/search-guard-docs/blob/master/jwt.md


Thank you for your response,
Yes, I use HMAC.


Le lundi 13 novembre 2017 15:59:43 UTC+1, Search Guard a écrit :

Look into the logfiles for errors.

Most likely your signing_key is not valid (do you use HMAC or RSA?).

Please refer also to https://github.com/floragunncom/search-guard-docs/blob/master/jwt.md


Maybe you just have a typo in your post, but to make sure:

"
    config:
      signing_key: "base64 encoded key"
      jwt_header: "Authorization"
      jwt_url_parameter: null
      subject_key: null
      roles_key: null

In my request I added an Authentication header with the Bearer token, as mentioned in the official documentation of JSON web tokens.
"

You write you added an Authentication header in your HTTP request, but in sg_config you configured the header to be Authorization:

    jwt_header: "Authorization"


On Wednesday, November 15, 2017 at 2:22:46 PM UTC+1, Fbo wrote:

Thank you for your response,
yes i use HMAC.

Le lundi 13 novembre 2017 15:59:43 UTC+1, Search Guard a écrit :

Look into the logfiles for errors.

Most likely your signing_key is not valid (do you use HMAC or RSA?).

Please refer also to https://github.com/floragunncom/search-guard-docs/blob/master/jwt.md

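Two things in this thread are easy to check offline before touching a cluster: Paul's walkthrough (HS256 token built on jwt.io with "secret base64 encoded" ticked, name/roles/exp claims, token sent in the header or URL parameter named in sg_config.yml), and the last reply's point that a header called Authentication is never read when jwt_header says Authorization. The script below is an added example, not Search Guard's or the forum's code. It assumes the lookup order header-then-URL-parameter, case-insensitive header matching, an optional "Bearer " prefix, and a fall-back to the standard sub and roles claims when subject_key/roles_key are null; these are this example's choices, not a statement of Search Guard internals. The secret and all claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (not a real key). sg_config.yml's signing_key holds the
# base64 encoding of the raw HMAC secret, which is why the same value pasted into
# jwt.io needs the "secret base64 encoded" box ticked to produce a matching signature.
RAW_SECRET = b"constructed-demo-secret-do-not-reuse-anywhere"


def encode_signing_key(raw: bytes) -> str:
    """Turn a raw HMAC secret into the form sg_config.yml expects."""
    return base64.b64encode(raw).decode()


SIGNING_KEY_B64 = encode_signing_key(RAW_SECRET)


def b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, signing_key_b64: str) -> str:
    """Build an HS256 token the way jwt.io does with the base64 box ticked."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    key = base64.b64decode(signing_key_b64)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256_jwt(token: str, signing_key_b64: str, now=None):
    """Return the claims if alg, signature and exp check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    # The verifier fixes the algorithm; the token header must merely agree with it.
    if header.get("alg") != "HS256":
        return None
    key = base64.b64decode(signing_key_b64)
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        return None
    return payload


def extract_token(headers: dict, query: dict, jwt_header: str, jwt_url_parameter=None):
    """Look only where the config says: the named header (case-insensitive, optional
    'Bearer ' prefix), then the named URL parameter. A differently named header such
    as 'Authentication' is simply never consulted (assumed lookup order)."""
    for name, value in headers.items():
        if name.lower() == jwt_header.lower():
            return value[7:] if value.lower().startswith("bearer ") else value
    if jwt_url_parameter and jwt_url_parameter in query:
        return query[jwt_url_parameter]
    return None


def authenticate(headers: dict, query: dict, config: dict, now=None):
    """(subject, roles) on success; None when this auth domain would not match and
    the request falls through to the next one. Null subject_key/roles_key default to
    'sub'/'roles' (this example's assumption); a roles string is split on commas."""
    token = extract_token(headers, query, config["jwt_header"], config.get("jwt_url_parameter"))
    if token is None:
        return None
    claims = verify_hs256_jwt(token, config["signing_key"], now)
    if claims is None:
        return None
    subject = claims.get(config.get("subject_key") or "sub")
    if not subject:
        return None
    roles = claims.get(config.get("roles_key") or "roles", [])
    if isinstance(roles, str):
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    return subject, list(roles)


if __name__ == "__main__":
    cfg = {"signing_key": SIGNING_KEY_B64, "jwt_header": "jwtheader",
           "jwt_url_parameter": "jwtparam", "subject_key": "name", "roles_key": "roles"}
    token = make_hs256_jwt({"name": "test123", "roles": "testing",
                            "exp": int(time.time()) + 300}, SIGNING_KEY_B64)
    print(authenticate({"jwtheader": token}, {}, cfg))                  # ('test123', ['testing'])
    print(authenticate({"Authentication": "Bearer " + token}, {}, cfg))  # None: header name not in config
```

With the original poster's settings (jwt_header "Authorization", subject_key null) the same code returns None for a request carrying an Authentication header and a subject only when the token has a sub claim, which is the combination of mismatches the thread circles around. Running the script with a deliberately wrong signing_key or an expired exp also yields None, so it doubles as a check of a key before it goes into sg_config.yml.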