JWT clarification

Hi

Can I get some clarification on JWT, as we are considering using Kibana/SG (using JWT) for our web app. I have looked at the documentation.

I can see there are sample configurations for SG, but I am looking for clarification on the payload.

I have done some research on JWT - and I understand the concept - but am struggling to put that concept into the SG world.

If we are going to have 20 users and 10 roles (for example), do we need to add the users to the SG internal DB? Or do we just add the roles into the internal DB and have the role passed in the payload?

Also, which fields are required in the payload?

Thanks

JWT tokens are self-contained; they usually carry the user name and the user's roles, amongst other, self-defined claims. Thus, for JWT authentication, you do not need the internal user database at all. The internal user database is only useful if you do not have any other means of authentication/authorization.

The concept is really simple:

The JWT token contains user information and role information in JSON format, as the name implies.

First, tell SG where to find this information in the JWT by setting the following configuration keys in sg_config.yml:

subject_key: <key for the user name / subject>
roles_key: <key for the user's roles>

Then simply map the user name, the roles, or both in sg_roles_mapping according to your needs. This will map the JWT to one or more SG roles where you can then define the respective access permissions.

On Monday, October 16, 2017 at 11:21:28 AM UTC+2, Paul Azad wrote:

Hi

Can i get some clarification on JWT as we are considering using Kibana/SG (using JWT) for our web app. I have looked at the documentation

I can see there are sample configuration for the SG configuration, but i am looking for clarification on the payload.

I have done some research on JWT - and i understand the concept - but am struggling to put that concept into the SG world.

If we are going to have 20 users, and 10 roles (for example), do we need to add the users to the SG internal DB? Or do we just add the roles into the internal DB and have the role passed in the payload?

Also which fields are required in the payload?

Thanks

Hi Jochen

Thanks for the reply. Sorry, but I am still not clear. What are the minimum lines we need in the JWT payload? From my understanding, and looking at your wiki, it's exp and roles:

{
  "exp": 1300819380,
  "roles": "admin"
}

Is this correct?


The absolute bare minimum information the token has to contain is the username. How this username field / claim is called in the token is configurable in the JWT configuration, example:

Token:

{
  "username": "jdoe"
}

Config:

jwt_auth_domain:
  http_authenticator:
    type: jwt
    config:
      signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
      jwt_header: "Authorization"
      subject_key: "username"

You can then map this username to SG roles.


Hi

But that would mean we need to map the username to a role in the sg_roles_mapping, right?

If we don't want to update the sg_roles_mapping.yml file, we need to also have the role in the token, right?


Yes. Please refer also to the Search Guard Main Concepts / Authentication Flow chapter:

Your question was “What is the minimum lines we need in the JWT payload?”, and that’s username only.

If you want to work with roles to make the mapping easier, then you also need to add one or more roles in the JWT role claim. Then, simply use this / these role name(s) for the mapping. That way sg_roles_mapping.yml can stay untouched.

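As an added example (not code from this thread or from Search Guard itself), the flow Jochen describes in his replies: a web app issues an HS256 token whose bare minimum is the `username` claim, optionally with a roles claim, and the receiving side verifies it against a pinned key, reads the claims named by `subject_key` / `roles_key`, and resolves them to SG roles through a mapping. The signing key, the users and roles, and the `JWT_CONFIG` / `SG_ROLES_MAPPING` dicts are constructed here to stand in for sg_config.yml and sg_roles_mapping.yml; Search Guard's own parsing is not reproduced.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example: the HMAC key, users and roles are invented.
SIGNING_KEY = base64.b64encode(b"demo-only-hmac-secret-not-for-production").decode()
# Mirrors the sg_config.yml keys from the thread: which claims hold subject and roles.
JWT_CONFIG = {"subject_key": "username", "roles_key": "roles"}
# Hypothetical sg_roles_mapping.yml content: SG role -> JWT roles (backendroles) or users.
SG_ROLES_MAPPING = {
    "sg_admin": {"backendroles": ["admin"]},
    "sg_readonly": {"backendroles": ["viewer"], "users": ["auditor"]},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Build an HS256 JWT as the web app would before sending it to Kibana/SG."""
    key = base64.b64decode(SIGNING_KEY)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token: str, now=None) -> dict:
    """Check signature and exp, then resolve SG roles the way the JWT domain + mapping does."""
    header, payload, sig = token.split(".")
    # Pin the algorithm: never let the token's own 'alg' choose the verification method.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = base64.b64decode(SIGNING_KEY)
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if "exp" in claims and claims["exp"] <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    user = claims.get(JWT_CONFIG["subject_key"])
    if not user:
        raise ValueError("subject claim missing: the username is the bare minimum")
    roles = claims.get(JWT_CONFIG["roles_key"], [])
    if isinstance(roles, str):  # the thread's example passes a single role as a string
        roles = [roles]
    sg_roles = sorted(name for name, m in SG_ROLES_MAPPING.items()
                      if set(m.get("backendroles", [])) & set(roles)
                      or user in m.get("users", []))
    return {"user": user, "backend_roles": roles, "sg_roles": sg_roles}
```

A token with only `username` authenticates and is mapped by user name; adding a roles claim lets the mapping key on the role instead, which is the "sg_roles_mapping.yml can stay untouched" case.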

Hi

Great, I hadn't come across that doc - but it makes more sense now.

thanks