JWT invalid even when actually valid

ES Information

```json
{
  "name" : "elasticsearch",
  "cluster_name" : "searchguard_demo",
  "cluster_uuid" : "YoFc8ZcMRquVm4XZ6y_SYQ",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "ccec39f",
    "build_date" : "2018-04-12T20:37:28.497551Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
```

From ES Debug Logs:

```
[2018-05-03T20:29:23,659][DEBUG][c.f.s.s.ReflectionHelper ] Loaded module Module [type=JWT_AUTHENTICATION_BACKEND, implementing class=com.floragunn.dlic.auth.http.jwt.HTTPJwtAuthenticator]
[2018-05-03T20:29:23,660][DEBUG][c.f.s.s.ReflectionHelper ] Loaded module Module [type=INTERNAL_USERS_AUTHENTICATION_BACKEND, implementing class=com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend]
[2018-05-03T20:29:23,660][DEBUG][c.f.s.s.ReflectionHelper ] Loaded module Module [type=HTTP_BASIC_AUTHENTICATOR, implementing class=com.floragunn.searchguard.http.HTTPBasicAuthenticator]
[2018-05-03T20:29:23,660][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
[2018-05-03T20:29:23,662][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Info: SearchGuardLicense [uid=00000000-0000-0000-0000-000000000000, type=TRIAL, issueDate=2018-04-27, expiryDate=2018-06-27, issuedTo=The world, issuer=floragunn GmbH, startDate=2018-04-27, majorVersion=6, clusterName=*, allowedNodeCount=2147483647, msgs=, expiresInDays=54, isExpired=false, valid=true, action=, prodUsage=Yes, one cluster with all commercial features and unlimited nodes per cluster., clusterService=org.elasticsearch.cluster.service.ClusterService@784ba8e, getMsgs()=, getExpiresInDays()=54, isExpired()=false, isValid()=true, getAction()=, getProdUsage()=Yes, one cluster with all commercial features and unlimited nodes per cluster.]
```

When I make a request to Search-Guard:

```
curl -k -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImpvaG5kb2UiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3M30.uwMCHhodsEOUAQ9wbaAuO7Un7YvcDc-D-JAPS0wjSx0" https://localhost:9200

Unauthorized
```

and I see this error in ES logs:

```
[2018-05-03T20:35:27,308][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from jwt http authenticator
[2018-05-03T20:35:27,317][DEBUG][c.f.d.a.h.j.HTTPJwtAuthenticator] Invalid or expired JWT token.
io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
......
......
[2018-05-03T20:35:27,323][DEBUG][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-05-03T20:35:27,323][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
```

My sg_config looks like this and I have run sgadmin after updating signing_key:

```yaml
basic_internal_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 4
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: intern
proxy_auth_domain:
  http_enabled: false
  transport_enabled: false
  order: 3
  http_authenticator:
    type: proxy
    challenge: false
    config:
      user_header: "x-proxy-user"
      roles_header: "x-proxy-roles"
  authentication_backend:
    type: noop
jwt_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: "dHJ5LXRoaXMtc2hpdA=="
      jwt_header: "Authorization"
      jwt_url_parameter: null
      roles_key: null
      subject_key: null
  authentication_backend:
    type: noop
clientcert_auth_domain:
  http_enabled: false
  transport_enabled: false
  order: 2
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn #optional, if omitted DN becomes username
    challenge: false
  authentication_backend:
    type: noop
ldap:
```

You need to check the "secret base64 encoded" checkbox on jwt.io, or enter your plaintext secret (try-this-shit).


On 03.05.2018 at 22:57, .mni <gsaxam@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
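To make the reply concrete, here is an added example (not part of the thread and not Search Guard's own code): a standard-library-only Python HS256 signer and verifier. It models the server side the way the reply describes it, with the `signing_key` in `sg_config` being the base64 encoding of the HMAC secret, so the verifier base64-decodes it before computing the MAC. The payload is the one decoded from the token in the question; the secret `sample-secret` and all function names are constructed for this example.

```python
"""HS256 JWT sign/verify: why a base64-encoded signing_key mismatches jwt.io.

Added example for the Search Guard thread above; the secret, the base64
string and the helper names are constructed, not the thread's real values.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; re-adds the padding JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS with alg=HS256 over `payload` using `key` bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the signature matches under `key`, else None.

    Mirrors what the server does: recompute the MAC over header.payload and
    compare it in constant time. Only HS256 is accepted, so a header that
    names another algorithm (or 'none') is rejected before any MAC check.
    """
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            key, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return None
        return json.loads(b64url_decode(payload_seg))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None


# Constructed secret for this example (not the thread's real key).
PLAINTEXT_SECRET = b"sample-secret"
# What goes into sg_config's signing_key: the base64 encoding of the secret.
SIGNING_KEY_B64 = base64.b64encode(PLAINTEXT_SECRET).decode("ascii")
# The server (as the reply describes) decodes signing_key before verifying.
SERVER_KEY = base64.b64decode(SIGNING_KEY_B64)

# Claims decoded from the token in the question.
PAYLOAD = {"username": "johndoe", "iat": 1516239022, "exp": 1656723873}


def token_signed_with_plaintext() -> str:
    """What jwt.io produces with the plaintext secret typed in, or with the
    base64 string pasted and 'secret base64 encoded' ticked: both sign with
    the raw secret bytes."""
    return sign_hs256(PAYLOAD, PLAINTEXT_SECRET)


def token_signed_with_b64_text_as_key() -> str:
    """The mistake in the thread: the base64 string pasted into jwt.io with
    the checkbox unticked, so the ASCII characters of the base64 text become
    the HMAC key instead of the bytes they encode."""
    return sign_hs256(PAYLOAD, SIGNING_KEY_B64.encode("ascii"))


def server_accepts(token: str) -> bool:
    """True if the server-side verifier (decoded signing_key) accepts it."""
    return verify_hs256(token, SERVER_KEY) is not None


if __name__ == "__main__":
    print("signing_key in sg_config:", SIGNING_KEY_B64)
    print("plaintext-secret token accepted:", server_accepts(token_signed_with_plaintext()))
    print("base64-text-as-key token accepted:", server_accepts(token_signed_with_b64_text_as_key()))
```

Running it shows the second token rejected with exactly the class of failure in the log above (signature does not match the locally computed one): the key material differs, not the claims. The verifier pins `alg` to HS256 and compares MACs with `hmac.compare_digest`; both are what a server-side JWT check should do regardless of which key encoding is in use.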

Thanks! Could you please give me a payload example to feed into jwt.io so that the token can log in using admin:admin?