JWT token in Searchguard

Hi,

I am trying to authorize Search Guard by JWT token. I am getting an unknown kid error.

sg_config.xml:

```yaml
jwt_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 2
  http_authenticator:
    type: jwt
    challenge: false
    config:
      jwt_header: "Authorization"
      roles_key: "roles"
      subject_key: "preferred_username"
      signing_key: |-
        -----BEGIN PUBLIC KEY-----
        MIICpzCCAY8CBgFpTiBqCzANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxrZXJiZXJvcy1jbGkwHhcNMTkwMzA1MTM1MDQxWhcNMjkwMzA1MTM1MjIxWjAXMRUwEwYDVQQDDAxrZXJiZXJvcy1jbGkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbTGqSjBEhYXLJJOtbeb19udAM473zEcv3DukKU7RBUng+pibYTAFqPwqCqR79t1UlE9J4V7yd87OMgQ8TuEfWUO1o1RgW/E0UzDictYZbCsf2sfWD+CBoTJ9HbwDKnrZrKcQYhqjZXiYdQg+Scb9/otpvMr3p/OAZYqIWJZBPfvD6+jY1RPzhHU6y/HXL02LAzxc+r0W6W9W/eulyOa9HySqNUmwWYPpCN5gkk7WDXCIPhi2wLxQzlOYxnh1P5PHNCThmVNCHRIGEMGe+D/tKOGbalArd+AWMrmOmFVQMGD50KkI9HyOWsFHs8CkgvSEAKeoYuQyIPw3BlrmQdCShAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFeRBeknYjxQg1xggisyHFqJYISOSeJY1R78qCF60fDDMAXdtXwr938BlGsG5bPx0edlJ4gIYHB9JrpQpdka22notKFx92Q6m/KLL+926oL8O7WLw3wTdnMJJYTwQB3pYw6S3i0E3Y16k7NpVp90/ui/HhMcQRYpqGR2dOU70XWcrXMShk01DNAA//eSCFOBTw8WCN5ZraJMqbh6Umd52eyD/Cfo68bGE5U5waEWBzjJqeKr10+7jNxlVFnFZM/D5Y3rymP5pqWjI11TjTscXK+EigIHURz9c+qo+tM1t6YHu9B2+pqjlD5tvBMVnxWrXJQUqdeABkklsYLqndEqzqA=
        -----END PUBLIC KEY-----
  authentication_backend:
    type: noop
```

My logs generated in Elasticsearch:

```
[2019-03-12T07:18:44,157][INFO ][c.f.d.a.h.j.AbstractHTTPJwtAuthenticator] Extracting JWT token from eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJyOHNIamYyTGdWYkp2T3ZjeXlPV2pZNG5WdkoxN1g1NlpxTlZCZjFQV1BRIn0.[...].OkpktNV_o_tcW2ABoZbGpWegj_yqBWakk6gL7MghxsvqDRsUx4Z3R9p2F9C8cjNeX0WtM4b_p6c9DyABqGk-cccKCrUCMqJixgQQqUZT7Z-jTpoS6F9AQTq9X-Ok9eD3WvE0tYzZNTtZf_XMOlVD2xRq0gOQF1z8uUGq_f0gr_BYtUxazVA0iV_a_noOE8L5rBaQnKBfN0Hhht-SYgD5Weu3fxy8nRaDp8ZZlsr2LAA8FKA8HF6viv4ddJOg7M6M33BgdDSALCQ2B9CrjdVvmeqErgDO_nx1l7zhLLr0Owr35biizguPx-r9e81wQ8K_qySfwONdYALcrynzwVBVZA failed
com.floragunn.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid r8sHjf2LgVbJvOvcyyOWjY4nVvJ17X56ZqNVBf1PWPQ
```

There seems to be a mismatch between the configuration you sent and the log messages. You configured:

```yaml
type: jwt
```

which is correct if you just send JWTs and do not use OpenID. The error message, however, involves classes from the OpenID authenticator, which would be configured by using:

```yaml
type: openid
```

Can you attach the complete sg_config.yml please? Do you use any OpenID provider / IdP like Okta, Keycloak or the like?

On Tuesday, March 12, 2019 at 8:21:33 AM UTC+1, balu 23 wrote:

> [...]
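Two checks worth running on the material in this thread, as an added example in standard-library Python (written for this page; it is not code from the post, the reply, or Search Guard): decoding the token's JOSE header to read the kid and alg it advertises, and sniffing the DER inside the configured signing_key PEM to tell a SubjectPublicKeyInfo (what a BEGIN PUBLIC KEY block carries) from an X.509 certificate. The token header is taken verbatim from the log above; only the first 64 base64 characters of the posted signing_key are embedded, which is all the sniff reads, and the contrasting SubjectPublicKeyInfo prefix is constructed. No signature verification is performed.

```python
# Added example for this thread (standard-library Python; not code from the post
# or from Search Guard). Two checks to run on the material above before editing
# sg_config.yml:
#   1. decode the JWT's JOSE header to see which kid and alg the token carries;
#   2. sniff the DER inside the configured signing_key PEM to tell a bare
#      SubjectPublicKeyInfo (what a "BEGIN PUBLIC KEY" block carries per
#      RFC 7468) from an X.509 certificate, whose outer SEQUENCE opens with a
#      nested TBSCertificate SEQUENCE instead of an AlgorithmIdentifier.
# No signature is verified here; the point is to look at what is being compared.
import base64
import json

# Header segment of the token quoted in the Search Guard log in this thread
# (the payload and signature segments are not needed for the header check).
POSTED_JWT_HEADER = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJyOHNIamYy"
    "TGdWYkp2T3ZjeXlPV2pZNG5WdkoxN1g1NlpxTlZCZjFQV1BRIn0"
)

# The first 64 base64 characters of the signing_key posted above, wrapped in the
# headers the post used. The sniff only needs the leading DER bytes, so the
# rest of the key is omitted here.
POSTED_SIGNING_KEY_HEAD = """-----BEGIN PUBLIC KEY-----
MIICpzCCAY8CBgFpTiBqCzANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxrZXJi
-----END PUBLIC KEY-----
"""

# Constructed for contrast: the leading bytes of a real SubjectPublicKeyInfo,
# SEQUENCE { SEQUENCE { OID rsaEncryption, NULL } ... }, truncated after the
# AlgorithmIdentifier because the sniff never reads further.
CONSTRUCTED_SPKI_PEM = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----\n".format(
    base64.b64encode(bytes.fromhex("300f300d06092a864886f70d0101010500")).decode()
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Parse the JOSE header, i.e. the first '.'-separated segment of a compact JWT."""
    return json.loads(b64url_decode(token.split(".")[0]))


def pem_label(pem: str) -> str:
    """Text between '-----BEGIN ' and '-----' on the first line, e.g. 'PUBLIC KEY'."""
    first = pem.strip().splitlines()[0].strip()
    return first[len("-----BEGIN "):-len("-----")]


def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and base64-decode the body."""
    lines = (line.strip() for line in pem.strip().splitlines())
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, length, offset of the content) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: the next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def der_kind(der: bytes) -> str:
    """Classify a DER blob by its first few tags without fully parsing it."""
    tag, _, pos = _der_tlv(der, 0)
    if tag != 0x30:
        return "not-a-sequence"
    tag, _, inner = _der_tlv(der, pos)
    if tag == 0x02:                       # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
        return "pkcs1-rsa-public-key"
    if tag != 0x30:
        return "unknown"
    tag, _, _ = _der_tlv(der, inner)
    if tag == 0x06:                       # AlgorithmIdentifier opens with an OID
        return "subject-public-key-info"
    if tag in (0xA0, 0x02):               # TBSCertificate opens with [0] version or the serial INTEGER
        return "x509-certificate"
    return "unknown"


def check_signing_key(pem: str):
    """Return (PEM label, DER kind, whether the label and the bytes agree)."""
    label, kind = pem_label(pem), der_kind(pem_to_der(pem))
    agrees = (label, kind) in {
        ("PUBLIC KEY", "subject-public-key-info"),
        ("RSA PUBLIC KEY", "pkcs1-rsa-public-key"),
    }
    return label, kind, agrees


if __name__ == "__main__":
    hdr = jwt_header(POSTED_JWT_HEADER)
    print("token says alg=%s kid=%s" % (hdr["alg"], hdr["kid"]))
    for name, pem in (("posted signing_key", POSTED_SIGNING_KEY_HEAD),
                      ("constructed SPKI", CONSTRUCTED_SPKI_PEM)):
        print("%s: %r" % (name, check_signing_key(pem)))
```

On the posted material the header decodes to alg RS256 and the kid quoted in the exception, and the key body classifies as an X.509 certificate: its DER starts 30 82 02 a7 30 82 01 8f 02 06, that is SEQUENCE, SEQUENCE, INTEGER (a serial number), where a SubjectPublicKeyInfo shows SEQUENCE, SEQUENCE, OID. With a static signing_key there is no kid to look up, so a key-by-kid exception points at the OpenID path the reply describes; the PEM check is worth doing regardless, because a certificate pasted between PUBLIC KEY headers is not a public key and will not parse as one.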