Failed login is not visible in log

I am using ror enterprise with jwt auth. The jwt is being passed in a header from the reverse proxy. I had this working fine, but after some changes it stopped working. The problem now is that I can’t see anything in the logs. Did you stop sending failed logins to the log?

Now I just get redirected to the login page in Kibana and nothing is visible in the logs. I need to see the failed jwt login to be able to find out what’s wrong. Now I am not sure if the reverse proxy is adding the header or not, or if there is something else wrong with my config.

Would love to help, but you are not providing enough information :frowning:

The log lines in ROR have a “HDR:” section with the list of headers.

Thanks for the reply. Sorry, was probably a bit unclear when I wrote this post.

Here is what I mean:

  1. I go to https://mydomain.com/kibana in my web-browser and the expected behavior is that I will be logged in automatically since my reverse proxy is supposed to add a header with jwt. However I am being sent to the ror-login page instead.
  2. Since the login failed I expect that the elasticsearch log-file will contain some lines with FORBIDDEN where I can see if the header is missing. However, there are no log-lines from the failed login.

So my question is: when using jwt header for SSO and the user is not automatically logged in, why can I not see this in elasticsearch.log?

I do not have access to the reverse proxy server myself so that is why I wanted to verify that the jwt-header is actually included in the requests. I used tcpdump on the kibana/ror-server and found out that the header was missing. However, it would be easier to see this if I saw some log lines for the requests.

Ideally I would like to disable the login page completely, and if a user’s sso-attempt fails it should be logged as FORBIDDEN and the user should be redirected to an error page instead of the login page (which is useless for the user anyways).

So this is not really a ROR-issue, but just something that went wrong after some changes to our infrastructure in the test-environment. In this case, I think it would be easier to debug if ROR had the behavior described above.

Thanks :slight_smile:

Oh I got it. Yeah would be cool to have a log line in debug mode to print the path, method, and header names in the incoming request (which are not towards static files, maybe otherwise it’s a lot of garbage log) when in debug mode. Will add.

About the user being redirected to login form when ROR is not able to authenticate, you can configure ReadonlyREST enterprise to have a custom login and/or logout URL.
