Forbidden by default when trying to use JWT

Hi.I am trying to implement JWT Auth with Readonlyrest.
My conf is :


    audit_collector: true

    - name: "::PUBLIC SEARCHBOX::"
      hosts: [""]
      type: allow
      kibana_access: rw
      groups: ["default"]

    - name: "JWT Auth"
      type: allow
      groups: ["test"]
      kibana_access: admin
        name: "JWT_Login"
    - name: JWT_Login
      signature_algo: HS256
      signature_key: "justtesting"
      user_claim: username
      header_name: Authorization


    - username: kibana
      auth_key: kibana:kibana
      groups: ["default"]

    - username: test
      auth_key: test:test
      groups: ["test"]

the error i am getting is :
FORBIDDEN by default req={ ID:1295785472-2023744454#41, TYP:NodesInfoRequest, CGR:N/A, USR:test, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:, DA:, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{authorization=Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwidXNlcm5hbWUiOiJ0ZXN0IiwiaWF0IjoxNTI5MjkxNzk0fQ.M-hqKN6LShXA45TzgIyw8Kq7tpoS-A1JB_stwO23inc, Connection=close, Authorization=<OMITTED>, content-length=0, Host=localhost:9200}, HIS:[::PUBLIC SEARCHBOX::->[groups->false]], [JWT Auth->[groups->false, jwt_auth->true]] }

The token is :

I have followed the docs and I am just trying to do a basic implementation to see if works.
I cannot understand what i am doing wrong.
Thank you very much for your assistance :slight_smile:

Remove this, as you are already authenticating the user via JWT token.

Hi.It worked now! Thank you very much.

1 Like

Hi.Another question.Is there a way to authenticate to elasticsearch itself with JWT instead of kibana ?

I could possibly achieve it with the external HTTP authentication ,to authenticate with JWT in kibana and after that to receive 200 ok and proceed.Is there any other way?
Thank you very much.

ES is able to check the digest of your JWT token in the Authorization header, as you experimented above. No Kibana involved in this flow.

I think it could work, as external authentication will forward the Authorization header. In this case, no need for the JWT settings block in ROR of course, as the authentication is external.

Thank you very much!

1 Like