JWT Token authentication getting forbidden issue


(Mohankumar) #1

Hi Team,

I am facing some forbidden access while using jwt token, I knew the user not allowed to access, help me to address this issue.

My JWT Token is :–

eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1NDIwMDgzOTEsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJtb2hhbiIsImV4cCI6MTU0MjA2ODM5MX0.qAp7roV43hTgwQQSIVs5oX_mdL1x_9wQCVOvo1ltDjl9kTbREGqp-glVCoZNmfgRvHbSKQBzeRVB5hVjlRVpbw

decoded value -

{“alg”:“HS512”}{“iat”:1542008391,“iss”:“com.abc”,“user_claim”:“mohan”,“exp”:1542068391}*^780AVh^[email protected]%Ne8DDA U
Mv)�syAcio

and my readonlyrest.yml as follows

readonlyrest:
# IMPORTANT FOR LOGIN/LOGOUT TO WORK WITH ROR PLUGIN FOR KIBANA
prompt_for_basic_auth: false

access_control_rules:

#####################################################################################
# These credentials have no limitations, and shall be used only by the Kibana deamon.
#####################################################################################
- name: "::KIBANA-SRV::"
  auth_key: kibana:kibana
  verbosity: error

- name: Valid JWT token with a viewer role
  kibana_access: ro
  jwt_auth:
    name: "jwt_provider_1"
    roles: ["viewer"]
  
    
- name: Valid JWT token with a writer role
  kibana_access: rw
  jwt_auth:
    name: "jwt_provider_1"
    roles: ["writer"]
    
jwt: 
- name: jwt_provider_1
  signature_algo: HS512
  signature_key: "eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsImlzcyI6ImNvbS5zZWN1cmVpcSIsImV4cCI6MTUzODQ4MDAwMn0"
  user_claim: user
  roles_claim: resource_access.client-app.roles # JSON-path style
  header_name: Authorization

I am getting the following exception the continuously elasticsearch.log

[2018-11-12T07:44:12,024][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1310574987-1181151371#41913, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]], [Valid JWT token with a writer role->[jwt_auth->false]] }

[2018-11-12T07:44:12,155][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1466361979-730537051#41916, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]], [Valid JWT token with a writer role->[jwt_auth->false]] }

[2018-11-12T07:44:12,285][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:692634975-941180594#41917, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]], [Valid JWT token with a writer role->[jwt_auth->false]] }


(Mohankumar) #2

Also please mention the available key factories for jwt authentication


(Simone Scarduzio) #3

Hi @mohankumar,

We updated the JWT library version and the minimum key length now is 256, please check with your ES logs, there should be an exception being thrown that mentions exactly this. I should change the example in the documentation btw.

EDIT changed the docs!

EDIT AFAIK we support all the algorithms except elliptic curve at the moment (requires some fix in our code).


(Mohankumar) #4

Hi Simone,

I have changed my key to 256 chars as follows

jwt:
- name: jwt_provider_1
signature_algo: HS512
signature_key: “eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsImlzcyI6ImNvbS5zZWN1cmVpcSIsImV4cCI6MTUzODQ4MDAwMn0eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsImlzcyI6ImNvbS5zZWN1cmVpcSIsImV4cCI6MTUzODQ4MDAwMn0eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsIasfmlzcy”
user_claim: user
roles_claim: resource_access.client-app.roles # JSON-path style
header_name: Authorization

[2018-11-12T11:06:09,777][INFO ][t.b.r.e.IndexLevelActionFilter] [10.2.1.25] Settings observer refreshing…
[2018-11-12T11:06:09,787][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::KIBANA-SRV::’, policy: ALLOW, rules: [auth_key]}
[2018-11-12T11:06:09,787][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS512 KeyFactory not available
[2018-11-12T11:06:09,787][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘Valid JWT token with a viewer role’, policy: ALLOW, rules: [kibana_access, jwt_auth]}
[2018-11-12T11:06:09,788][INFO ][t.b.r.e.IndexLevelActionFilter] [10.2.1.25] Configuration reloaded - ReadonlyREST enabled
[2018-11-12T11:06:10,076][INFO ][t.b.r.e.SettingsObservableImpl] all ok, written settings

I am getting the following error [2018-11-12T11:06:09,787][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS512 KeyFactory not available

Is there anything i am missing to add


(Mohankumar) #5

Hi simone,

In addition to that while debugging i am getting the following, could you help me to figure out this.

[2018-11-12T14:55:03,076][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1163715800-1484612747#3323, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:10.2.1.25, IDX:<N/A>, MET:GET, PTH:/readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleUp6ZFdJaU9pSXhNak0wTlRZM09Ea2lMQ0pwWVhRaU9qRTFNemcwTnprNU5ESXNJbWx6Y3lJNkltTnZiUzV6WldOMWNtVnBjU0lzSW1WNGNDSTZNVFV6T0RRNE1EQXdNbjAiLCJpYXQiOjE1NDIwMDcyNjUsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJraWJhbmEiLCJleHAiOjE1NDIwNjcyNjR9.F9KubbSxbtuWmi3hhW00NjnXpujKnI6kg5t4edyr5LdEcs0ctHOge5pynu2bd0RtOuWFCCngfQTdt8yhXO-qw, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]] }
[2018-11-12T14:55:03,159][DEBUG][t.b.r.a.ACL ] checking request:1319830526-1198912710#3324
[2018-11-12T14:55:03,159][DEBUG][t.b.r.a.b.r.i.AuthKeySyncRule] Basic auth header or auth key not present!
[2018-11-12T14:55:03,159][DEBUG][t.b.r.a.b.Block ] [::KIBANA-SRV::] the request matches no rules in this block: { ID:1319830526-1198912710#3324, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:10.2.1.25, IDX:<N/A>, MET:GET, PTH:/readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleUp6ZFdJaU9pSXhNak0wTlRZM09Ea2lMQ0pwWVhRaU9qRTFNemcwTnprNU5ESXNJbWx6Y3lJNkltTnZiUzV6WldOMWNtVnBjU0lzSW1WNGNDSTZNVFV6T0RRNE1EQXdNbjAiLCJpYXQiOjE1NDIwMDcyNjUsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJraWJhbmEiLCJleHAiOjE1NDIwNjcyNjR9.F9KubbSxbtuWmi3hhW00NjnXpujKnI6kg5t4edyr5LdEcs0ctHOge5pynu2bd0RtOuWFCCngfQTdt8yhXO-qw, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]] }
[2018-11-12T14:55:03,161][DEBUG][t.b.r.a.b.Block ] [Valid JWT token with a viewer role] the request matches no rules in this block: { ID:1319830526-1198912710#3324, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:10.2.1.25, IDX:<N/A>, MET:GET, PTH:/readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleUp6ZFdJaU9pSXhNak0wTlRZM09Ea2lMQ0pwWVhRaU9qRTFNemcwTnprNU5ESXNJbWx6Y3lJNkltTnZiUzV6WldOMWNtVnBjU0lzSW1WNGNDSTZNVFV6T0RRNE1EQXdNbjAiLCJpYXQiOjE1NDIwMDcyNjUsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJraWJhbmEiLCJleHAiOjE1NDIwNjcyNjR9.F9KubbSxbtuWmi3hhW00NjnXpujKnI6kg5t4edyr5LdEcs0ctHOge5pynu2bd0RtOuWFCCngfQTdt8yhXO-qw, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]] }
[2018-11-12T14:55:03,161][DEBUG][r.suppressed ] path: /_readonlyrest/metadata/current_user, params: {}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: forbidden
at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:163) ~[?:?]
at tech.beshu.ror.acl.ACL.lambda$check$4(ACL.java:208) ~[?:?]
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) ~[?:1.8.0_131]
at tech.beshu.ror.acl.ACL.check(ACL.java:203) ~[?:?]


(Mohankumar) #6

Hi Simone ,

I have tried all the symmetric key algorithms,

[2018-11-12T17:48:01,841][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS256 KeyFactory not available
[2018-11-12T17:48:01,841][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS512 KeyFactory not available

I am getting the above exception, Is i missed anything to add


(Mohankumar) #7

I have worked with Assymetric ket with RSA, i am getting the following exception in debug mode

[2018-11-12T18:39:50,503][DEBUG][r.suppressed ] path: /_readonlyrest/metadata/current_user, params: {}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: forbidden
at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:163) ~[?:?]
at tech.beshu.ror.acl.ACL.lambda$check$4(ACL.java:208) ~[?:?]
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) ~[?:1.8.0_131]
at tech.beshu.ror.acl.ACL.check(ACL.java:203) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.handleRequest(IndexLevelActionFilter.java:158) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.lambda$apply$1(IndexLevelActionFilter.java:134) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at tech.beshu.ror.es.IndexLevelActionFilter.apply(IndexLevelActionFilter.java:130) ~[?:?]
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:139) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:81) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:87) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:76) ~[elasticsearch-6.3.0.jar:6.3.0]

Please suggest


(Simone Scarduzio) #8

Hi @mohankumar, in the JWT tests we run successfully with a HS256 JWT without specifying any algorithm.

i.e. simply like this:

jwt:
 - name: test-jwt
   signature_key: ".....your-key...."

(Simone Scarduzio) #9

Hi @mohankumar, the new 1.16.29 is out with support to the latest Kibana/ES 6.4.3, and revisited JWT signature check.

Also I updated the documentation, please have a look at the new section describing algorithms


(Mohankumar) #10

Thanks Simone, will try and get back you soon


(Mohankumar) #11

Hi Simone, JWT auth working perfectly now ,:slight_smile:

I have used the following to generate token, if anyone need please refer

Jwts.builder()
.signWith(io.jsonwebtoken.SignatureAlgorithm.HS512,TextCodec.BASE64.encode(“your_key”))
.setIssuedAt(new Date(System.currentTimeMillis()))
.setIssuer("")
.claim(“user”,“bob”)
.claim(“roles”,“writer”)
.compact();


(Simone Scarduzio) #12

Brilliant, we are using the same library too, haha!


(Mohankumar) #13

Hi Simone,

Facing a issue while integrating dahsboards, not sure issue with ROR, But the thing when i am trying to integrate using iframe with other applications,

Without ROR if i am directly integrating with iframe it’s working, But when tried to integrate with ROR, it’s authenticating using JWT successfully(session stored in cookie ), But it’s redirect to login page instead navigating to deep link url.

Found 302 error code whiler redirecting . I am using jwt token to authentication in 6.4.3 vesion.

Is anything i have to add in kibana side for ROR authentication ,skip login page redirection .

Please suggest


(Simone Scarduzio) #14

Hi @mohankumar,

Embedding a visualization via iframe while Kibana is protected by authentication means that the credentials have to pass as HTTP GET parameters. Please have a look at the JWT deep linking section of the docs.


(Mohankumar) #15

Hi Simone,

I have checked with jwt deep linking, The issue i am facing While i am integrating iframe.

The following is working using href or directly using browser tab ,it’s retrieving results.

a href=“https://10.2.1.18:5601/app/kibana#/home?_g=()?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg

But when i tried the same one using iframe like follows

iframe src=“https://10.2.1.18:5601/app/kibana#/home?_g=()?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg

It’s keep on sending request to kibana, But the authentication returns 200, But it’s still in loginpage and keep on trying , the follows i am getting in kibana with debug mode

log   [12:43:34.954] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/.

respons [12:43:34.955] GET / 302 1ms - 9.0B
log [12:43:34.967] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/login.
log [12:43:34.968] [debug][readonlyrest_kbn] try extract credentials from JSON
log [12:43:34.969] [debug][readonlyrest_kbn] try extract credentials from X_FORWARDED_USER
respons [12:43:34.968] GET /login 200 9ms - 9.0B
log [12:43:34.985] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/jquery-3.2.1.min.js.
respons [12:43:34.986] GET /plugins/readonlyrest_kbn/js/jquery-3.2.1.min.js 304 2ms - 9.0B
log [12:43:35.062] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/jquery.shake.js.
respons [12:43:35.063] GET /plugins/readonlyrest_kbn/js/jquery.shake.js 304 12ms - 9.0B
log [12:43:35.096] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/bootstrap.min.js.
respons [12:43:35.097] GET /plugins/readonlyrest_kbn/js/bootstrap.min.js 304 2ms - 9.0B
log [12:43:35.121] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/jquery.blockUI.min.js.
respons [12:43:35.122] GET /plugins/readonlyrest_kbn/js/jquery.blockUI.min.js 304 12ms - 9.0B
log [12:43:35.157] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/login?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg&nextUrl=%2F&username=test.
log [12:43:35.159] [debug][readonlyrest_kbn] forwarding whitelisted header for login attempt 0: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg
log [12:43:35.159] [debug][readonlyrest_kbn] groupCurrent not found in cookie, that’s ok.
log [12:43:35.160] [debug][readonlyrest_kbn] groupCurrent not found in cookie, that’s ok.
log [12:43:35.183] [debug][readonlyrest_kbn] received identity payload: {“x-ror-current-group”:null,“x-ror-username”:"-69-",“x-ror-kibana-hidden-apps”:[],“x-ror-kibana_access”:“admin”,“x-ror-available-groups”:[]}
log [12:43:35.186] [debug][readonlyrest_kbn] ON_IDENTITY no kibana index from headers, setting kibana index to default configured .kibana
respons [12:43:35.158] GET /login?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg&nextUrl=%2F&username=test 200 29ms - 9.0B

Is anything i have missed to add in Kibana.yml, Please suggest


(Mohankumar) #16

Hi Simone,

Th thing is kibana is not allowed to connect the other origin and sites. So the request from other sites are restricted.

Now i have changed the following settings in ./plugins/readonlyrest_kbn/node_modules/hapi-auth-cookie/lib/index.js

Existing:-
isSameSite: Joi.valid(‘Strict’, ‘Lax’).allow(false).default(‘Strict’),
isSameSite: true,

Now:-
isSameSite: false,
isSecure: Joi.boolean().default(false)

Now it’s working.


Login authentication problem with embedded Iframe
(Simone Scarduzio) #17

Wow, well done! That makes sense :slight_smile: I shall add an option to the kibana.yml settings and instruct people to enable it when they need to use deep linking.

Man I love it when my customers are smarter than me :smile::muscle:


(Mohankumar) #18

:slight_smile: Simone.

./plugins/readonlyrest_kbn/node_modules/hapi-auth-cookie/README.md .

This helps me to clarify the cookie behaviour

If we have the above README.md link in documentation anywhere, It could be better for more understanding


(Simone Scarduzio) #19

Soon releasing 1.16.30 with this fix in place!