JWT Token authentication getting forbidden issue

Hi Team,

I am facing forbidden access while using a JWT token. I knew the user is not allowed to access; help me to address this issue.

My JWT token is:

eyJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1NDIwMDgzOTEsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJtb2hhbiIsImV4cCI6MTU0MjA2ODM5MX0.qAp7roV43hTgwQQSIVs5oX_mdL1x_9wQCVOvo1ltDjl9kTbREGqp-glVCoZNmfgRvHbSKQBzeRVB5hVjlRVpbw

Decoded value:

{"alg":"HS512"}{"iat":1542008391,"iss":"com.abc","user_claim":"mohan","exp":1542068391}

and my readonlyrest.yml is as follows:

readonlyrest:
    # IMPORTANT FOR LOGIN/LOGOUT TO WORK WITH ROR PLUGIN FOR KIBANA
    prompt_for_basic_auth: false

    access_control_rules:

    #####################################################################################
    # These credentials have no limitations, and shall be used only by the Kibana daemon.
    #####################################################################################
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana
      verbosity: error

    - name: Valid JWT token with a viewer role
      kibana_access: ro
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["viewer"]

    - name: Valid JWT token with a writer role
      kibana_access: rw
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["writer"]

    jwt:
    - name: jwt_provider_1
      signature_algo: HS512
      signature_key: "eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsImlzcyI6ImNvbS5zZWN1cmVpcSIsImV4cCI6MTUzODQ4MDAwMn0"
      user_claim: user
      roles_claim: resource_access.client-app.roles # JSON-path style
      header_name: Authorization

I am continuously getting the following exception in elasticsearch.log:

[2018-11-12T07:44:12,024][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1310574987-1181151371#41913, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]], [Valid JWT token with a writer role->[jwt_auth->false]] }

[2018-11-12T07:44:12,155][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1466361979-730537051#41916, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]], [Valid JWT token with a writer role->[jwt_auth->false]] }

[2018-11-12T07:44:12,285][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:692634975-941180594#41917, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]], [Valid JWT token with a writer role->[jwt_auth->false]] }

Also, please mention the available key factories for JWT authentication.

Hi @mohankumar,

We updated the JWT library version and the minimum key length now is 256. Please check your ES logs; there should be an exception being thrown that mentions exactly this. I should change the example in the documentation, btw.

EDIT changed the docs!

EDIT AFAIK we support all the algorithms except elliptic curve at the moment (requires some fix in our code).
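
An added example (not part of the thread and not ReadonlyREST code): a stand-alone Python check for two things this thread turns on, the HMAC key size (RFC 7518 section 3.2 requires key material at least as long as the hash output, so 256 bits for HS256 and 512 bits for HS512, counted in bits rather than characters) and whether the token actually carries the claims named by `user_claim` and `roles_claim`. The function names, the raw-bytes key handling and the simple dotted-path lookup are assumptions of this example; the sample tokens are constructed.

```python
import base64, hashlib, hmac, json
# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims, key, alg):  # builds constructed sample tokens only
    head = b64url_encode(json.dumps({"alg": alg}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), HS_ALGS[alg]).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def lookup(claims, path):
    """Resolve a dotted claim path such as resource_access.client-app.roles."""
    node = claims
    for step in path.split("."):
        if not isinstance(node, dict) or step not in node:
            return None
        node = node[step]
    return node

def diagnose(token, key, expected_alg, user_claim, roles_claim):
    """Return the reasons a jwt_auth-style check would reject this token."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact token"]
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    alg = header.get("alg")
    if alg != expected_alg or alg not in HS_ALGS:
        return [f"unexpected alg {alg!r}"]  # never trust the header's own choice
    problems = []
    min_bits = HS_ALGS[alg]().digest_size * 8
    if len(key) * 8 < min_bits:
        problems.append(f"key is {len(key) * 8} bits, {alg} needs >= {min_bits}")
    mac = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), HS_ALGS[alg]).digest()
    if not hmac.compare_digest(mac, b64url_decode(parts[2])):
        problems.append("signature mismatch")
    for label, path in (("user", user_claim), ("roles", roles_claim)):
        if lookup(claims, path) is None:
            problems.append(f"{label} claim {path!r} not in token")
    return problems

if __name__ == "__main__":  # constructed input mirroring the first post's claim names
    tok = sign({"iss": "com.abc", "user_claim": "mohan"}, b"k" * 32, "HS512")
    print(diagnose(tok, b"k" * 32, "HS512", "user", "resource_access.client-app.roles"))
```
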

Hi Simone,

I have changed my key to 256 chars as follows:

jwt:
- name: jwt_provider_1
  signature_algo: HS512
  signature_key: "eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsImlzcyI6ImNvbS5zZWN1cmVpcSIsImV4cCI6MTUzODQ4MDAwMn0eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsImlzcyI6ImNvbS5zZWN1cmVpcSIsImV4cCI6MTUzODQ4MDAwMn0eyJzdWIiOiIxMjM0NTY3ODkiLCJpYXQiOjE1Mzg0Nzk5NDIsIasfmlzcy"
  user_claim: user
  roles_claim: resource_access.client-app.roles # JSON-path style
  header_name: Authorization

[2018-11-12T11:06:09,777][INFO ][t.b.r.e.IndexLevelActionFilter] [10.2.1.25] Settings observer refreshing…
[2018-11-12T11:06:09,787][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘::KIBANA-SRV::’, policy: ALLOW, rules: [auth_key]}
[2018-11-12T11:06:09,787][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS512 KeyFactory not available
[2018-11-12T11:06:09,787][INFO ][t.b.r.a.ACL ] ADDING BLOCK: { name: ‘Valid JWT token with a viewer role’, policy: ALLOW, rules: [kibana_access, jwt_auth]}
[2018-11-12T11:06:09,788][INFO ][t.b.r.e.IndexLevelActionFilter] [10.2.1.25] Configuration reloaded - ReadonlyREST enabled
[2018-11-12T11:06:10,076][INFO ][t.b.r.e.SettingsObservableImpl] all ok, written settings

I am getting the following error [2018-11-12T11:06:09,787][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS512 KeyFactory not available

Is there anything I am missing?

Hi Simone,

In addition to that, while debugging I am getting the following. Could you help me to figure this out?

[2018-11-12T14:55:03,076][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:1163715800-1484612747#3323, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:10.2.1.25, IDX:<N/A>, MET:GET, PTH:/readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleUp6ZFdJaU9pSXhNak0wTlRZM09Ea2lMQ0pwWVhRaU9qRTFNemcwTnprNU5ESXNJbWx6Y3lJNkltTnZiUzV6WldOMWNtVnBjU0lzSW1WNGNDSTZNVFV6T0RRNE1EQXdNbjAiLCJpYXQiOjE1NDIwMDcyNjUsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJraWJhbmEiLCJleHAiOjE1NDIwNjcyNjR9.F9KubbSxbtuWmi3hhW00NjnXpujKnI6kg5t4edyr5LdEcs0ctHOge5pynu2bd0RtOuWFCCngfQTdt8yhXO-qw, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]] }
[2018-11-12T14:55:03,159][DEBUG][t.b.r.a.ACL ] checking request:1319830526-1198912710#3324
[2018-11-12T14:55:03,159][DEBUG][t.b.r.a.b.r.i.AuthKeySyncRule] Basic auth header or auth key not present!
[2018-11-12T14:55:03,159][DEBUG][t.b.r.a.b.Block ] [::KIBANA-SRV::] the request matches no rules in this block: { ID:1319830526-1198912710#3324, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:10.2.1.25, IDX:<N/A>, MET:GET, PTH:/readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleUp6ZFdJaU9pSXhNak0wTlRZM09Ea2lMQ0pwWVhRaU9qRTFNemcwTnprNU5ESXNJbWx6Y3lJNkltTnZiUzV6WldOMWNtVnBjU0lzSW1WNGNDSTZNVFV6T0RRNE1EQXdNbjAiLCJpYXQiOjE1NDIwMDcyNjUsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJraWJhbmEiLCJleHAiOjE1NDIwNjcyNjR9.F9KubbSxbtuWmi3hhW00NjnXpujKnI6kg5t4edyr5LdEcs0ctHOge5pynu2bd0RtOuWFCCngfQTdt8yhXO-qw, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]] }
[2018-11-12T14:55:03,161][DEBUG][t.b.r.a.b.Block ] [Valid JWT token with a viewer role] the request matches no rules in this block: { ID:1319830526-1198912710#3324, TYP:RRAdminRequest, CGR:N/A, USR:[no basic auth header], BRS:false, KDX:null, ACT:cluster:admin/rradmin/refreshsettings, OA:10.2.1.18, DA:10.2.1.25, IDX:<N/A>, MET:GET, PTH:/readonlyrest/metadata/current_user, CNT:<N/A>, HDR:{authorization=Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJleUp6ZFdJaU9pSXhNak0wTlRZM09Ea2lMQ0pwWVhRaU9qRTFNemcwTnprNU5ESXNJbWx6Y3lJNkltTnZiUzV6WldOMWNtVnBjU0lzSW1WNGNDSTZNVFV6T0RRNE1EQXdNbjAiLCJpYXQiOjE1NDIwMDcyNjUsImlzcyI6ImNvbS5zZWN1cmVpcSIsInVzZXJfY2xhaW0iOiJraWJhbmEiLCJleHAiOjE1NDIwNjcyNjR9.F9KubbSxbtuWmi3hhW00NjnXpujKnI6kg5t4edyr5LdEcs0ctHOge5pynu2bd0RtOuWFCCngfQTdt8yhXO-qw, Connection=close, content-length=0, Host=10.2.1.25:9200}, HIS:[::KIBANA-SRV::->[auth_key->false]], [Valid JWT token with a viewer role->[jwt_auth->false]] }
[2018-11-12T14:55:03,161][DEBUG][r.suppressed ] path: /_readonlyrest/metadata/current_user, params: {}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: forbidden
at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:163) ~[?:?]
at tech.beshu.ror.acl.ACL.lambda$check$4(ACL.java:208) ~[?:?]
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) ~[?:1.8.0_131]
at tech.beshu.ror.acl.ACL.check(ACL.java:203) ~[?:?]

Hi Simone,

I have tried all the symmetric key algorithms:

[2018-11-12T17:48:01,841][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS256 KeyFactory not available
[2018-11-12T17:48:01,841][ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] HS512 KeyFactory not available

I am getting the above exception. Have I missed anything?

I have worked with an asymmetric key with RSA, and I am getting the following exception in debug mode:

[2018-11-12T18:39:50,503][DEBUG][r.suppressed ] path: /_readonlyrest/metadata/current_user, params: {}
tech.beshu.ror.es.IndexLevelActionFilter$1$1: forbidden
at tech.beshu.ror.es.IndexLevelActionFilter$1.onForbidden(IndexLevelActionFilter.java:163) ~[?:?]
at tech.beshu.ror.acl.ACL.lambda$check$4(ACL.java:208) ~[?:?]
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:614) ~[?:1.8.0_131]
at java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:1983) ~[?:1.8.0_131]
at tech.beshu.ror.acl.ACL.check(ACL.java:203) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.handleRequest(IndexLevelActionFilter.java:158) ~[?:?]
at tech.beshu.ror.es.IndexLevelActionFilter.lambda$apply$1(IndexLevelActionFilter.java:134) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at tech.beshu.ror.es.IndexLevelActionFilter.apply(IndexLevelActionFilter.java:130) ~[?:?]
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:139) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:81) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:87) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:76) ~[elasticsearch-6.3.0.jar:6.3.0]

Please suggest

Hi @mohankumar, in the JWT tests we run successfully with a HS256 JWT without specifying any algorithm.

i.e. simply like this:

jwt:
 - name: test-jwt
   signature_key: ".....your-key...."

Hi @mohankumar, the new 1.16.29 is out with support for the latest Kibana/ES 6.4.3, and a revisited JWT signature check.

Also, I updated the documentation; please have a look at the new section describing algorithms.

Thanks Simone, will try and get back to you soon.

1 Like

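Hi Simone, JWT auth is working perfectly now :slight_smile:

I have used the following to generate the token; if anyone needs it, please refer to it.

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.TextCodec;
import java.util.Date;

// Build an HS512-signed token carrying the user and roles claims
String token = Jwts.builder()
    .signWith(SignatureAlgorithm.HS512, TextCodec.BASE64.encode("your_key"))
    .setIssuedAt(new Date(System.currentTimeMillis()))
    .setIssuer("")
    .claim("user", "bob")
    .claim("roles", "writer")
    .compact();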

1 Like

Brilliant, we are using the same library too, haha!

Hi Simone,

I am facing an issue while integrating dashboards. I am not sure whether the issue is with ROR, but it happens when I am trying to integrate using an iframe with other applications.

Without ROR, if I integrate directly with an iframe, it works. But when I tried to integrate with ROR, it authenticates using JWT successfully (session stored in a cookie), but it redirects to the login page instead of navigating to the deep link URL.

I found a 302 error code while redirecting. I am using a JWT token for authentication in version 6.4.3.

Is there anything I have to add on the Kibana side for ROR authentication to skip the login page redirection?

Please suggest

Hi @mohankumar,

Embedding a visualization via iframe while Kibana is protected by authentication means that the credentials have to pass as HTTP GET parameters. Please have a look at the JWT deep linking section of the docs.

Hi Simone,

I have checked the JWT deep linking. The issue I am facing occurs while I am integrating an iframe.

The following works using href or directly in a browser tab; it retrieves results.

a href=“https://10.2.1.18:5601/app/kibana#/home?_g=()?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg

But when I tried the same one using an iframe as follows:

iframe src=“https://10.2.1.18:5601/app/kibana#/home?_g=()?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg

It keeps on sending requests to Kibana. The authentication returns 200, but it is still on the login page and keeps on trying. I am getting the following in Kibana with debug mode:

log   [12:43:34.954] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/.

respons [12:43:34.955] GET / 302 1ms - 9.0B
log [12:43:34.967] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/login.
log [12:43:34.968] [debug][readonlyrest_kbn] try extract credentials from JSON
log [12:43:34.969] [debug][readonlyrest_kbn] try extract credentials from X_FORWARDED_USER
respons [12:43:34.968] GET /login 200 9ms - 9.0B
log [12:43:34.985] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/jquery-3.2.1.min.js.
respons [12:43:34.986] GET /plugins/readonlyrest_kbn/js/jquery-3.2.1.min.js 304 2ms - 9.0B
log [12:43:35.062] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/jquery.shake.js.
respons [12:43:35.063] GET /plugins/readonlyrest_kbn/js/jquery.shake.js 304 12ms - 9.0B
log [12:43:35.096] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/bootstrap.min.js.
respons [12:43:35.097] GET /plugins/readonlyrest_kbn/js/bootstrap.min.js 304 2ms - 9.0B
log [12:43:35.121] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/plugins/readonlyrest_kbn/js/jquery.blockUI.min.js.
respons [12:43:35.122] GET /plugins/readonlyrest_kbn/js/jquery.blockUI.min.js 304 12ms - 9.0B
log [12:43:35.157] [debug][legacy-platform-proxifier] Request will be handled by proxy GET:/login?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg&nextUrl=%2F&username=test.
log [12:43:35.159] [debug][readonlyrest_kbn] forwarding whitelisted header for login attempt 0: Bearer eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg
log [12:43:35.159] [debug][readonlyrest_kbn] groupCurrent not found in cookie, that’s ok.
log [12:43:35.160] [debug][readonlyrest_kbn] groupCurrent not found in cookie, that’s ok.
log [12:43:35.183] [debug][readonlyrest_kbn] received identity payload: {“x-ror-current-group”:null,“x-ror-username”:“-69-”,“x-ror-kibana-hidden-apps”:,“x-ror-kibana_access”:“admin”,“x-ror-available-groups”:}
log [12:43:35.186] [debug][readonlyrest_kbn] ON_IDENTITY no kibana index from headers, setting kibana index to default configured .kibana
respons [12:43:35.158] GET /login?jwt=eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NDI2Mjk3NjEsImV4cCI6MTU0MzIyOTc2MSwidXNlciI6IiotNjktKiIsInJvbGVzIjoid3JpdGVyIn0.YrWdHiDNxLjJpHo7yy_Yiz4DxlNmnhmOk_T4fI1WNQg&nextUrl=%2F&username=test 200 29ms - 9.0B

Is there anything I have missed adding in kibana.yml? Please suggest.

Hi Simone,

The thing is, Kibana is not allowed to connect to other origins and sites, so requests from other sites are restricted.

Now I have changed the following settings in ./plugins/readonlyrest_kbn/node_modules/hapi-auth-cookie/lib/index.js

Existing:
isSameSite: Joi.valid('Strict', 'Lax').allow(false).default('Strict'),
isSameSite: true,

Now:
isSameSite: false,
isSecure: Joi.boolean().default(false)

Now it’s working.

1 Like

Wow, well done! That makes sense :slight_smile: I shall add an option to the kibana.yml settings and instruct people to enable it when they need to use deep linking.

Man I love it when my customers are smarter than me :smile::muscle:

1 Like

:slight_smile: Simone.

./plugins/readonlyrest_kbn/node_modules/hapi-auth-cookie/README.md

This helps me to clarify the cookie behaviour.

If we had the above README.md link somewhere in the documentation, it would help understanding.

Soon releasing 1.16.30 with this fix in place!

1 Like