Kibana behind GCP Identity Aware Proxy

ademaria · June 2, 2018, 6:33am

Hi Simone,

do you have a complete example of how to integrate Kibana behind Google Identity Aware Proxy?

I tried to configure the JWT section to fit IAP Docs but:

Their ES256 algorithm seems unsupported ([ERROR][t.b.r.a.b.r.i.JwtAuthSyncRule] ES256 KeyFactory not available )
They seem to provide multiple signatures, not one.
They don’t seem to documents where their scopes would come from.

Is anybody else using it? Or is anybody else using any other approach?

Using the latest plugin with 5.6.9.

A working example would be great.

Regards
Alessandro

sscarduzio · June 2, 2018, 8:18pm

Hello Alessandro,

I reproduced this bug and working with people from jjwt library to find the best solution. Will update.

ademaria · June 2, 2018, 10:09pm

as an update, when testing it appears as if IAP is using different settings than what it is in the documentation.

The actual header seems to be: GCP_IAAP_AUTH_TOKEN
The actual alg seems to be RS256

I wonder if the documentation is incorrect or I am doing something else wrong.

sscarduzio · June 3, 2018, 7:08am

That’s interesting. Maybe google cloud folks can comment on this?

ademaria · June 3, 2018, 8:05am

Sure, I will let you know.

ademaria · June 7, 2018, 12:56pm

I think my comment on GCP_IAAP_AUTH_TOKEN was a red herring.

Did you hear back re: ES256?

ademaria · June 7, 2018, 12:58pm

github.com/jwtk/jjwt

ES256 signature length

opened 05:05PM - 11 Sep 16 UTC

closed 09:57PM - 11 Sep 16 UTC

martijndwars

bug duplicate

According to [draft-ietf-json-web-algorithms](https://tools.ietf.org/html/draft-…ietf-jose-json-web-algorithms-24#section-3.4), the length of the signature for ES256 must be 64 bytes. The signature that is being produced by jjwt is longer (e.g. the base64 encoded string is 94 characters, which corresponds to 126 bytes). When I replaced jjwt by [jose4j](https://bitbucket.org/b_c/jose4j/), the problem was solved. Apparently, they encountered this [issue](https://bitbucket.org/b_c/jose4j/issues/6/ecdsa-signature-values-sometimes-too-small) as well, though I'm not sure what is going wrong in jjwt. ``` java private Key privateKey; // BCECPrivateKey instance // ... public void encode() { String compactJws = Jwts.builder() .setHeaderParam("typ", "JWT") .setHeaderParam("alg", "ES256") .setAudience("xxx") .setExpiration(new Date(1473689295000L)) .setSubject("yyy") .signWith(SignatureAlgorithm.ES256, privateKey) .compact(); // compactJws will be 94 characters long -- too long } ```

This issue suggests the signature itself is supported?

sscarduzio · June 8, 2018, 6:15am

No but I’m trying to make this work, do you have an example ES256 private key in the format given out by google cloud?

ademaria · June 8, 2018, 6:38am

Wouldn’t you need the public key, like in the list provided by the link on point 2 above? If not I’ll try later from my laptop.

sscarduzio · June 8, 2018, 9:30am

ideally a private and public, to create and validate the token in the unit tests. But also a token and its public key will do.

ademaria · December 27, 2018, 9:09am

Hi Simone,

trying again on this now that you have added the EC style signature.
This is my config

 readonlyrest:
 jwt: 
  - name: jwt_provider_1
    signature_algo: EC
    signature_key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL\nGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==\n-----END PUBLIC KEY-----\n"
    user_claim: email
    header_name: x-goog-iap-jwt-assertion
  access_control_rules:
  - name: Valid JWT token with a writer role
    kibana_access: rw
    jwt_auth:
      name: "jwt_provider_1"
      roles: ["writer"]

however I do not even see an attempt from kibana to interpret the JWT token coming from IAP.

How do I debug this?

example log on Kibana:
{"type":"response","@timestamp":"2018-12-27T09:05:46Z","tags":[],"pid":1,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"host":"ZZZZZZ","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36","accept":"image/webp,image/apng,image/*,*/*;q=0.8","referer":"https://ZZZZZZ/app/readonlyrest_kbn","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8","if-none-match":"\"6168e24a3738b2bbb81e132e53f2e70367329f22\"","if-modified-since":"Thu, 06 Dec 2018 20:20:33 GMT","x-cloud-trace-context":"86498bc6e57540fa7e0b9d579b34da76/8449657059393905291","x-goog-authenticated-user-id":"accounts.google.com:100164341147360878367","x-goog-authenticated-user-email":"accounts.google.com:ademaria@google.com","x-goog-iap-jwt-assertion":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLmNvbToxMDAxNjQzNDExNDczNjA4NzgzNjciLCJlbWFpbCI6ImFkZW1hcmlhQGdvb2dsZS5jb20iLCJhdWQiOiIvcHJvamVjdHMvMjUxMTY3MTkzOTAyL2dsb2JhbC9iYWNrZW5kU2VydmljZXMvMzQ4MjUxMDU5NTY3NDg2NjU0NyIsImV4cCI6MTU0NTkwMjE0NiwiaWF0IjoxNTQ1OTAxNTQ2LCJoZCI6Imdvb2dsZS5jb20ifQ.8iADNc8sDxPY6_8bKmpfrai4d221Hh5ZmllTk6PBiX1PmlpDUkTI3S8LpWr-uyNmjmCvN70FQRSfbhdtgk3ujw" XXXXXXXXXXX

sscarduzio · December 28, 2018, 4:43am

Hello @ademaria!

Our Kibana plugin does not validate the JWT directly, it passes it to the ES plugin for inspection. If the ES plugin is able to resolve an identity from the claims, we log in the Kibana user.

So if I was you, I’d make my tests directly with cURL towards port 9200 (Elasticsearch) and wait for a 200 code as a positive test result.

Something along the lines of:

$ curl -ks -u admin:dev https://localhost:9200/_readonlyrest/metadata/current_user | jq

{
  "x-ror-current-group": "ROR (admin)",
  "x-ror-username": "admin",
  "x-ror-kibana-hidden-apps": [],
  "x-ror-kibana_access": "admin",
  "x-ror-available-groups": [
    "ROR (admin)"
  ]
}

But instead of the -u admin:dev you’d use:

 -H 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLmNvbToxMDAxNjQzNDExNDczNjA4NzgzNjciLCJlbWFpbCI6ImFkZW1hcmlhQGdvb2dsZS5jb20iLCJhdWQiOiIvcHJvamVjdHMvMjUxMTY3MTkzOTAyL2dsb2JhbC9iYWNrZW5kU2VydmljZXMvMzQ4MjUxMDU5NTY3NDg2NjU0NyIsImV4cCI6MTU0NTkwMjE0NiwiaWF0IjoxNTQ1OTAxNTQ2LCJoZCI6Imdvb2dsZS5jb20ifQ.8iADNc8sDxPY6_8bKmpfrai4d221Hh5ZmllTk6PBiX1PmlpDUkTI3S8LpWr-uyNmjmCvN70FQRSfbhdtgk3ujw"

ademaria · January 2, 2019, 5:07pm

Thanks Simone,
i did try and I get the following error:

[myesdb-client-5fff6d8dd4-qrnkq] [2019-01-02T17:03:08,238][WARN ][r.suppressed             ] [myesdb-client-5fff6d8dd4-qrnkq] path: /_readonlyrest/metadata/current_user, params: {} 
[myesdb-client-5fff6d8dd4-qrnkq] java.lang.RuntimeException: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=111, too big.

I assume I am not passing the key in correctly?

I am using this:
signature_key: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL
GIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==
-----END PUBLIC KEY-----

The key is taken from https://www.gstatic.com/iap/verify/public_key

{"error":{"root_cause":[{"type":"runtime_exception","reason":"java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=111, too big."}],"type":"runtime_exception","reason":"java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=111, too big.","caused_by":{"type":"invalid_key_spec_exception","reason":"java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=111, too big.","caused_by":{"type":"invalid_key_exception","reason":"IOException: DerInputStream.getLength(): lengthTag=111, too big."}}},"status":500}

ademaria · January 11, 2019, 1:02pm

@sscarduzio do you have anything to suggest re: this error?

sscarduzio · January 11, 2019, 1:16pm

Hi Alessandro, thanks for pinging on this thread. It’s been a hectic week.
The first thing to try would be to remove the BEGIN/END lines and concatenate the key in the same line, wrapped by double quotes.

sscarduzio · January 15, 2019, 12:20pm

Hi @ademaria, given this configuration:

 jwt:
    - name: jwt1
      signature_key: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPLGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig=="

I have no InvalidKeyException, and the key gets correctly read into a ECPublicKeyImpl object.

However, given your JWT token example, the token can’t be validated. Which is not because it’s expired, but can’t really pass the validation given the public key (the first one in the array you linked):

// 20190115121104
// https://www.gstatic.com/iap/verify/public_key

{
  "2nMJtw": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL\nGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==\n-----END PUBLIC KEY-----\n",
  "6BEeoA": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElmi1hJdqtbvdX1INOf5B9dWvkydY\noowHUXiw8ELWzk/YHESNr8vXQoyOuLOEtLZeCQbFkeLUqxYp1sTArKNu/A==\n-----END PUBLIC KEY-----\n",
  "FAWt5w": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8auUAdTS54HmUuIabrTKvWawxmbs\n81kdbzQMV/Tae0EhLgin8qnJ4lklJrxEzksXg5OtBuzE62DIj+CePN20Pg==\n-----END PUBLIC KEY-----\n",
  "f9R3yg": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESqCmEwytkqG6tL6a2GTQGmSNI4jH\nYo5MeDUs7DpETVhCXXLIFrLg2sZvNqw8SGnnonLoeqgOSqRdjJBGt4I6jQ==\n-----END PUBLIC KEY-----\n",
  "rTlk-g": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsm2pfkO5SYLW7vSv3e+XkKBH6SLr\nxPL5a0Z2MwWfJXZXFDQTWzyEwtIADMmS83hp1XqN57Vcu3Nmt7IvhnqR7g==\n-----END PUBLIC KEY-----\n"
}

I have had more luck with the second key listed in the JSON, using that, I get:

JWT expired at 2018-12-27T09:15:46Z. Current time: 2019-01-15T12:17:58Z, a difference of 1652532064 milliseconds.  Allowed clock skew: 0 milliseconds.

So I really think it works, just a matter of selecting the right key, and formatting the key in a single long string without “—BEGIN…” and “—END”, and without the new lines.