trying again on this now that you have added the EC style signature.
This is my config
readonlyrest:
jwt:
- name: jwt_provider_1
signature_algo: EC
signature_key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL\nGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==\n-----END PUBLIC KEY-----\n"
user_claim: email
header_name: x-goog-iap-jwt-assertion
access_control_rules:
- name: Valid JWT token with a writer role
kibana_access: rw
jwt_auth:
name: "jwt_provider_1"
roles: ["writer"]
however I do not even see an attempt from kibana to interpret the JWT token coming from IAP.
How do I debug this?
example log on Kibana: {"type":"response","@timestamp":"2018-12-27T09:05:46Z","tags":[],"pid":1,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"host":"ZZZZZZ","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36","accept":"image/webp,image/apng,image/*,*/*;q=0.8","referer":"https://ZZZZZZ/app/readonlyrest_kbn","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8","if-none-match":"\"6168e24a3738b2bbb81e132e53f2e70367329f22\"","if-modified-since":"Thu, 06 Dec 2018 20:20:33 GMT","x-cloud-trace-context":"86498bc6e57540fa7e0b9d579b34da76/8449657059393905291","x-goog-authenticated-user-id":"accounts.google.com:100164341147360878367","x-goog-authenticated-user-email":"accounts.google.com:ademaria@google.com","x-goog-iap-jwt-assertion":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLmNvbToxMDAxNjQzNDExNDczNjA4NzgzNjciLCJlbWFpbCI6ImFkZW1hcmlhQGdvb2dsZS5jb20iLCJhdWQiOiIvcHJvamVjdHMvMjUxMTY3MTkzOTAyL2dsb2JhbC9iYWNrZW5kU2VydmljZXMvMzQ4MjUxMDU5NTY3NDg2NjU0NyIsImV4cCI6MTU0NTkwMjE0NiwiaWF0IjoxNTQ1OTAxNTQ2LCJoZCI6Imdvb2dsZS5jb20ifQ.8iADNc8sDxPY6_8bKmpfrai4d221Hh5ZmllTk6PBiX1PmlpDUkTI3S8LpWr-uyNmjmCvN70FQRSfbhdtgk3ujw" XXXXXXXXXXX
Our Kibana plugin does not validate the JWT directly, it passes it to the ES plugin for inspection. If the ES plugin is able to resolve an identity from the claims, we log in the Kibana user.
So if I was you, I’d make my tests directly with cURL towards port 9200 (Elasticsearch) and wait for a 200 code as a positive test result.
I am using this:
signature_key: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL
GIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==
-----END PUBLIC KEY-----
Hi Alessandro, thanks for pinging on this thread. It’s been a hectic week.
The first thing to try would be to remove the BEGIN/END lines and concatenate the key in the same line, wrapped by double quotes.
I have no InvalidKeyException, and the key gets correctly read into a ECPublicKeyImpl object.
However, given your JWT token example, the token can’t be validated. Which is not because it’s expired, but can’t really pass the validation given the public key (the first one in the array you linked):
// 20190115121104
// https://www.gstatic.com/iap/verify/public_key
{
"2nMJtw": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9e1x7YRZg53A5zIJ0p2ZQ9yTrgPL\nGIf4ntOk+4O2R2+ryIObueyenPXE92tYG1NlKjDNyJLc7tsxi0UUnyxpig==\n-----END PUBLIC KEY-----\n",
"6BEeoA": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElmi1hJdqtbvdX1INOf5B9dWvkydY\noowHUXiw8ELWzk/YHESNr8vXQoyOuLOEtLZeCQbFkeLUqxYp1sTArKNu/A==\n-----END PUBLIC KEY-----\n",
"FAWt5w": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8auUAdTS54HmUuIabrTKvWawxmbs\n81kdbzQMV/Tae0EhLgin8qnJ4lklJrxEzksXg5OtBuzE62DIj+CePN20Pg==\n-----END PUBLIC KEY-----\n",
"f9R3yg": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESqCmEwytkqG6tL6a2GTQGmSNI4jH\nYo5MeDUs7DpETVhCXXLIFrLg2sZvNqw8SGnnonLoeqgOSqRdjJBGt4I6jQ==\n-----END PUBLIC KEY-----\n",
"rTlk-g": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsm2pfkO5SYLW7vSv3e+XkKBH6SLr\nxPL5a0Z2MwWfJXZXFDQTWzyEwtIADMmS83hp1XqN57Vcu3Nmt7IvhnqR7g==\n-----END PUBLIC KEY-----\n"
}
I have had more luck with the second key listed in the JSON, using that, I get:
JWT expired at 2018-12-27T09:15:46Z. Current time: 2019-01-15T12:17:58Z, a difference of 1652532064 milliseconds. Allowed clock skew: 0 milliseconds.
So I really think it works, just a matter of selecting the right key, and formatting the key in a single long string without “—BEGIN…” and “—END”, and without the new lines.