JWT Auth0 Integration


Florian Norbert Bepunkt

Apr 17, 2017, 9:31:05 AM
to Search Guard
We use auth0 as authentication provider for a project and are now evaluating Search Guard. When a user logs in to our app, we store a JWT. Is it possible to use the same token to authenticate with our Elasticsearch cluster via Search Guard? If so, how would I go about this?

Basically our cluster should grant read/write access to authenticated users.

Florian Norbert Bepunkt

Apr 17, 2017, 12:31:09 PM
to Search Guard
OK, I basically figured out the auth0 part and set up the configuration based on the Search Guard wiki. This might be a super dumb question now, but using the official elasticsearch.js client … how do I send the JWT token? Can someone please explain how this works?

Thank you.

Jochen Kressin

Apr 17, 2017, 3:11:50 PM
to Search Guard
This is just a guess, but ... the JWT token is passed to Search Guard in an HTTP header field, the default being Authorization.

The header field starts with "Bearer", then a whitespace, and then the actual JWT token, e.g.:

Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImhyX2VtcGxveWVlIiwicm9sZXMiOiJociIsImlkIjpudWxsLCJpYXQiOjE0ODY4NTI1NDF9.1A6ircYWr4nCB1hEDMq-sLheG0ON_8ccRxNd1KlE03U

When instantiating the ES Client object, you can pass several configuration settings for the host, one of them is a field called headers:

headers
Object — An object describing the headers to send for every request to this node.

see here:

So, maybe you can try to use this header field to set the Authorization header with the JWT token.
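As an added illustration of the header mechanism described above (this is example code written for this page, not code from the thread or from the Search Guard project), the following Node.js snippet builds the `Authorization: Bearer …` header map that the legacy elasticsearch.js client accepts in its per-host `headers` field. Before sending, it decodes the token's claims and checks that the claim names configured as `subject_key` and `roles_key` in sg_config.yml are actually present, since Search Guard cannot map a user or roles from claims that are not in the token. The token is the sample quoted earlier in the thread; the host name, port and the option names `subjectKey`, `rolesKey`, `jwtHeader` are assumptions of this example. The signature is not verified here; Search Guard does that server-side with `signing_key`.

```javascript
// Added example (not from the thread): build the Authorization header that
// Search Guard's JWT authenticator expects and sanity-check the token's claims
// against the subject_key / roles_key names configured in sg_config.yml.
// Only Node.js built-ins are used; the elasticsearch.js client is not required here.

// Sample token quoted earlier in the thread (HS256, payload carries
// "username" and "roles" claims). The signature is NOT checked here;
// Search Guard verifies it server-side with signing_key.
const SAMPLE_TOKEN =
  'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.' +
  'eyJ1c2VybmFtZSI6ImhyX2VtcGxveWVlIiwicm9sZXMiOiJociIsImlkIjpudWxsLCJpYXQiOjE0ODY4NTI1NDF9.' +
  '1A6ircYWr4nCB1hEDMq-sLheG0ON_8ccRxNd1KlE03U';

// Decode one base64url segment (RFC 7515 Appendix C) without relying on
// Node's 'base64url' encoding, so this also runs on older Node versions.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWS into header and claims. Throws on anything that is
// not three dot-separated segments with JSON in the first two.
function decodeJwt(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 JWT segments, got ' + parts.length);
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  return { header, claims };
}

// Check that the claims Search Guard will read (subject_key, roles_key) are
// present, then build the header map. jwtHeader defaults to "Authorization",
// the Search Guard default; a different name can be configured via jwt_header.
function buildAuthHeaders(token, { subjectKey, rolesKey, jwtHeader = 'Authorization' }) {
  const { claims } = decodeJwt(token);
  for (const key of [subjectKey, rolesKey]) {
    if (!(key in claims)) {
      throw new Error(`token lacks claim "${key}" required by sg_config.yml`);
    }
  }
  return { [jwtHeader]: 'Bearer ' + token };
}

// Host configuration for the legacy elasticsearch.js client: the "headers"
// field is sent with every request to that node. Host and port are assumed.
function esClientConfig(host, port, token, keys) {
  return {
    host: { host, port, protocol: 'https', headers: buildAuthHeaders(token, keys) },
  };
}

// Usage (client instantiation left commented out so the file runs offline):
// const elasticsearch = require('elasticsearch');
// const client = new elasticsearch.Client(
//   esClientConfig('es.example.internal', 9200, SAMPLE_TOKEN,
//                  { subjectKey: 'username', rolesKey: 'roles' }));
```

Note that the sample token carries `username` and `roles`, so a sg_config.yml with `subject_key: 'user'` and `roles_key: 'role'` would not find either claim; the check above fails fast on the client instead of producing an opaque Unauthorized from the cluster.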

Florian Norbert Bepunkt

Apr 18, 2017, 6:28:19 AM
to Search Guard
Thank you. I'm having trouble getting this set up. I use this docker image with ES and Search Guard: https://github.com/Khezen/docker-elasticsearch

When accessing the cluster via Postman with the specified auth header (Authorization: Bearer + my generated token), I only get an Unauthorized response. Basically the docker image should work; I can configure a normal user auth and this works.

In my sg_config.yml I configured JWT according to your docs:

searchguard:
  dynamic:
    authc:
      jwt_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "xxxxx...having my base encoded secret here"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            subject_key: 'user'
            roles_key: 'role'
        authentication_backend:
          type: noop


Any ideas?

SG

Apr 18, 2017, 6:45:57 AM
to search...@googlegroups.com
I guess that the JWT module is not installed. (Note: this is a commercial feature, and if you use it in production you need to obtain a license.)

See https://github.com/floragunncom/search-guard-authbackend-jwt and https://github.com/floragunncom/search-guard-authbackend-jwt/wiki

Jochen Kressin

Apr 18, 2017, 6:52:10 AM
to Search Guard
If the JWT module is installed correctly and enabled in sg_config, you should see the following message printed on stdout when starting the nodes:

******************************************************
Search Guard JWT (JSON Web Token) is not free software
for commercial use in production.
You have to obtain a license if you
use it in production.
******************************************************

Can you please check if this is the case? In order to install the module, you need to download the jar (with dependencies) and place it in the plugins/search-guard-5 folder.

Please see here for the download link(s):

Florian Norbert Bepunkt

Apr 18, 2017, 7:51:20 AM
to Search Guard
Okay, I installed the plugin and it's working now. One last question: In the docs it reads that you can chain different authorization methods. Is it also possible to use one or the other?

For example, I have Basic Auth and JWT, so I can authenticate using either one. But when I set up both methods, I need to use both together.

Jochen Kressin

Apr 18, 2017, 8:00:00 AM
to Search Guard
Well, the docs might not be clear enough here. It's not really chaining in the sense that both authentication methods are executed all the time. It's more like you described/want: if the first method fails, the second is executed, until one authentication method succeeds. Kind of "first successful authenticator wins".

Regarding using JWT and Basic Auth together, you need to pay attention to the order and the challenge flag. For example, a working scenario would be to have JWT as the first authenticator, and then Basic Auth with challenge set to true. Result would be: If there is no valid JWT token in the request, the Basic Auth dialog will pop up and challenge the user for credentials.

The other way round would not work. If you have Basic Auth with challenge set to true as the first authenticator, then the Basic Auth dialogue would pop up until you entered valid credentials, and the JWT module is never called. So, the actual configuration highly depends on the use case you want to implement.

Jochen Kressin

Apr 18, 2017, 3:01:30 PM
to Search Guard
Forgot to mention: Please use different HTTP header fields for Basic Auth and JWT. You can configure the header field for JWT with the "jwt_header" config key.
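Putting the two preceding replies together (authenticator order, the challenge flag, and a separate header for JWT), an sg_config.yml that implements the working scenario described above would look like the following. This is an added example for this page, not a configuration from the thread or from the Search Guard documentation: the `jwt_auth_domain` block mirrors the one posted earlier, the `basic_internal_auth_domain` name, the `order` values, the `X-Search-Guard-JWT` header name and the `intern` backend type are assumptions of this example, and the signing key is a placeholder.

```yaml
# Added example (not from the thread): JWT first without challenge, Basic Auth
# second with challenge, each on its own HTTP header.
searchguard:
  dynamic:
    authc:
      # Evaluated first (lowest order). challenge: false means a request
      # without a token simply falls through to the next domain instead of
      # ending the chain with a 401.
      jwt_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "REPLACE_WITH_BASE64_ENCODED_SECRET"   # placeholder
            # Separate header so the Bearer token never collides with the
            # Basic Auth credentials in Authorization (header name assumed).
            jwt_header: "X-Search-Guard-JWT"
            jwt_url_parameter: null
            subject_key: "user"
            roles_key: "role"
        authentication_backend:
          type: noop
      # Evaluated second. challenge: true means that when neither a valid JWT
      # nor Basic credentials are present, Search Guard answers with the Basic
      # Auth challenge, which is what makes the browser dialog appear.
      basic_internal_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
```

Swapping the two `order` values reproduces the failure mode described above: with Basic Auth at order 0 and `challenge: true`, a request carrying only a JWT is answered with the Basic Auth challenge and the JWT domain is never reached.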

Florian Norbert Bepunkt

Apr 19, 2017, 5:08:43 AM
to Search Guard
Okay, thank you. I see the message now.