Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/06/14 14:48:58 UTC

[GitHub] [couchdb] vd2org opened a new issue #2947: JWT settings not working

vd2org opened a new issue #2947:
URL: https://github.com/apache/couchdb/issues/2947


   Broken JWT settings in *.ini file.
   
   ## Description
   
   I'm trying to configure Couch to accept different HMAC keys depending on their names, but it does not work as described in the documentation. Only the `_default` key is accepted and any other is ignored.
   
   ## Steps to Reproduce
   
   Add the following config options to the ini file:
   
   ```
   [jwt_keys]
   ; hmac:_default = aGVsbG8= # base64-encoded form of "hello"
   hmac:foo = aGVsbG8=
   ```
   
   Try to perform a request to the server with a key with `sub=foo`:
   ```
   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJraWQiOiJobWFjIiwiaWF0IjoxNTkyMTM0OTI1LCJleHAiOjE1OTUxMzQ5MjUsInN1YiI6ImZvbyJ9.tiGzT7VfUY_oIHK-bKUER6hH5sUFoJ4VVpiwR26qTew
   ```
   The request will be rejected.
   
   ## Expected Behaviour
   
   Accepted request.
   
   ## Your Environment
   
   Official Docker image
   
   * CouchDB version used: 3.1
   * Operating system and version: Docker under Linux


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] PhamMinhNgoc edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
PhamMinhNgoc edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647159650


   In your case, you can use multiple secret keys and algs (hmac or rsa):
   hmac:foo = aGVsbG8=
   hmac:bar = aGVsbG8y
   
   And in the JWT token, you need to set the kid attribute "kid":"foo" or "kid":"bar" in the token header to use the hmac secret key for the corresponding .
   Example:
   Token header:
   
   > "alg":"HS256"
   > "kid": "foo"
   
   Token payload:
   > {
   >   "iat": 1592134925,
   >   "exp": 1595134925,
   >   "sub": "replace with your username in your database"
   > }
   





[GitHub] [couchdb] PhamMinhNgoc commented on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
PhamMinhNgoc commented on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-646280200


   It's working for me; I use the Docker image for this. You can try:
   1. I configured the JWT secret key in the file default.ini
   ![image](https://user-images.githubusercontent.com/12809264/85066060-727bf500-b1d8-11ea-8134-fd1a93d77377.png)
   
   2. Configure the authentication handler in the file path: /opt/couchdb/default.d/*.ini
   
   > authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, jwt_authentication_handler}
   
   You can use more than one secret key; if only one, the "kid" attribute will indicate the key you use to validate that the JWT code is valid, or you can use the default key.
   
   > hmac: _default = aGVsbG8=
   
   The sub attribute indicates who you are authenticating.
   
   3. Restart CouchDB and try again.
   **Result:** 
   ![image](https://user-images.githubusercontent.com/12809264/85066929-05695f00-b1da-11ea-9a32-36c7df655aab.png)
   
   My JWT token:
   
   > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEiLCJleHAiOjE1OTI2MTEyMDB9.Y9jNgSeSBl54V2MHg1hXhivyZsdXTeiAVJR2DSlF6LQ
   
   Hope this helps you!
   





[GitHub] [couchdb] PhamMinhNgoc commented on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
PhamMinhNgoc commented on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647159650


   In your case, you can use multiple secret keys and algs (hmac or rsa):
   hmac:foo = aGVsbG8=
   hmac:bar = aGVsbG8y
   
   And in the JWT token, you need to set the kid claim "kid":"foo" or "kid":"bar" to use the hmac secret key for the corresponding .
   Example:
   
   > {
   >   "kid": "foo",
   >   "iat": 1592134925,
   >   "exp": 1595134925,
   >   "sub": "<replace with your username>"
   > }
   





[GitHub] [couchdb] PhamMinhNgoc edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
PhamMinhNgoc edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647159650


   In your case, you can use multiple secret keys and algs (hmac or rsa):
   hmac:foo = aGVsbG8=
   hmac:bar = aGVsbG8y
   
   And in the JWT token, you need to set the kid claim "kid":"foo" or "kid":"bar" to use the hmac secret key for the corresponding .
   Example:
   
   > {
   >   "kid": "foo",
   >   "iat": 1592134925,
   >   "exp": 1595134925,
   >   "sub": "replace with your username in your database"
   > }
   





[GitHub] [couchdb] vd2org commented on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org commented on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647442807


   Yeah. And it does not work. CouchDB is ignoring the `kid` field altogether.





[GitHub] [couchdb] vd2org commented on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org commented on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647092604


   Not exactly the same situation. I talked about the **sub** field and the ability to use more than one JWT secret at a time.
   
   To reproduce my case, you can rename the **_default** parameter in the config and see what happens.





[GitHub] [couchdb] vd2org edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647092604


   Not exactly the same situation. I talked about the `sub` field and the ability to use more than one JWT secret at a time.
   
   To reproduce my case, you can rename the `_default` parameter in the config and see what happens.





[GitHub] [couchdb] PhamMinhNgoc edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
PhamMinhNgoc edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647159650


   In your case, you can use multiple secret keys and algs (hmac or rsa):
   hmac:foo = aGVsbG8=
   hmac:bar = aGVsbG8y
   
   And in the JWT token, you need to set the kid claim "kid":"foo" or "kid":"bar" to use the hmac secret key for the corresponding .
   Example:
   
   > {
   >   "kid": "foo",
   >   "iat": 1592134925,
   >   "exp": 1595134925,
   >   "sub": "replace with your username"
   > }
   





[GitHub] [couchdb] vd2org removed a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org removed a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647442807


   Yep. And it does not work. CouchDB is ignoring the `kid` field altogether.





[GitHub] [couchdb] vd2org edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647442807


   Yep. And it does not work. CouchDB is ignoring the `kid` field altogether.





[GitHub] [couchdb] vd2org closed issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org closed issue #2947:
URL: https://github.com/apache/couchdb/issues/2947


   





[GitHub] [couchdb] vd2org edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647457696


   Heh, you're right. I tried to put the `kid` field in the payload instead of the header. 
   
   Fine! It works well now!
   
   Sorry to waste your time and thanks for the help!





[GitHub] [couchdb] PhamMinhNgoc edited a comment on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
PhamMinhNgoc edited a comment on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647159650


   In your case, you can use multiple secret keys and algs (hmac or rsa):
   hmac:foo = aGVsbG8=
   hmac:bar = aGVsbG8y
   
   And in the JWT token, you need to set the kid attribute "kid":"foo" or "kid":"bar" in the token header to use the hmac secret key for the corresponding .
   Example:
   Token header:
   
   > "alg":"HS256"
   > "kid": "foo"
   
   Token payload:
   > {
   >   "iat": 1592134925,
   >   "exp": 1595134925,
   >   "sub": "replace with your username in your database"
   > }
   ![image](https://user-images.githubusercontent.com/12809264/85232418-fe845b80-b428-11ea-859a-8db237c6ab2a.png)
   





[GitHub] [couchdb] vd2org commented on issue #2947: JWT settings not working

Posted by GitBox <gi...@apache.org>.
vd2org commented on issue #2947:
URL: https://github.com/apache/couchdb/issues/2947#issuecomment-647457696


   Heh, you're right. I tried to put the `kid` field in the payload instead of the header. Sorry to waste your time and thanks for the help!


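The resolution of this thread (the `kid` goes in the JWT header, not the payload), as an added Python example that is not CouchDB's code and not from any poster. The key-selection model (header `kid`, falling back to `_default`) is an assumption matching the behaviour reported above; `kid_location`, `sign` and `verify` are hypothetical helper names.

```python
import base64, hashlib, hmac, json

# Keys from the thread's [jwt_keys] examples: base64 of "hello" and "hello2".
JWT_KEYS = {"hmac:foo": "aGVsbG8=", "hmac:bar": "aGVsbG8y"}
# Token from the original report, copied from the issue text.
REPORTED = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
            "eyJraWQiOiJobWFjIiwiaWF0IjoxNTkyMTM0OTI1LCJleHAiOjE1OTUxMzQ5MjUsInN1YiI6ImZvbyJ9."
            "tiGzT7VfUY_oIHK-bKUER6hH5sUFoJ4VVpiwR26qTew")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def kid_location(token):
    """Report which JWT segments carry a "kid" member."""
    h64, p64, _ = token.split(".")
    parts = {"header": json.loads(b64u_dec(h64)), "payload": json.loads(b64u_dec(p64))}
    return [name for name, obj in parts.items() if "kid" in obj]

def sign(header, payload, secret):
    """Build an HS256 token (hypothetical helper for this example)."""
    enc = lambda o: b64u_enc(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u_enc(mac)

def verify(token, now, keys=JWT_KEYS):
    """Assumed model: key chosen by header kid, else _default. Returns sub or None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64u_dec(h64))
        if header.get("alg") != "HS256":  # pin the algorithm
            return None
        b64key = keys.get("hmac:" + header.get("kid", "_default"))
        if b64key is None:  # no matching key and no _default configured
            return None
        mac = hmac.new(base64.b64decode(b64key), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64u_dec(s64)):
            return None
        payload = json.loads(b64u_dec(p64))
        return payload["sub"] if payload["exp"] > now else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

`kid_location(REPORTED)` shows the reported token carries `kid` only in the payload, so under this model the verifier looks for `hmac:_default`, which the reporter had commented out.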