Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/05/19 07:38:10 UTC

[GitHub] [apisix] vincentwc opened a new issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

vincentwc opened a new issue #4274:
URL: https://github.com/apache/apisix/issues/4274


   ### Issue description
   ![image](https://user-images.githubusercontent.com/31959888/118774212-2b9af180-b8b8-11eb-9361-dbf4aefe891e.png)
   
   ### Environment
   
   Request help without environment information will be ignored or closed.
   
   * apisix version (cmd: `apisix version`): 2.5
   * OS (cmd: `uname -a`): 
   * OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): nginx version: openresty/1.19.3.1
   * etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API): 3.4.0
   * apisix-dashboard version, if have: 2.5
   * luarocks version, if the issue is about installation (cmd: `luarocks --version`): 3.4.0
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] Firstsawyou commented on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-844715246


   I have not reproduced your problem locally; you should provide your steps to reproduce it.





[GitHub] [apisix] vincentwc edited a comment on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
vincentwc edited a comment on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-844726675


   > I have not reproduced your problem locally; you should provide your steps to reproduce it.
   
   I reproduced it again. It seems like jwt-auth with "algorithm": "RS256" caused a problem. How do I get a token when using jwt-auth with the RS256 algorithm?
   
   The JSON used to create the consumer is shown below:
   
   ```json
   {
       "username": "kerouac",
       "plugins": {
           "jwt-auth": {
               "key": "user-key-key",
               "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----",
               "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----",
               "algorithm": "RS256"
           }
       }
   }
   ```
   
   The get-token URI is `apisix/plugin/jwt/sign?key=user-key-key` with the GET method, and the response is "failed to sign jwt".
   It gets a response when using the default algorithm, but an error when using RS256.





[GitHub] [apisix] Firstsawyou commented on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-844759207


   > How do I get a token when using jwt-auth with the RS256 algorithm?
   
   Please see here:
   
   1. Create consumer
   
   ```shell
   curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
   {
       "username": "jwt_rs256",
       "plugins": {
           "jwt-auth": {           
               "key": "user-key02",
               "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----",
               "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----",
               "algorithm": "RS256"
           }
       }
   }'
   ```
   
   2. Get token
   
   ```shell
   curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key02 -i
   HTTP/1.1 200 OK
   Date: Thu, 20 May 2021 06:45:44 GMT
   Content-Type: text/plain; charset=utf-8
   Transfer-Encoding: chunked
   Connection: keep-alive
   Server: APISIX/2.5
   
   eyJ0eXAiOiJKV1QiLCJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3FcLzB1a2lacVZRTFNKUE1PdjBveFFTdXR2dkszaG9pYndHYWtET3phK3hSSVRCN2NzMmNFQ0F3RUFBUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE2MjE1Nzk1NDQsImtleSI6InVzZXIta2V5MDIifQ.U2dbWLzrwP6HLuCnu0ntkXI-82XlwAh5ayY5ig6YiqmVeeb8Kx-VsMfD1JSSN8pXntwGYCfYGP_AFSwyoJ--5A
   ```
   





[GitHub] [apisix] vincentwc commented on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
vincentwc commented on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-844765809


   > > How do I get a token when using jwt-auth with the RS256 algorithm?
   > 
   > Please see here:
   > 
   > 1. Create consumer
   > 
   > ```shell
   > curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
   > {
   >     "username": "jwt_rs256",
   >     "plugins": {
   >         "jwt-auth": {           
   >             "key": "user-key02",
   >             "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----",
   >             "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----",
   >             "algorithm": "RS256"
   >         }
   >     }
   > }'
   > ```
   > 
   > 2. Get token
   > 
   > ```shell
   > curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key02 -i
   > HTTP/1.1 200 OK
   > Date: Thu, 20 May 2021 06:45:44 GMT
   > Content-Type: text/plain; charset=utf-8
   > Transfer-Encoding: chunked
   > Connection: keep-alive
   > Server: APISIX/2.5
   > 
   > eyJ0eXAiOiJKV1QiLCJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3FcLzB1a2lacVZRTFNKUE1PdjBveFFTdXR2dkszaG9pYndHYWtET3phK3hSSVRCN2NzMmNFQ0F3RUFBUT09XG4tLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0iXSwiYWxnIjoiUlMyNTYifQ.eyJleHAiOjE2MjE1Nzk1NDQsImtleSI6InVzZXIta2V5MDIifQ.U2dbWLzrwP6HLuCnu0ntkXI-82XlwAh5ayY5ig6YiqmVeeb8Kx-VsMfD1JSSN8pXntwGYCfYGP_AFSwyoJ--5A
   > ```
   
   Thanks, it's useful when I use the public_key and private_key you supplied.





[GitHub] [apisix] Firstsawyou commented on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-843922556


   Okay, I will reproduce it later.





[GitHub] [apisix] vincentwc commented on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
vincentwc commented on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-844726675


   One, create consumer 1:
   ```json
   {
       "username": "jack_jwt",
       "desc" : "jack jwt hs256",
       "plugins": {
           "jwt-auth": {
               "key": "user-key-jack",
               "secret": "my-secret-key"
           }
       }
   }
   ```
   Two, create consumer 2:
   ```json
   {
       "username": "jwt_rs256",
       "desc" : "jack jwt rs256",
       "plugins": {
           "jwt-auth": {
               "key": "user-key-rs256",
               "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----",
               "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----",
               "algorithm": "RS256"
           }
       }
   }
   ```
   Three, create route:
   ```json
   {
       "desc": "my-product-demo-85",
       "labels": {
           "demo_env" : "prod",
           "prod_env" : "prod"
       },
       "uri": "/product/hello",
       "upstream": {
           "type": "roundrobin",
           "nodes": {
               "10.255.249.3:8085": 1
           }
       }
   }
   ```
   Four, patch the route, add jwt-auth:
   ```json
   {
       "plugins" : {
           "jwt-auth": {}
       }
   }
   ```
   Five, get jwt-auth token:
   ```json
   {
       "username": "jwt_rs256",
       "plugins": {
           "jwt-auth": {
               "key": "user-key-rs256",
               "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----",
               "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----",
               "algorithm": "RS256"
           }
       }
   }
   ```
   Six, send a request to the product route, adding step five's response as the Authorization info in the headers, and get the product_route response info.
   Seven, add the consumer-restriction plugin to the product route; the whitelist contains only the step one consumer name:
   ```json
   {
       "plugins" : {
           "jwt-auth": {},
           "consumer-restriction" :{
               "whitelist" : [
                   "jack_jwt"
               ]
           }
       }
   }
   ```
   Then, send a request to the product route and add Authorization [step two]. It can get a response. Why?
   At step seven, I only set the step one consumer name in the whitelist, but the step two consumer is usable?
   Step seven: I add the consumer-restriction plugin and add only jack_jwt to the whitelist, but the token for jwt_rs256 can still access the route?





[GitHub] [apisix] vincentwc commented on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
vincentwc commented on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-843923493


   > Okay, I will reproduce it later.
   
   Thanks, and I hope you reply!





[GitHub] [apisix] vincentwc edited a comment on issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
vincentwc edited a comment on issue #4274:
URL: https://github.com/apache/apisix/issues/4274#issuecomment-844726675


   One, create consumer 1:
   ```json
   {
       "username": "jack_jwt",
       "desc" : "jack jwt hs256",
       "plugins": {
           "jwt-auth": {
               "key": "user-key-jack",
               "secret": "my-secret-key"
           }
       }
   }
   ```
   Two, create consumer 2:
   ```json
   {
       "username": "jwt_rs256",
       "desc" : "jack jwt rs256",
       "plugins": {
           "jwt-auth": {
               "key": "user-key-rs256",
               "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----",
               "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----",
               "algorithm": "RS256"
           }
       }
   }
   ```
   Three, create route:
   ```json
   {
       "desc": "my-product-demo-85",
       "labels": {
           "demo_env" : "prod",
           "prod_env" : "prod"
       },
       "uri": "/product/hello",
       "upstream": {
           "type": "roundrobin",
           "nodes": {
               "10.255.249.3:8085": 1
           }
       }
   }
   ```
   Four, patch the route, add jwt-auth:
   ```json
   {
       "plugins" : {
           "jwt-auth": {}
       }
   }
   ```
   Five, get the jwt-auth token using the step two key: user-key-rs256
   Six, send a request to the product route, adding step five's response as the Authorization info in the headers, and get the product_route response info.
   Seven, add the consumer-restriction plugin to the product route; the whitelist contains only the step one consumer name:
   ```json
   {
       "plugins" : {
           "jwt-auth": {},
           "consumer-restriction" :{
               "whitelist" : [
                   "jack_jwt"
               ]
           }
       }
   }
   ```
   Then, send a request to the product route and add Authorization [step two]. It can get a response. Why?
   At step seven, I only set the step one consumer name in the whitelist, but the step two consumer is usable?
   Step seven: I add the consumer-restriction plugin and add only jack_jwt to the whitelist, but the token for jwt_rs256 can still access the route?


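A diagnostic sketch for the reproduction steps in the comment above, added here as an example (it is not code from the issue or from APISIX): it decodes a token's `key` claim without verifying the signature, maps it to a consumer, and reports the status the route's `consumer-restriction` whitelist is expected to produce. The consumer table, the placeholder-signed sample tokens and the 401/403 status model are assumptions constructed for illustration.

```python
import base64
import json

# Constructed data mirroring the thread's consumers and route plugins.
CONSUMERS = {"user-key-jack": "jack_jwt", "user-key-rs256": "jwt_rs256"}
ROUTE_PLUGINS = {"jwt-auth": {}, "consumer-restriction": {"whitelist": ["jack_jwt"]}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_token(key: str, alg: str) -> str:
    """Build a constructed token with a placeholder signature (inspection only)."""
    header = b64url(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = b64url(json.dumps({"key": key, "exp": 1621579544}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"


def claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    data = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(data, dict):
        raise ValueError("JWT payload is not a JSON object")
    return data


def expected_status(token: str, plugins: dict = ROUTE_PLUGINS) -> tuple:
    """Return (consumer, HTTP status) this simplified model expects from the route."""
    try:
        consumer = CONSUMERS.get(claims(token).get("key"))
    except (ValueError, TypeError):
        consumer = None
    if consumer is None:
        return None, 401  # assumed: jwt-auth cannot map the token to a consumer
    rule = plugins.get("consumer-restriction", {})
    if "whitelist" in rule and consumer not in rule["whitelist"]:
        return consumer, 403  # assumed: consumer is not on the whitelist
    if consumer in rule.get("blacklist", []):
        return consumer, 403
    return consumer, 200
```

Running `claims()` on the token actually sent in step seven shows which consumer it belongs to; a `key` claim of `user-key-jack` would mean the request was admitted as the whitelisted consumer rather than as `jwt_rs256`.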



[GitHub] [apisix] vincentwc closed issue #4274: request help: it doesn't work when use consumer-restriction with jwt-auth

Posted by GitBox <gi...@apache.org>.
vincentwc closed issue #4274:
URL: https://github.com/apache/apisix/issues/4274


   

