Jan, using https://mkjwk.org/ I generated the following JWK:

{
  "kty": "oct",
  "use": "sig",
  "kid": "solr",
  "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
  "alg": "HS256"
}

So I put the generated JWK into my Solr server's security.json file like this:

{
  "authentication": {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": true,
    "jwk": {
      "kty": "oct",
      "use": "sig",
      "kid": "solr",
      "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
      "alg": "HS256"
    }
  }
}

Then I went to https://jwt.io/ to generate the JWT, using the value of "k" for the secret key.

My JWT header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Secret key:

pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ

Which generates the following encoded JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44

So I then tried to use the encoded JWT value in a curl command to Solr as follows:

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" http://localhost:8983/solr/admin/info/system

I get the error message:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 JWT validation failed</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/info/system. Reason:
<pre>    JWT validation failed</pre></p>
</body>
</html>

Am I missing something in my security.json file?

On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com> wrote:
> I think you are confusing JWK with the JWT token. JWK is only for defining
> the key, see https://mkjwk.org for an online JWK generator, you can
> choose HS256 as algorithm. Put the generated JWK in Solr's config and also
> use the generated key to sign your JWT. Then Solr should be able to
> validate the JWT.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > On 10 Sep 2019 at 01:21, Tyrone <tyrone....@gmail.com> wrote:
> >
> > Jan
> >
> > Can my jwk object be something like
> >
> > {"alg": "HS256", "typ": "JWT",
> > "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
> > "k": "secret-key"}
> >
> > Where k is the JWT secret key?
> >
> > Sent from my iPhone
> >
> >> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com> wrote:
> >>
> >> In your security.json, add a JWK matching your signing algorithm, using
> >> the "jwk" JSON key.
> >>
> >> Example:
> >> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
> >>
> >> Of course you need to find a way to encode your particular secret in
> >> jwk format, there should be plenty of tools available for that. If you
> >> intend to use a symmetric key in prod you have to configure Solr so that
> >> security.json is not readable by anyone but the admin!
> >>
> >> Jan Høydahl
> >>
> >>> On 9 Sep 2019 at 05:46, Tyrone <tyrone....@gmail.com> wrote:
> >>>
> >>> HS256
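Editor's note, added to this thread as a worked example (it is not code from the posts above or from Solr). One mismatch that produces exactly this kind of "validation failed" when a token is built by hand against an "oct" JWK: the JWK's "k" member is the base64url encoding of the raw key bytes (RFC 7518, section 6.4.1), so a JWK consumer computes the HMAC with the decoded bytes, whereas pasting "k" into jwt.io's secret field signs with the literal text of that string unless its "secret base64 encoded" option is enabled. The script below reproduces both signings with the standard library only, diagnoses which secret a given token was signed with, and mints a token the way a JWK consumer expects. The function names, the `kid` header, and the `exp` claim in `mint_token` are this example's own choices (validators commonly insist on `exp`; Solr's plugin has a `requireExp` setting, so check yours).

```python
# Added example for this thread; not code from the original posts or from Solr.
# Shows why a JWT signed with a JWK's "k" pasted as a literal secret does not
# verify against that JWK, and how to sign with the key the JWK describes.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Copy of the symmetric JWK posted in the thread. For kty "oct", "k" is the
# base64url encoding of the raw key bytes (RFC 7518 section 6.4.1).
JWK = {
    "kty": "oct",
    "use": "sig",
    "kid": "solr",
    "alg": "HS256",
    "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
}

# The token the thread says jwt.io produced with "k" typed into the secret field.
POSTED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
)


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_oct_key_bytes(jwk: dict) -> bytes:
    """The raw HMAC key a JWK consumer derives from an 'oct' JWK:
    the base64url-DECODED value of 'k', not the text of 'k'."""
    if jwk.get("kty") != "oct":
        raise ValueError("only symmetric (kty=oct) JWKs carry a 'k' member")
    return b64url_decode(jwk["k"])


def sign_hs256(payload: dict, key: bytes, kid: Optional[str] = None) -> str:
    """Build a compact JWS over `payload` with HMAC-SHA256 keyed by `key`.
    `kid` (optional, this example's choice) lets a verifier holding several
    JWKs select the right one."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the HS256 signature only (no claim checks); rejects any other alg."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        given = b64url_decode(s)
    except ValueError:  # bad segment count, bad base64, bad JSON or bad UTF-8
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def which_secret_signed(token: str, jwk: dict) -> Optional[str]:
    """Diagnose a hand-built token a JWK consumer rejects: 'decoded' if the HMAC
    used the key bytes the JWK describes, 'literal' if it used the text of 'k'
    (what pasting 'k' into a signing tool's secret box does), else None."""
    if verify_hs256(token, jwk_oct_key_bytes(jwk)):
        return "decoded"
    if verify_hs256(token, jwk["k"].encode("ascii")):
        return "literal"
    return None


def mint_token(jwk: dict, subject: str, ttl_seconds: int = 3600) -> str:
    """Sign the way the JWK's consumer expects: decoded key bytes, plus an
    'exp' claim, which many validators require (check the plugin's settings)."""
    now = int(time.time())
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    return sign_hs256(payload, jwk_oct_key_bytes(jwk), kid=jwk.get("kid"))


if __name__ == "__main__":
    print("posted token was signed with:", which_secret_signed(POSTED_TOKEN, JWK))
    token = mint_token(JWK, "1234567890")
    print("minted token verifies as:", which_secret_signed(token, JWK))
    print("curl -H 'Authorization: Bearer %s' http://localhost:8983/solr/admin/info/system" % token)
```

Run it and the first line tells you whether the posted token's HMAC was computed over the decoded key or over the literal "k" text; if it reports "literal", either tick jwt.io's "secret base64 encoded" option or sign with the decoded bytes as `mint_token` does. Note that `verify_hs256` only checks the signature; a real consumer also checks claims such as `exp`, `iss` and `aud` where configured, which is a separate reason a token can be rejected.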