Jan, using https://mkjwk.org/ I generated the following JWK:

{
  "kty": "oct",
  "use": "sig",
  "kid": "solr",
  "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
  "alg": "HS256"
}

So I put the generated JWK into my Solr server's security.json file like this:

{
  "authentication": {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": true,
    "jwk": {
      "kty": "oct",
      "use": "sig",
      "kid": "solr",
      "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
      "alg": "HS256"
    }
  }
}

Then I went to https://jwt.io/ to generate the JWT, using the value of "k":

pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ

for the secret key.

My JWT header
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Secret key
pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ

Which generates the following encoded JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44


So I then tried to use the encoded JWT value in a curl command to Solr as follows:

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" http://localhost:8983/solr/admin/info/system

I get the error message:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 JWT validation failed</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/info/system. Reason:
<pre>    JWT validation failed</pre></p>
</body>
</html>


Am I missing something in my security.json file?

On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com> wrote:

> I think you are confusing JWK with the JWT token. JWK is only for defining
> the key, see https://mkjwk.org for an online JWK generator, you can
> choose HS256 as algorithm. Put the generated JWK in Solr's config and also
> use the generated key to sign your JWT. Then Solr should be able to
> validate the JWT.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > On 10 Sep 2019 at 01:21, Tyrone <tyrone....@gmail.com> wrote:
> >
> > Jan
> >
> > Can my jwk object be something like
> >
> > {"alg": "HS256", "typ": "JWT",
> >
> > "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
> >
> > "k" : "secret-key"}
> >
> > Where k is the JWT secret key?
> >
> >
> > Sent from my iPhone
> >
> >> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com> wrote:
> >>
> >> In your security.json, add a JWK matching your signing algorithm, using
> >> the "jwk" JSON key.
> >>
> >> Example:
> >> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
> >>
> >> Of course you need to find a way to encode your particular secret in
> >> jwk format, there should be plenty of tools available for that. If you
> >> intend to use symmetric key in prod you have to configure solr so that
> >> security.json is not readable for anyone but the admin!
> >>
> >> Jan Høydahl
> >>
> >>> On 9 Sep 2019 at 05:46, Tyrone <tyrone....@gmail.com> wrote:
> >>>
> >>> HS256
>
>
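An added example, not code from this thread or from Solr, mkjwk or jwt.io, showing what a JWK of type "oct" actually carries: per RFC 7518 section 6.4.1 the "k" member is the base64url encoding of the raw key octets, so the HMAC key a verifier such as Solr's JWTAuthPlugin uses is the decoded bytes (256 of them here), not the 342-character string itself. A signing tool that is handed that string as a plain-text secret produces a signature over different key bytes, and validation fails. The block signs and verifies HS256 tokens with only the Python standard library and includes a `diagnose` helper that reports which reading of "k" a token's signature matches. The JWK and token constants are copied from the thread above; the function names are my own and not any library's API.

```python
import base64
import hashlib
import hmac
import json

# JWK copied from the thread above (symmetric HS256 key generated at mkjwk.org).
JWK = {
    "kty": "oct",
    "use": "sig",
    "kid": "solr",
    "alg": "HS256",
    "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
}

# Token copied from the thread above (produced at jwt.io with the "k" string as secret).
TOKEN_FROM_THREAD = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_oct_key_bytes(jwk: dict) -> bytes:
    """RFC 7518 section 6.4.1: for kty "oct", "k" is the base64url encoding of the key octets."""
    if jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric (kty=oct) JWK")
    return b64url_decode(jwk["k"])


def sign_hs256(payload: dict, key: bytes, kid=None) -> str:
    """Build a compact JWS (header.payload.signature) with HMAC-SHA256 over the signing input."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid  # lets a verifier holding several JWKs pick the matching one
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC and compare in constant time; accept nothing but HS256."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64 or bad JSON (binascii.Error and JSONDecodeError are ValueErrors)
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # the token must not get to choose a weaker or "none" algorithm
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(parts[2]))
    except ValueError:
        return False


def diagnose(token: str, jwk: dict) -> str:
    """Report which reading of "k" a token's signature matches."""
    if verify_hs256(token, jwk_oct_key_bytes(jwk)):
        return "decoded-bytes"  # signed with the key the JWK actually describes
    if verify_hs256(token, jwk["k"].encode("ascii")):
        return "literal-string"  # signed with the base64url text itself as the secret
    return "neither"


if __name__ == "__main__":
    key = jwk_oct_key_bytes(JWK)
    print("key length in bytes:", len(key))
    print("token from the thread was signed with:", diagnose(TOKEN_FROM_THREAD, JWK))
    payload = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
    local = sign_hs256(payload, key, kid=JWK["kid"])
    print("locally signed token verifies against the JWK bytes:", verify_hs256(local, key))
```

Running the script against the token from the thread tells you which interpretation the signing tool used; only a token reported as "decoded-bytes" is signed with the key that the JWK in security.json describes. The `kid` in the header is optional for a single-key setup but is what lets a verifier select the right JWK when several are configured, and the explicit `alg` check in `verify_hs256` is the standard defence against a token declaring an algorithm the server did not intend to accept.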

Reply via email to