I finally got JWT Authentication working on Solr 8.1.1. This is my security.json file contents:

    {
      "authentication": {
        "class": "solr.JWTAuthPlugin",
        "jwk": {
          "kty": "oct",
          "use": "sig",
          "kid": "k1",
          "k": "xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
          "alg": "HS256"
        },
        "aud": "Solr"
      },
      "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
          { "name": "open_select", "path": "/select/*", "role": null },
          { "name": "all-admin", "collection": null, "path": "/*", "role": "admin" },
          { "name": "update", "role": "solr-update" }
        ],
        "user-role": { "admin": "solr-update" }
      }
    }

I used the web site to generate the JWK key, so I am using the "k" value from the JWK to sign the JWT token.

Initially, I used the website https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ to generate the JWT and sign it with the value

    xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ

The header is

    { "alg": "HS256", "typ": "JWT" }

and the payload is

    { "sub": "admin", "aud": "Solr", "exp": 9916239022 }

This generates the JWT of

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc

So when I use this JWT token generated at https://jwt.io/, JWT authentication is working, and I can authenticate as the user admin and POST data to the Solr collections/cores.

Now we have decided to generate the JWT token using Java before we authenticate as the user admin to POST data to Solr, and to have a calculated expiration date. Here is the Java snippet for generating the JWT token:

    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import java.util.Calendar;
    import java.util.Date;
    ...
    ...
    // the "k" value copied from the JWK in security.json
    String key = "xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
    Calendar cal = Calendar.getInstance();
    Date issueAt = cal.getTime();
    cal.add(Calendar.MINUTE, 60);          // expiration 60 minutes from now
    Date expDate = cal.getTime();
    String jws = Jwts.builder()
        .setSubject("admin")
        .setAudience("Solr")
        .setExpiration(expDate)
        .signWith(SignatureAlgorithm.HS256, key)
        .compact();
    System.out.println(jws);

This does not generate a valid JWT token; when I use it I am getting the error message

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <title>Error 401 Signature invalid</title>
    </head>
    <body>
    <h2>HTTP ERROR 401</h2>
    <p>Problem accessing /solr/stores/update. Reason:
    <pre>    Signature invalid</pre>
    </p>
    </body>
    </html>

I tried generating the JWT token using JavaScript from this codepen https://codepen.io/tyrone-tse/pen/MWgzExB and it too generates an invalid JWT. How come it works when the JWT is generated from https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ ?

On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <jan....@cominvent.com> wrote:

> See answer in other thread. JWT works for 8.1 or later, don't attempt it in 7.x.
>
> You could try to turn on debug logging for org.apache.solr.security to get more logging.
>
> Jan Høydahl
>
>> On 13 Sep 2019, at 00:24, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>
>> Jan
>>
>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>
>> If my security.json file is
>>
>>     {
>>       "authentication": {
>>         "class": "com.cominvent.solr.JWTAuthPlugin",
>>         "jwk": {
>>           "kty": "oct",
>>           "use": "sig",
>>           "kid": "solr",
>>           "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>           "alg": "HS256"
>>         }
>>       }
>>     }
>>
>> and my JWT token has the properties
>>
>> Header
>>
>>     { "alg": "HS256", "typ": "JWT" }
>>
>> Payload
>>
>>     { "sub": "admin", "name": "admin", "iat": 1516239022 }
>>
>> what other parameters do I need to add to the security.json file to secure Solr 7.2? I don't want anyone being able to access it without using
>>
>>     curl -H "Authorization : Bearer <jwt-token>" http://localhost:8983/solr/admin/info
>>
>> Thanks
>> Tyrone
>>
>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>
>>> All I could see in the solr.log was (could it be the java version?)
>>>
>>>     main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23, lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27, source=flush, os.version=10.12.6, timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>     2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ] o.a.s.s.JWTAuthPlugin Authentication failed.
>>>
>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>
>>>> Please check the error message in solr.log on the server side and paste that here. Could be a bug 🕷
>>>>
>>>> Jan Høydahl
>>>>
>>>>> On 10 Sep 2019, at 18:51, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>>
>>>>> Jan, using https://mkjwk.org/ I generated the following JWK
>>>>>
>>>>>     {
>>>>>       "kty": "oct",
>>>>>       "use": "sig",
>>>>>       "kid": "solr",
>>>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>       "alg": "HS256"
>>>>>     }
>>>>>
>>>>> So I put the generated JWK into my solr server security.json file like this
>>>>>
>>>>>     {
>>>>>       "authentication": {
>>>>>         "class": "solr.JWTAuthPlugin",
>>>>>         "blockUnknown": true,
>>>>>         "jwk": {
>>>>>           "kty": "oct",
>>>>>           "use": "sig",
>>>>>           "kid": "solr",
>>>>>           "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>           "alg": "HS256"
>>>>>         }
>>>>>       }
>>>>>     }
>>>>>
>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of "k":
>>>>>
>>>>>     pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>
>>>>> for the secret key.
>>>>>
>>>>> My JWT header
>>>>>
>>>>>     { "alg": "HS256", "typ": "JWT" }
>>>>>
>>>>> Payload
>>>>>
>>>>>     { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
>>>>>
>>>>> Secret key
>>>>>
>>>>>     pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>
>>>>> Which generates the following encoded JWT
>>>>>
>>>>>     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>
>>>>> So I then tried to use the JWT encoded value in a curl command to Solr as follows
>>>>>
>>>>>     curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" http://localhost:8983/solr/admin/info/system
>>>>>
>>>>> I get the error message
>>>>>
>>>>>     <html>
>>>>>     <head>
>>>>>     <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>     <title>Error 401 JWT validation failed</title>
>>>>>     </head>
>>>>>     <body><h2>HTTP ERROR 401</h2>
>>>>>     <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>     <pre>    JWT validation failed</pre></p>
>>>>>     </body>
>>>>>     </html>
>>>>>
>>>>> Am I missing something in my security.json file?
>>>>>
>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>
>>>>>> I think you are confusing JWK with the JWT token. JWK is only for defining the key, see https://mkjwk.org for an online JWK generator, you can choose HS256 as algorithm. Put the generated JWK in Solr's config and also use the generated key to sign your JWT. Then Solr should be able to validate the JWT.
>>>>>>
>>>>>> --
>>>>>> Jan Høydahl, search solution architect
>>>>>> Cominvent AS - www.cominvent.com
>>>>>>
>>>>>>> On 10 Sep 2019, at 01:21, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>
>>>>>>> Jan
>>>>>>>
>>>>>>> Can my jwk object be something like
>>>>>>>
>>>>>>>     {"alg": "HS256", "typ": "JWT", "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "k": "secret-key"}
>>>>>>>
>>>>>>> where k is the JWT secret key?
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>>
>>>>>>>> In your security.json, add a JWK matching your signing algorithm, using the "jwk" JSON key.
>>>>>>>>
>>>>>>>> Example:
>>>>>>>>
>>>>>>>>     "jwk": { "kty": "oct", "kid": "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg": "HS256", "k": "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>
>>>>>>>> Of course you need to find a way to encode your particular secret in jwk format, there should be plenty of tools available for that. If you intend to use symmetric key in prod you have to configure solr so that security.json is not readable for anyone but the admin!
>>>>>>>>
>>>>>>>> Jan Høydahl
>>>>>>>>
>>>>>>>>> On 9 Sep 2019, at 05:46, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> HS256
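A stand-alone illustration of the key-encoding point Jan raises above (the "k" member of an "oct" JWK is an encoding of the secret, not the secret itself), added here and not code from the thread, from Solr or from jwt.io: it signs the thread's header and payload with the decoded key octets of a constructed JWK and verifies the result, then shows that signing with the base64url text of "k" instead produces a token the verifier rejects. The JWK, its secret, and the verify function are assumptions of this example; the audience check mirrors the "aud": "Solr" setting in the security.json above.

```python
import base64
import hashlib
import hmac
import json

# Constructed JWK for this example (not the key from the thread). Per RFC 7518
# section 6.4, "k" of an "oct" JWK is the base64url encoding of the raw key octets.
SAMPLE_JWK = {
    "kty": "oct", "use": "sig", "kid": "k1", "alg": "HS256",
    "k": base64.urlsafe_b64encode(b"example-32-byte-secret-for-hs256").rstrip(b"=").decode(),
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_oct_key_bytes(jwk: dict) -> bytes:
    """Raw HMAC key octets of an 'oct' JWK: base64url-decode 'k'; never use the text itself."""
    if jwk.get("kty") != "oct":
        raise ValueError("only symmetric (kty=oct) keys are handled here")
    return b64url_decode(jwk["k"])

def sign_hs256(payload: dict, key: bytes) -> str:
    # Same header the thread's tokens carry: {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, jwk: dict, audience: str) -> bool:
    """Pin the algorithm, check the MAC in constant time, then check 'aud'."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return False  # reject "none" or any other algorithm before touching the key
        mac = hmac.new(jwk_oct_key_bytes(jwk), f"{h}.{p}".encode("ascii"), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), b64url_decode(s)):
            return False
        return json.loads(b64url_decode(p)).get("aud") == audience
    except (ValueError, KeyError):
        return False

def demo() -> tuple:
    """Returns (decoded-key token verifies, raw-'k'-text token verifies)."""
    payload = {"sub": "admin", "aud": "Solr", "exp": 9916239022}
    good = sign_hs256(payload, jwk_oct_key_bytes(SAMPLE_JWK))
    bad = sign_hs256(payload, SAMPLE_JWK["k"].encode("ascii"))  # the common mistake
    return verify_hs256(good, SAMPLE_JWK, "Solr"), verify_hs256(bad, SAMPLE_JWK, "Solr")
```

Any signer and verifier that disagree on whether "k" is decoded first will produce exactly the "Signature invalid" mismatch seen in the thread, so checking that both sides derive the same key octets is the first thing to confirm.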