I know this has nothing to do with the issue at hand, but if you have a public-facing Solr instance you have much bigger issues.
> On Sep 19, 2019, at 10:16 PM, Tyrone Tse <tyrone...@hotmail.com> wrote:
>
> I finally got JWT Authentication working on Solr 8.1.1.
> This is my security.json file contents
>
> {
>   "authentication":{
>     "class":"solr.JWTAuthPlugin",
>     "jwk":{
>       "kty":"oct",
>       "use":"sig",
>       "kid":"k1",
>       "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
>       "alg":"HS256"
>     },
>     "aud":"Solr"
>   },
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[
>       {
>         "name":"open_select",
>         "path":"/select/*",
>         "role":null
>       },
>       {
>         "name":"all-admin",
>         "collection":null,
>         "path":"/*",
>         "role":"admin"
>       },
>       {
>         "name":"update",
>         "role":"solr-update"
>       }
>     ],
>     "user-role":{
>       "admin":"solr-update"
>     }
>   }
> }
>
> I used the web site to generate the JWK key.
>
> So I am using the "k" value from the JWK to sign the JWT token.
>
> Initially, I used website
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
> to generate the JWT and sign it with the value
> xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ
>
> The header is
> {
>   "alg": "HS256",
>   "typ": "JWT"
> }
>
> and the payload is
>
> {
>   "sub": "admin",
>   "aud": "Solr",
>   "exp": 9916239022
> }
>
> This generates the JWT key of
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc
>
> So when I use this JWT token generated on https://jwt.io/, JWT authentication
> is working, and I can authenticate as the user admin and POST data to the
> Solr collections/cores.
>
> Now we have decided to get the JWT token generated using Java before we
> authenticate as the user admin to POST data to Solr, and to have a
> calculated expiration date.
>
> Here is the Java snippet for generating the JWT token
>
> import io.jsonwebtoken.Jwts;
> import io.jsonwebtoken.SignatureAlgorithm;
> ...
> ...
> String key="xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
> Calendar cal = Calendar.getInstance();
> Date issueAt = cal.getTime();
> cal.add(Calendar.MINUTE, 60);
> Date expDate = cal.getTime();
> String jws = Jwts.builder()
>     .setSubject("admin")
>     .setAudience("Solr")
>     .setExpiration(expDate)
>     .signWith(SignatureAlgorithm.HS256, key)
>     .compact();
> System.out.println(jws);
>
> This does not generate a valid JWT token; when I use it I am getting the
> error message
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
> <title>Error 401 Signature invalid</title>
> </head>
> <body>
> <h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/stores/update. Reason:
> <pre> Signature invalid</pre>
> </p>
> </body>
> </html>
>
> I tried generating the JWT token using JavaScript from this codepen
> https://codepen.io/tyrone-tse/pen/MWgzExB
>
> and it too generates an invalid JWT key.
>
> How come it works when the JWT is generated from
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
>> On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>
>> See answer in other thread. JWT works for 8.1 or later, don't attempt it
>> in 7.x.
>>
>> You could try to turn on debug logging for org.apache.solr.security to get
>> more logging.
>>
>> Jan Høydahl
>>
>>> On 13 Sep 2019 at 00:24, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>
>>> Jan
>>>
>>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>>
>>> If my security.json file is
>>>
>>> {
>>>   "authentication": {
>>>     "class":"com.cominvent.solr.JWTAuthPlugin",
>>>     "jwk" : {
>>>       "kty": "oct",
>>>       "use": "sig",
>>>       "kid": "solr",
>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>       "alg": "HS256"
>>>     }
>>>   }
>>> }
>>>
>>> And my JWT token has the properties
>>>
>>> Header
>>> {
>>>   "alg": "HS256",
>>>   "typ": "JWT"
>>> }
>>>
>>> Payload
>>> {
>>>   "sub": "admin",
>>>   "name": "admin",
>>>   "iat": 1516239022
>>> }
>>>
>>> What other parameters do I need to add to the security.json file to
>>> secure Solr 7.2? I don't want anyone being able to access it without
>>> using
>>>
>>> curl -H "Authorization : Bearer <jwt-token>"
>>> http://localhost:8983/solr/admin/info
>>>
>>> Thanks
>>> Tyrone
>>>
>>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <tyrone...@hotmail.com>
>>>> wrote:
>>>>
>>>> All I could see in the solr.log was (could it be the Java version?)
>>>>
>>>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23, lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27, source=flush, os.version=10.12.6, timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>> 2019-09-10 19:16:02.312 WARN (qtp875016237-24) [ ] o.a.s.s.JWTAuthPlugin Authentication failed.
>>>>
>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <jan....@cominvent.com>
>>>> wrote:
>>>>
>>>>> Please check the error message in solr.log on the server side and paste
>>>>> that here. Could be a bug 🕷
>>>>>
>>>>> Jan Høydahl
>>>>>
>>>>>> On 10 Sep 2019 at 18:51, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>>>
>>>>>> Jan, using https://mkjwk.org/
>>>>>> I generated the following JWK
>>>>>>
>>>>>> {
>>>>>>   "kty": "oct",
>>>>>>   "use": "sig",
>>>>>>   "kid": "solr",
>>>>>>   "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>   "alg": "HS256"
>>>>>> }
>>>>>>
>>>>>> So I put the generated JWK into my Solr server security.json file like
>>>>>> this
>>>>>>
>>>>>> {
>>>>>>   "authentication": {
>>>>>>     "class":"solr.JWTAuthPlugin",
>>>>>>     "blockUnknown": true,
>>>>>>     "jwk" : {
>>>>>>       "kty": "oct",
>>>>>>       "use": "sig",
>>>>>>       "kid": "solr",
>>>>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>       "alg": "HS256"
>>>>>>     }
>>>>>>   }
>>>>>> }
>>>>>>
>>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>>>> "k":
>>>>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>
>>>>>> for the secret key
>>>>>>
>>>>>> My JWT header
>>>>>> {
>>>>>>   "alg": "HS256",
>>>>>>   "typ": "JWT"
>>>>>> }
>>>>>>
>>>>>> Payload
>>>>>>
>>>>>> {
>>>>>>   "sub": "1234567890",
>>>>>>   "name": "John Doe",
>>>>>>   "iat": 1516239022
>>>>>> }
>>>>>>
>>>>>> Secret key
>>>>>>
>>>>>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>>
>>>>>> Which generates the following encoded JWT
>>>>>>
>>>>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>>
>>>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>>>> as follows
>>>>>>
>>>>>> curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
>>>>>> http://localhost:8983/solr/admin/info/system
>>>>>>
>>>>>> I get the error message
>>>>>>
>>>>>> <html>
>>>>>> <head>
>>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>> <title>Error 401 JWT validation failed</title>
>>>>>> </head>
>>>>>> <body><h2>HTTP ERROR 401</h2>
>>>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>> <pre> JWT validation failed</pre></p>
>>>>>> </body>
>>>>>> </html>
>>>>>>
>>>>>> Am I missing something in my security.json file?
>>>>>>
>>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> I think you are confusing JWK with the JWT token. JWK is only for
>>>>>>> defining the key, see https://mkjwk.org for an online JWK generator,
>>>>>>> you can choose HS256 as algorithm. Put the generated JWK in Solr's
>>>>>>> config and also use the generated key to sign your JWT. Then Solr
>>>>>>> should be able to validate the JWT.
>>>>>>>
>>>>>>> --
>>>>>>> Jan Høydahl, search solution architect
>>>>>>> Cominvent AS - www.cominvent.com
>>>>>>>
>>>>>>>> On 10 Sep 2019 at 01:21, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Jan
>>>>>>>>
>>>>>>>> Can my jwk object be something like
>>>>>>>>
>>>>>>>> {"alg": "HS256", "typ": "JWT",
>>>>>>>>
>>>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>>>
>>>>>>>> "k" : "secret-key"}
>>>>>>>>
>>>>>>>> Where k is the JWT secret key?
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> In your security.json, add a JWK matching your signing algorithm,
>>>>>>>>> using the "jwk" JSON key.
>>>>>>>>>
>>>>>>>>> Example:
>>>>>>>>> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>>
>>>>>>>>> Of course you need to find a way to encode your particular secret
>>>>>>>>> in jwk format, there should be plenty of tools available for that.
>>>>>>>>> If you intend to use symmetric key in prod you have to configure
>>>>>>>>> solr so that security.json is not readable for anyone but the admin!
>>>>>>>>>
>>>>>>>>> Jan Høydahl
>>>>>>>>>
>>>>>>>>>> On 9 Sep 2019 at 05:46, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> HS256
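The "Signature invalid" response in the quoted thread is what a verifier returns when the key bytes it derives from the JWK's "k" member differ from the bytes the signer actually used. The example below is added here and is not code from the thread, from Solr or from jjwt; it uses a constructed key (not the one posted) and stdlib Python to show that "k" is the base64url encoding of the raw HMAC key (RFC 7518 section 6.4.1), that a token signed over those decoded bytes passes a verifier that also checks aud and exp, and that signing over the literal text of "k" yields a token the same verifier rejects.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (NOT the key from the thread). Per RFC 7518 the JWK
# "k" member is the base64url encoding of the raw HMAC key bytes.
RAW_KEY = hashlib.sha256(b"constructed-demo-key").digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

JWK = {"kty": "oct", "use": "sig", "kid": "k1", "k": b64url(RAW_KEY), "alg": "HS256"}

def jwk_key_bytes(jwk: dict) -> bytes:
    """The bytes a verifier uses: base64url-decode "k", never use its text."""
    return b64url_decode(jwk["k"])

def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, jwk: dict, audience: str, now=None):
    """Mirror a server-side check: alg pinned, signature over decoded "k", aud, exp."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(jwk_key_bytes(jwk), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "Signature invalid"
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != audience:
        return False, "aud mismatch"
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return False, "expired"
    return True, "ok"

def demo():
    claims = {"sub": "admin", "aud": "Solr", "exp": int(time.time()) + 3600}
    good = sign_hs256(claims, jwk_key_bytes(JWK))     # key bytes match the verifier's
    bad = sign_hs256(claims, JWK["k"].encode())       # the pitfall: "k" used as text
    return verify_hs256(good, JWK, "Solr"), verify_hs256(bad, JWK, "Solr")
```

Note that the thread's first jwt.io link carries "aud":"solr" while security.json says "Solr"; the aud check above is case-sensitive in the same way.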