Of course the secret key is just for my local development solr instance 🙄
> On Sep 19, 2019, at 10:35 PM, Dave <hastings.recurs...@gmail.com> wrote:
>
> I know this has nothing to do with the issue at hand but if you have a public
> facing solr instance you have much bigger issues.
>
>> On Sep 19, 2019, at 10:16 PM, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>
>> I finally got JWT Authentication working on Solr 8.1.1.
>> This is my security.json file contents
>> {
>>   "authentication":{
>>     "class":"solr.JWTAuthPlugin",
>>     "jwk":{
>>       "kty":"oct",
>>       "use":"sig",
>>       "kid":"k1",
>>       "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
>>       "alg":"HS256"
>>     },
>>     "aud":"Solr"
>>   },
>>   "authorization":{
>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>     "permissions":[
>>       {
>>         "name":"open_select",
>>         "path":"/select/*",
>>         "role":null
>>       },
>>       {
>>         "name":"all-admin",
>>         "collection":null,
>>         "path":"/*",
>>         "role":"admin"
>>       },
>>       {
>>         "name":"update",
>>         "role":"solr-update"
>>       }
>>     ],
>>     "user-role":{
>>       "admin":"solr-update"
>>     }
>>   }
>> }
>>
>> I used the web site to generate the JWK key.
>>
>> So I am using the "k" value from the JWK to sign the JWT token.
>>
>> Initially, I used website
>> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>>
>> to generate the JWT and sign it with the value
>> xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ
>>
>> The header is
>> {
>>   "alg": "HS256",
>>   "typ": "JWT"
>> }
>>
>> and the payload is
>>
>> {
>>   "sub": "admin",
>>   "aud": "Solr",
>>   "exp": 9916239022
>> }
>>
>> This generates the JWT key of
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc
>>
>> So when I use this JWT token generated https://jwt.io/ JWT authentication
>> is working, and I can authenticate as the user admin and Post data to the
>> Solr collections/cores.
>>
>> Now we have decided to get the JWT token generated using Java before we
>> authenticate as the user admin to Post data to Solr, and to have a
>> calculated expiration date
>>
>> Here is the Java Snippet for generating the JWT token
>>
>> import io.jsonwebtoken.Jwts;
>> import io.jsonwebtoken.SignatureAlgorithm;
>> ...
>> ...
>> String key="xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
>> Calendar cal =Calendar.getInstance();
>> Date issueAt = cal.getTime();
>> cal.add(Calendar.MINUTE,60);
>> Date expDate = cal.getTime();
>> String jws = Jwts.builder().
>>     setSubject("admin")
>>     .setAudience("Solr")
>>     .setExpiration(expDate)
>>     .signWith(SignatureAlgorithm.HS256,key).compact();
>> System.out.println(jws);
>>
>> This does not generate a valid JWT token, when I use it I am getting the
>> error message
>> <html>
>>
>> <head>
>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
>> <title>Error 401 Signature invalid</title>
>> </head>
>>
>> <body>
>> <h2>HTTP ERROR 401</h2>
>> <p>Problem accessing /solr/stores/update. Reason:
>> <pre> Signature invalid</pre>
>> </p>
>> </body>
>>
>> </html>
>>
>> I tried generating the JWT token using JavaScript from this codepen
>> https://codepen.io/tyrone-tse/pen/MWgzExB
>>
>> and it too generates an invalid JWT key.
>>
>> How come it works when the JWT is generated from
>> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>>
>>> On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>>
>>> See answer in other thread. JWT works for 8.1 or later, don’t attempt it
>>> in 7.x.
>>>
>>> You could try to turn on debug logging for org.apache.solr.security to get
>>> more logging.
>>>
>>> Jan Høydahl
>>>
>>>> On 13 Sep 2019, at 00:24, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>
>>>> Jan
>>>>
>>>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>>>
>>>> If my security.json file is
>>>>
>>>> {
>>>>   "authentication": {
>>>>     "class":"com.cominvent.solr.JWTAuthPlugin",
>>>>     "jwk" : {
>>>>       "kty": "oct",
>>>>       "use": "sig",
>>>>       "kid": "solr",
>>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>       "alg": "HS256"
>>>>     }
>>>>   }
>>>> }
>>>>
>>>> And my JWT token has the properties
>>>>
>>>> Header
>>>> {
>>>>   "alg": "HS256",
>>>>   "typ": "JWT"
>>>> }
>>>>
>>>> Payload
>>>> {
>>>>   "sub": "admin",
>>>>   "name": "admin",
>>>>   "iat": 1516239022
>>>> }
>>>>
>>>> What other parameters do I need to add to the security.json file to
>>>> secure Solr 7.2 ? I don't want anyone being able to access it without using
>>>>
>>>> curl -H "Authorization : Bearer <jwt-token>"
>>>> http://localhost:8983/solr/admin/info
>>>>
>>>> Thanks Tyrone
>>>>
>>>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>>
>>>>> All I could see in the solr.log was ( could it be the java version ?)
>>>>>
>>>>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23, lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27, source=flush, os.version=10.12.6, timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>>> 2019-09-10 19:16:02.312 WARN (qtp875016237-24) [ ] o.a.s.s.JWTAuthPlugin Authentication failed.
>>>>>
>>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>
>>>>>> Please check the error message in solr.log on the server side and paste
>>>>>> that here. Could be a bug 🕷
>>>>>>
>>>>>> Jan Høydahl
>>>>>>
>>>>>>> On 10 Sep 2019, at 18:51, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>>>>
>>>>>>> Jan using https://mkjwk.org/
>>>>>>> I generated the following JWK
>>>>>>>
>>>>>>> {
>>>>>>>   "kty": "oct",
>>>>>>>   "use": "sig",
>>>>>>>   "kid": "solr",
>>>>>>>   "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>>   "alg": "HS256"
>>>>>>> }
>>>>>>>
>>>>>>> So I put the generated JWK into my solr server security.json file like this
>>>>>>>
>>>>>>> {
>>>>>>>   "authentication": {
>>>>>>>     "class":"solr.JWTAuthPlugin",
>>>>>>>     "blockUnknown": true,
>>>>>>>     "jwk" : {
>>>>>>>       "kty": "oct",
>>>>>>>       "use": "sig",
>>>>>>>       "kid": "solr",
>>>>>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>>       "alg": "HS256"
>>>>>>>     }
>>>>>>>   }
>>>>>>> }
>>>>>>>
>>>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>>>>> "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>>
>>>>>>> for the secret key
>>>>>>>
>>>>>>> My JWT header
>>>>>>> {
>>>>>>>   "alg": "HS256",
>>>>>>>   "typ": "JWT"
>>>>>>> }
>>>>>>>
>>>>>>> Payload
>>>>>>>
>>>>>>> {
>>>>>>>   "sub": "1234567890",
>>>>>>>   "name": "John Doe",
>>>>>>>   "iat": 1516239022
>>>>>>> }
>>>>>>>
>>>>>>> Secret key
>>>>>>>
>>>>>>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>>>
>>>>>>> Which generates the following encoded JWT
>>>>>>>
>>>>>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>>>
>>>>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>>>>> as follows
>>>>>>>
>>>>>>> curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" http://localhost:8983/solr/admin/info/system
>>>>>>>
>>>>>>> I get the error message
>>>>>>>
>>>>>>> <html>
>>>>>>> <head>
>>>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>>> <title>Error 401 JWT validation failed</title>
>>>>>>> </head>
>>>>>>> <body><h2>HTTP ERROR 401</h2>
>>>>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>>> <pre> JWT validation failed</pre></p>
>>>>>>> </body>
>>>>>>> </html>
>>>>>>>
>>>>>>> Am I missing something in my security.json file ?
>>>>>>>
>>>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>>
>>>>>>>> I think you are confusing JWK with the JWT token. JWK is only for defining
>>>>>>>> the key, see https://mkjwk.org for an online JWK generator, you can
>>>>>>>> choose HS256 as algorithm. Put the generated JWK in Solr's config and also
>>>>>>>> use the generated key to sign your JWT. Then Solr should be able to
>>>>>>>> validate the JWT.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jan Høydahl, search solution architect
>>>>>>>> Cominvent AS - www.cominvent.com
>>>>>>>>
>>>>>>>>> On 10 Sep 2019, at 01:21, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Jan
>>>>>>>>>
>>>>>>>>> Can my jwk object be something like
>>>>>>>>>
>>>>>>>>> {"alg": "HS256", "typ": "JWT",
>>>>>>>>>
>>>>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>>>>
>>>>>>>>> "k" : "secret-key"}
>>>>>>>>>
>>>>>>>>> Where k is the JWT secret key?
>>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>>>>
>>>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>>>>
>>>>>>>>>> In your security.json, add a JWK matching your signing algorithm, using
>>>>>>>>>> the “jwk” JSON key.
>>>>>>>>>>
>>>>>>>>>> Example:
>>>>>>>>>> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>>>
>>>>>>>>>> Of course you need to find a way to encode your particular secret in
>>>>>>>>>> jwk format, there should be plenty of tools available for that. If you
>>>>>>>>>> intend to use symmetric key in prod you have to configure solr so that
>>>>>>>>>> security.json is not readable for anyone but the admin!
>>>>>>>>>>
>>>>>>>>>> Jan Høydahl
>>>>>>>>>>
>>>>>>>>>>> On 9 Sep 2019, at 05:46, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> HS256
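
Added example, not part of the thread and not Solr's or jjwt's code: a stand-alone Python illustration of HS256 signing and verification against an `oct` JWK, where RFC 7518 defines `k` as the base64url encoding of the key bytes. It shows that a token signed with the text of `k` rather than the decoded bytes is rejected with a signature error even though its claims are fine; `SAMPLE_JWK`, `mint` and `verify_hs256` are hypothetical names and the key is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # JWTs and JWKs drop the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_hs256(token: str, jwk: dict, audience: str, now=None) -> dict:
    """Hypothetical verifier: key bytes are base64url-decode(jwk['k'])."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != jwk["alg"]:
        raise ValueError("unexpected alg")
    key = b64url_decode(jwk["k"])
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("Signature invalid")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed 256-bit demo key; not one of the keys posted in the thread.
SAMPLE_JWK = {"kty": "oct", "kid": "demo", "alg": "HS256",
              "k": b64url(bytes(range(32)))}

def mint(key: bytes, ttl_seconds: int = 3600) -> str:
    exp = int(time.time()) + ttl_seconds
    return sign_hs256({"sub": "admin", "aud": "Solr", "exp": exp}, key)

GOOD = mint(b64url_decode(SAMPLE_JWK["k"]))  # decoded key bytes: verifies
BAD = mint(SAMPLE_JWK["k"].encode())         # text of "k" as key: rejected
```

When a signing library takes the secret as a string, check its documentation for how that string is turned into bytes (raw text, standard Base64 or base64url) and pass explicit key bytes where the API allows it.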