HS256 is symmetric, so signing with the shared key should be all you need. I don't see what you did wrong. Perhaps a space has sneaked in somewhere in the key or how you copy it is not pure ASCII? I'd encourage you to try evaluating the token you build in Java or JavaScript using the online tooling or in a local Java POC outside of Solr, and see if you can find the bug. Most of the testing inside of Solr uses public/private keys, but that should be transparent as long as the JWK object you use is correct.
--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 20 Sep 2019 at 04:16, Tyrone Tse <tyrone...@hotmail.com> wrote:
>
> I finally got JWT Authentication working on Solr 8.1.1.
> This is my security.json file contents
> {
>   "authentication":{
>     "class":"solr.JWTAuthPlugin",
>     "jwk":{
>       "kty":"oct",
>       "use":"sig",
>       "kid":"k1",
>       "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
>       "alg":"HS256"
>     },
>     "aud":"Solr"
>   },
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[
>       {
>         "name":"open_select",
>         "path":"/select/*",
>         "role":null
>       },
>       {
>         "name":"all-admin",
>         "collection":null,
>         "path":"/*",
>         "role":"admin"
>       },
>       {
>         "name":"update",
>         "role":"solr-update"
>       }
>     ],
>     "user-role":{
>       "admin":"solr-update"
>     }
>   }
> }
>
> I used the web site to generate the JWK key.
>
> So I am using the "k" value from the JWK to sign the JWT token.
>
> Initially, I used website
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
> to generate the JWT and sign it with the value
> xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ
>
> The header is
> {
>   "alg": "HS256",
>   "typ": "JWT"
> }
>
> and the payload is
>
> {
>   "sub": "admin",
>   "aud": "Solr",
>   "exp": 9916239022
> }
>
> This generates the JWT key of
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc
>
> So when I use this JWT token generated https://jwt.io/ JWT authentication
> is working, and I can authenticate as the user admin and Post data to the
> Solr collections/cores.
>
> Now we have decided to get the JWT token generated using Java before we
> authenticate as the user admin to Post data to Solr, and to have a
> calculated expiration date
>
> Here is the Java Snippet for generating the JWT token
>
> import io.jsonwebtoken.Jwts;
> import io.jsonwebtoken.SignatureAlgorithm;
> ...
> ...
> String key="xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
> Calendar cal =Calendar.getInstance();
> Date issueAt = cal.getTime();
> cal.add(Calendar.MINUTE,60);
> Date expDate = cal.getTime();
> String jws = Jwts.builder()
>     .setSubject("admin")
>     .setAudience("Solr")
>     .setExpiration(expDate)
>     .signWith(SignatureAlgorithm.HS256,key).compact();
> System.out.println(jws);
>
> This does not generate a valid JWT token, when I use it I am getting the
> error message
> <html>
>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
> <title>Error 401 Signature invalid</title>
> </head>
>
> <body>
> <h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/stores/update. Reason:
> <pre> Signature invalid</pre>
> </p>
> </body>
>
> </html>
>
> I tried generating the JWT token using JavaScript from this codepen
> https://codepen.io/tyrone-tse/pen/MWgzExB
>
> and it too generates an invalid JWT key.
>
> How come it works when the JWT is generated from
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
> On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <jan....@cominvent.com> wrote:
>
>> See answer in other thread. JWT works for 8.1 or later, don’t attempt it
>> in 7.x.
>>
>> You could try to turn on debug logging for org.apache.solr.security to get
>> more logging.
>>
>> Jan Høydahl
>>
>>> On 13 Sep 2019 at 00:24, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>
>>> Jan
>>>
>>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>>
>>> If my security.json file is
>>>
>>> {
>>>   "authentication": {
>>>     "class":"com.cominvent.solr.JWTAuthPlugin",
>>>     "jwk" : {
>>>       "kty": "oct",
>>>       "use": "sig",
>>>       "kid": "solr",
>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>       "alg": "HS256"
>>>     }
>>>   }
>>> }
>>>
>>> And my JWT token has the properties
>>>
>>> Header
>>> {
>>>   "alg": "HS256",
>>>   "typ": "JWT"
>>> }
>>>
>>> Payload
>>> {
>>>   "sub": "admin",
>>>   "name": "admin",
>>>   "iat": 1516239022
>>> }
>>>
>>> What other parameters do I need to add to the security.json file to
>>> secure Solr 7.2 ? I don't want anyone being able to access it without
>>> using
>>>
>>> curl -H "Authorization : Bearer <jwt-token>"
>>> http://localhost:8983/solr/admin/info
>>>
>>> Thanks Tyrone
>>>
>>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>
>>>> All I could see in the solr.log was ( could it be the java version ?)
>>>>
>>>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23, lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27, source=flush, os.version=10.12.6, timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>> 2019-09-10 19:16:02.312 WARN (qtp875016237-24) [ ] o.a.s.s.JWTAuthPlugin Authentication failed.
>>>>
>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <jan....@cominvent.com>
>>>> wrote:
>>>>
>>>>> Please check the error message in solr.log on the server side and paste
>>>>> that here. Could be a bug 🕷
>>>>>
>>>>> Jan Høydahl
>>>>>
>>>>>> On 10 Sep 2019 at 18:51, Tyrone Tse <tyrone...@hotmail.com> wrote:
>>>>>>
>>>>>> Jan using https://mkjwk.org/
>>>>>> I generated the following JWK
>>>>>>
>>>>>> {
>>>>>>   "kty": "oct",
>>>>>>   "use": "sig",
>>>>>>   "kid": "solr",
>>>>>>   "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>   "alg": "HS256"
>>>>>> }
>>>>>>
>>>>>> So I put the generated JWK into my solr server security.json file like
>>>>>> this
>>>>>>
>>>>>> {
>>>>>>   "authentication": {
>>>>>>     "class":"solr.JWTAuthPlugin",
>>>>>>     "blockUnknown": true,
>>>>>>     "jwk" : {
>>>>>>       "kty": "oct",
>>>>>>       "use": "sig",
>>>>>>       "kid": "solr",
>>>>>>       "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>       "alg": "HS256"
>>>>>>     }
>>>>>>   }
>>>>>> }
>>>>>>
>>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>>>> "k":
>>>>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>
>>>>>> for the secret key
>>>>>>
>>>>>> My JWT header
>>>>>> {
>>>>>>   "alg": "HS256",
>>>>>>   "typ": "JWT"
>>>>>> }
>>>>>>
>>>>>> Payload
>>>>>>
>>>>>> {
>>>>>>   "sub": "1234567890",
>>>>>>   "name": "John Doe",
>>>>>>   "iat": 1516239022
>>>>>> }
>>>>>>
>>>>>> Secret key
>>>>>>
>>>>>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>>
>>>>>> Which generates the following encoded JWT
>>>>>>
>>>>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>>
>>>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>>>> as follows
>>>>>>
>>>>>> curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
>>>>>> http://localhost:8983/solr/admin/info/system
>>>>>>
>>>>>> I get the error message
>>>>>>
>>>>>> <html>
>>>>>> <head>
>>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>> <title>Error 401 JWT validation failed</title>
>>>>>> </head>
>>>>>> <body><h2>HTTP ERROR 401</h2>
>>>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>> <pre> JWT validation failed</pre></p>
>>>>>> </body>
>>>>>> </html>
>>>>>>
>>>>>> Am I missing something in my security.json file ?
>>>>>>
>>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>
>>>>>>> I think you are confusing JWK with the JWT token. JWK is only for
>>>>>>> defining the key, see https://mkjwk.org for an online JWK generator,
>>>>>>> you can choose HS256 as algorithm. Put the generated JWK in Solr's
>>>>>>> config and also use the generated key to sign your JWT. Then Solr
>>>>>>> should be able to validate the JWT.
>>>>>>>
>>>>>>> --
>>>>>>> Jan Høydahl, search solution architect
>>>>>>> Cominvent AS - www.cominvent.com
>>>>>>>
>>>>>>>> On 10 Sep 2019 at 01:21, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Jan
>>>>>>>>
>>>>>>>> Can my jwk object be something like
>>>>>>>>
>>>>>>>> {"alg": "HS256", "typ": "JWT",
>>>>>>>>
>>>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>>>
>>>>>>>> "k" : "secret-key"}
>>>>>>>>
>>>>>>>> Where k is the JWT secret key?
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>>>
>>>>>>>>> In your security.json, add a JWK matching your signing algorithm,
>>>>>>>>> using the “jwk” JSON key.
>>>>>>>>>
>>>>>>>>> Example:
>>>>>>>>> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>>
>>>>>>>>> Of course you need to find a way to encode your particular secret in
>>>>>>>>> jwk format, there should be plenty of tools available for that. If you
>>>>>>>>> intend to use symmetric key in prod you have to configure solr so that
>>>>>>>>> security.json is not readable for anyone but the admin!
>>>>>>>>>
>>>>>>>>> Jan Høydahl
>>>>>>>>>
>>>>>>>>>> On 9 Sep 2019 at 05:46, Tyrone <tyrone....@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> HS256
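
Added example (not part of the thread, and not Solr's or jjwt's code): per RFC 7518, the "k" member of an "oct" JWK is the base64url encoding of the key bytes, so a signer that uses the characters of "k" as the secret computes a different HMAC than a verifier that decodes it. The JavaScript below signs the thread's header and payload both ways with the example JWK quoted in the thread and checks each token the way a JWK-based verifier would; the function names are illustrative.

```javascript
// Added example: HS256 signing with two readings of a JWK "k" value.
// Function names are illustrative; only Node's built-in crypto module is used.
const crypto = require('crypto');

// base64url (RFC 4648 section 5), unpadded, as used by JWT segments and JWK "k".
const b64urlEncode = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Build header.payload.signature, signing with exactly the key bytes given.
function signHs256(header, payload, keyBytes) {
  const input = [header, payload]
    .map((part) => b64urlEncode(Buffer.from(JSON.stringify(part), 'utf8')))
    .join('.');
  const sig = crypto.createHmac('sha256', keyBytes).update(input).digest();
  return `${input}.${b64urlEncode(sig)}`;
}

// Verify as a JWK-based verifier does: the HMAC key is base64url-decoded "k".
function verifyWithJwk(token, jwk) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const expected = crypto.createHmac('sha256', b64urlDecode(jwk.k))
    .update(`${parts[0]}.${parts[1]}`).digest();
  const actual = b64urlDecode(parts[2]);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Example JWK quoted in the thread; header and payload as posted for the jwt.io token.
const jwk = { kty: 'oct', kid: '0afee142-a0af-4410-abcc-9f2d44ff45b5',
              alg: 'HS256', k: 'FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ' };
const header = { alg: 'HS256', typ: 'JWT' };
const payload = { sub: 'admin', aud: 'Solr', exp: 9916239022 };

const decodedKey = b64urlDecode(jwk.k);          // 32 bytes: the key the JWK describes
const rawTextKey = Buffer.from(jwk.k, 'ascii');  // 43 bytes: the characters of "k" themselves

const tokenDecoded = signHs256(header, payload, decodedKey);
const tokenRawText = signHs256(header, payload, rawTextKey);

console.log('key lengths:', decodedKey.length, rawTextKey.length);
console.log('signed with decoded k ->', verifyWithJwk(tokenDecoded, jwk));
console.log('signed with k as text ->', verifyWithJwk(tokenRawText, jwk));
```

When a token is rejected with "Signature invalid" although both sides hold the same "k" string, comparing the key byte lengths each side actually feeds to HMAC is a quick way to spot an encoding mismatch.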