Sample JWT Solr configuration

Sample JWT Solr configuration

Tyrone
I have Solr 8.1 installed, and I have this sample JWT

HEADER:ALGORITHM & TOKEN TYPE

{ "alg": "HS256", "typ": "JWT" }

PAYLOAD:DATA

{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

The secret key is "your-256-bit-secret"

Which generates the encoded JWT of

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

I am following the documentation for Solr 8.1 about how to configure JWT authentication

https://lucene.apache.org/solr/guide/8_1/jwt-authentication-plugin.html#editing-jwt-authentication-plugin-configuration

Which says that the security.json file will have the following JSON object

{ "authentication": { "class":"solr.JWTAuthPlugin" } }

Which can have a lot more fields like jwk

Can someone show me an example of how the information for the JWT, e.g.

HEADER:ALGORITHM & TOKEN TYPE

{ "alg": "HS256", "typ": "JWT" }

PAYLOAD:DATA

{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

can be put into this object, and what field it should use

{ "authentication": { "class":"solr.JWTAuthPlugin" } }

Sent from my iPhone

Re: Sample JWT Solr configuration

Jan Høydahl / Cominvent
In your security.json, add a JWK matching your signing algorithm, using the “jwk” JSON key.

Example:
"jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }

Of course you need to find a way to encode your particular secret in JWK format; there should be plenty of tools available for that. If you intend to use a symmetric key in prod, you have to configure Solr so that security.json is not readable by anyone but the admin!

Jan Høydahl

> On 9 Sep 2019, at 05:46, Tyrone <[hidden email]> wrote:
>
> HS256

Re: Sample JWT Solr configuration

Tyrone
Jan

Can my jwk object be something like

{"alg": "HS256", "typ": "JWT",

"sub": "1234567890", "name": "John Doe", "iat": 1516239022,

"k" : "secret-key"}

Where k is the JWT secret key?


Sent from my iPhone

> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <[hidden email]> wrote:
>
> In your security.json, add a JWK matching your signing algorithm, using the “jwk” JSON key.
>
> Example:
> "jwk" : { "kty" : "oct", "kid" : "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" : "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>
> Of course you need to find a way to encode your particular secret in JWK format; there should be plenty of tools available for that. If you intend to use a symmetric key in prod, you have to configure Solr so that security.json is not readable by anyone but the admin!
>
> Jan Høydahl

Re: Sample JWT Solr configuration

Jan Høydahl / Cominvent
I think you are confusing JWK with the JWT token. JWK is only for defining the key, see https://mkjwk.org for an online JWK generator, you can choose HS256 as algorithm. Put the generated JWK in Solr's config and also use the generated key to sign your JWT. Then Solr should be able to validate the JWT.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 10 Sep 2019, at 01:21, Tyrone <[hidden email]> wrote:
>
> Jan
>
> Can my jwk object be something like
>
> {"alg": "HS256", "typ": "JWT",
>
> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>
> "k" : "secret-key"}
>
> Where k is the JWT secret key?
>
>
> Sent from my iPhone
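
An added example, not code from the thread or from Solr: standard-library Python that wraps a shared secret as the "oct" JWK that goes under the "jwk" key, then signs and verifies HS256 tokens with it. It relies on the JWK "k" member being the base64url encoding of the raw key bytes (RFC 7518), so a signer has to use the decoded bytes; the function names are hypothetical, and the secret, token and JWK constants are the ones quoted in the thread.

```python
import base64
import hashlib
import hmac
import json

# Values quoted in the thread; everything else here is illustrative.
PAGE_SECRET = b"your-256-bit-secret"
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
REPLY_JWK = {
    "kty": "oct",
    "kid": "0afee142-a0af-4410-abcc-9f2d44ff45b5",
    "alg": "HS256",
    "k": "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ",
}


def b64url_encode(raw):
    """Base64url without padding, as used by JWS and JWK."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode: restore the stripped '=' padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def secret_to_jwk(secret, kid):
    """Wrap raw HMAC key bytes as a symmetric ("oct") JWK for HS256."""
    return {"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url_encode(secret)}


def jwk_key_bytes(jwk):
    """The HMAC key is the decoded "k", never the base64url text itself."""
    if jwk.get("kty") != "oct":
        raise ValueError("not a symmetric JWK")
    return b64url_decode(jwk["k"])


def key_bits(jwk):
    """Key length in bits; RFC 7518 section 3.2 requires >= 256 for HS256."""
    return 8 * len(jwk_key_bytes(jwk))


def sign_hs256(claims, key):
    """Build a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, jwk):
    """Return the claims if the signature matches the JWK, else raise ValueError."""
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256" or jwk.get("alg") != "HS256":
        raise ValueError("only HS256 is accepted")
    signing_input = (head_b64 + "." + body_b64).encode("ascii")
    expected = hmac.new(jwk_key_bytes(jwk), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match the configured key")
    return json.loads(b64url_decode(body_b64))


def is_valid(token, jwk):
    """Boolean wrapper around verify_hs256."""
    try:
        verify_hs256(token, jwk)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The sample secret from the first post, expressed as a JWK.
    jwk = secret_to_jwk(PAGE_SECRET, kid="solr")
    print(json.dumps(jwk, indent=2))
    print("sample token verifies:", is_valid(PAGE_TOKEN, jwk))
    print("sample key length:", key_bits(jwk), "bits (below the 256-bit minimum)")

    # Signing with the decoded key bytes verifies; signing with the
    # base64url text of "k" used as if it were the key does not.
    claims = {"sub": "solr-user", "iat": 1516239022}  # constructed claims
    good = sign_hs256(claims, jwk_key_bytes(REPLY_JWK))
    bad = sign_hs256(claims, REPLY_JWK["k"].encode("ascii"))
    print("decoded key:", is_valid(good, REPLY_JWK))
    print("raw k text :", is_valid(bad, REPLY_JWK))
```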

Re: Sample JWT Solr configuration

Tyrone Tse
Jan, using https://mkjwk.org/
I generated the following JWK

{
  "kty": "oct",
  "use": "sig",
  "kid": "solr",
  "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
  "alg": "HS256"
}

So I put the generated JWK into my solr server security.json file like this

{
  "authentication": {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": true,
    "jwk": {
      "kty": "oct",
      "use": "sig",
      "kid": "solr",
      "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
      "alg": "HS256"
    }
  }
}

Then I went to https://jwt.io/ to generate the JWT using the value of
"k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",

for the secret key

My JWT header
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Secret key
pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ

Which generates the following encoded JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44


So I then tried to use the JWT encoded value in a curl command to Solr as follows

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" \
  http://localhost:8983/solr/admin/info/system

I get the error message

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 JWT validation failed</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/info/system. Reason:
<pre>    JWT validation failed</pre></p>
</body>
</html>


Am I missing something in my security.json file?

On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <[hidden email]> wrote:

> I think you are confusing JWK with the JWT token. JWK is only for defining
> the key, see https://mkjwk.org for an online JWK generator, you can
> choose HS256 as algorithm. Put the generated JWK in Solr's config and also
> use the generated key to sign your JWT. Then Solr should be able to
> validate the JWT.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com

Re: Sample JWT Solr configuration

Jan Høydahl / Cominvent
Please check the error message in solr.log on the server side and paste that here. Could be a bug 🕷

Jan Høydahl

> On 10 Sep 2019, at 18:51, Tyrone Tse <[hidden email]> wrote:
>
> Jan using https://mkjwk.org/
> I generated the following JWK
>
> {
>
>  "kty": "oct",
>  "use": "sig",
>  "kid": "solr",
>  "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>  "alg": "HS256"
> }
>
> So I put the generated JWK into my solr server security.json file like this
>
> {
>  "authentication": {
>    "class":"solr.JWTAuthPlugin",
>    "blockUnknown": true,
>    "jwk" : {
>          "kty": "oct",
>          "use": "sig",
>          "kid": "solr",
>          "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>          "alg": "HS256"
>        }
>  }
> }
>
> Then I went to https://jwt.io/ to generate the JWT using the value of
> "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>
> for the secret key
>
> My JWT header
> {
>  "alg": "HS256",
>  "typ": "JWT"
> }
>
> Payload
>
> {
>  "sub": "1234567890",
>  "name": "John Doe",
>  "iat": 1516239022
> }
>
> Secret key
> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>
> Which generates the following encoded JWT
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>
>
> So I then tried to use the JWT encoded value in a curl command to Solr
> as follows
>
> curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" \
>   http://localhost:8983/solr/admin/info/system
>
> I get the error message
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 JWT validation failed</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/admin/info/system. Reason:
> <pre>    JWT validation failed</pre></p>
> </body>
> </html>
>
>
> Am I missing something in my security.json file ?

Re: Sample JWT Solr configuration

Tyrone Tse
All I could see in the solr.log was (could it be the Java version?)

main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23, lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27, source=flush, os.version=10.12.6, timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ] o.a.s.s.JWTAuthPlugin Authentication failed.

On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <[hidden email]> wrote:

> Please check the error message in solr.log on the server side and paste
> that here. Could be a bug 🕷
>
> Jan Høydahl

Re: Sample JWT Solr configuration

Tyrone Tse
Jan

I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt

If my security.json file is

{
  "authentication": {
    "class": "com.cominvent.solr.JWTAuthPlugin",
    "jwk": {
      "kty": "oct",
      "use": "sig",
      "kid": "solr",
      "k": "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
      "alg": "HS256"
    }
  }
}

And my JWT token has the properties

Header
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload
{
  "sub": "admin",
  "name": "admin",
  "iat": 1516239022
}

What other parameters do I need to add to the security.json file to secure Solr 7.2? I don't want anyone being able to access it without using

curl -H "Authorization: Bearer <jwt-token>" \
  http://localhost:8983/solr/admin/info



Thanks Tyrone



On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <[hidden email]> wrote:

> All I could see in the solr.log was ( could it be the java version ?)
>
> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle
> Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23,
> lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27,
> source=flush, os.version=10.12.6,
> timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
> 2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ]
> o.a.s.s.JWTAuthPlugin Authentication failed.

Re: Sample JWT Solr configuration

Jan Høydahl / Cominvent
See answer in other thread. JWT works for 8.1 or later, don’t attempt it in 7.x.

You could try to turn on debug logging for org.apache.solr.security to get more logging.

Jan Høydahl

> On 13 Sep 2019, at 00:24, Tyrone Tse <[hidden email]> wrote:
>
> Jan
>
> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>
> If my security.json file is
>
> {
>  "authentication": {
>    "class":"com.cominvent.solr.JWTAuthPlugin",
>        "jwk" : {
>                "kty": "oct",
>                "use": "sig",
>                "kid": "solr",
>                "k":
> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>                "alg": "HS256"
>                }
>  }
> }
>
> And my JWT token has the properties
>
> Header
> {
>  "alg": "HS256",
>  "typ": "JWT"
> }
>
> Payload
> {
>  "sub": "admin",
>  "name": "admin",
>  "iat": 1516239022
> }
>
> What other parameters do I need to add to the security.json file to secure Solr 7.2? I don't want anyone being able to access it without using
>
> curl -H "Authorization: Bearer <jwt-token>" \
>   http://localhost:8983/solr/admin/info
>
>
>
> Thanks Tyrone
>
>
>
>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <[hidden email]> wrote:
>>
>> All I could see in the solr.log was ( could it be the java version ?)
>>
>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle
>> Corporation, os=Mac OS X, java.version=1.8.0_60, java.vm.version=25.60-b23,
>> lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27,
>> source=flush, os.version=10.12.6,
>> timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>> 2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ]
>> o.a.s.s.JWTAuthPlugin Authentication failed.
>>
>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <[hidden email]>
>> wrote:
>>
>>> Please check the error message in solr.log on the server side and paste
>>> that here. Could be a bug 🕷
>>>
>>> Jan Høydahl
>>>
>>>> 10. sep. 2019 kl. 18:51 skrev Tyrone Tse <[hidden email]>:
>>>>
>>>> Jan using https://mkjwk.org/
>>>> I generated the following JWK
>>>>
>>>> {
>>>>
>>>> "kty": "oct",
>>>> "use": "sig",
>>>> "kid": "solr",
>>>> "k":
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>> "alg": "HS256"
>>>> }
>>>>
>>>> So I put the generated JWK into my solr server security.json file like
>>> this
>>>>
>>>> {
>>>> "authentication": {
>>>>   "class":"solr.JWTAuthPlugin",
>>>>   "blockUnknown": true,
>>>>   "jwk" : {
>>>>         "kty": "oct",
>>>>         "use": "sig",
>>>>         "kid": "solr",
>>>>         "k":
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>         "alg": "HS256"
>>>>       }
>>>> }
>>>> }
>>>>
>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>> "k":
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>
>>>> for the secret key
>>>>
>>>> My JWT header
>>>> {
>>>> "alg": "HS256",
>>>> "typ": "JWT"
>>>> }
>>>>
>>>> Payload
>>>>
>>>> {
>>>> "sub": "1234567890",
>>>> "name": "John Doe",
>>>> "iat": 1516239022
>>>> }
>>>>
>>>> Secret key
>>>>
>>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>
>>>> Which generates the following encoded JWT
>>>>
>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>
>>>>
>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>> as follows
>>>>
>>>> curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44" http://localhost:8983/solr/admin/info/system
>>>>
>>>> I get the error message
>>>>
>>>> <html>
>>>> <head>
>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>> <title>Error 401 JWT validation failed</title>
>>>> </head>
>>>> <body><h2>HTTP ERROR 401</h2>
>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>> <pre>    JWT validation failed</pre></p>
>>>> </body>
>>>> </html>
>>>>
>>>>
>>>> Am I missing something in my security.json file ?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <[hidden email]>
>>> wrote:
>>>>>
>>>>> I think you are confusing JWK with the JWT token. JWK is only for
>>> defining
>>>>> the key, see https://mkjwk.org for an online JWK generator, you can
>>>>> choose HS256 as algorithm. Put the generated JWK in Solr's config and
>>> also
>>>>> use the generated key to sign your JWT. Then Solr should be able to
>>>>> validate the JWT.
>>>>>
>>>>> --
>>>>> Jan Høydahl, search solution architect
>>>>> Cominvent AS - www.cominvent.com
>>>>>
>>>>>> 10. sep. 2019 kl. 01:21 skrev Tyrone <[hidden email]>:
>>>>>>
>>>>>> Jan
>>>>>>
>>>>>> Can my jwk object be something like
>>>>>>
>>>>>> {alg": "HS256", "typ": "JWT",
>>>>>>
>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>
>>>>>> “k" : "secret-key"}
>>>>>>
>>>>>> Where k is the JWT secret key?
>>>>>>
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <[hidden email]>
>>> wrote:
>>>>>>>
>>>>>>> In your security.json, add a JWK matching your signing algorithm,
>>> using
>>>>> the “jwk” JSON key.
>>>>>>>
>>>>>>> Example:
>>>>>>> “jwk” : { "kty" : "oct", "kid" :
>>>>> "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" :
>>>>> "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>
>>>>>>> Of course you need to find a way to encode your particular secret in
>>>>> jwk format, there should be plenty of tools available for that. If you
>>>>> intend to use symmetric key in prod you have to configure solr so that
>>>>> security.json is not readable for anyone but the admin!
>>>>>>>
>>>>>>> Jan Høydahl
>>>>>>>
>>>>>>>> 9. sep. 2019 kl. 05:46 skrev Tyrone <[hidden email]>:
>>>>>>>>
>>>>>>>> HS256
>>>>>
>>>>>
>>>
>>

Re: Sample JWT Solr configuration

Tyrone Tse
I finally got JWT Authentication working on Solr 8.1.1.
This is my security.json file contents
{
   "authentication":{
      "class":"solr.JWTAuthPlugin",
      "jwk":{
         "kty":"oct",
         "use":"sig",
         "kid":"k1",
         "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
         "alg":"HS256"
      },
      "aud":"Solr"
   },
   "authorization":{
      "class":"solr.RuleBasedAuthorizationPlugin",
      "permissions":[
         {
            "name":"open_select",
            "path":"/select/*",
            "role":null
         },
         {
            "name":"all-admin",
            "collection":null,
            "path":"/*",
            "role":"admin"
         },
         {
            "name":"update",
            "role":"solr-update"
         }
      ],
      "user-role":{
         "admin":"solr-update"
      }
   }
}

I used the web site to generate the JWK key.

So I am using the "k" value from the JWK to sign the JWT token.

Initially, I used website
https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ

to generate the JWT and sign it with the value
xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ

The header is
{
  "alg": "HS256",
  "typ": "JWT"
}

and the payload is

{
  "sub": "admin",
  "aud": "Solr",
  "exp": 9916239022
}

This generates the JWT key of
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc

So when I use this JWT token generated by https://jwt.io/, JWT authentication
is working, and I can authenticate as the user admin and Post data to the
Solr collections/cores.

Now we have decided to get the JWT token generated using Java before we
authenticate as the user admin to Post data to Solr, and to have a
calculated expiration date

Here is the Java Snippet for generating the JWT token

import java.util.Calendar;
import java.util.Date;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
...
...
            // The "k" value from the JWK, handed to jjwt as a String
            String key = "xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
            Calendar cal = Calendar.getInstance();
            Date issueAt = cal.getTime();
            cal.add(Calendar.MINUTE, 60);   // expiry is 60 minutes from now
            Date expDate = cal.getTime();
            String jws = Jwts.builder()
                .setSubject("admin")
                .setAudience("Solr")
                .setExpiration(expDate)
                .signWith(SignatureAlgorithm.HS256, key).compact();
            System.out.println(jws);

This does not generate a valid JWT token; when I use it I am getting the
error message
<html>

<head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <title>Error 401 Signature invalid</title>
</head>

<body>
    <h2>HTTP ERROR 401</h2>
    <p>Problem accessing /solr/stores/update. Reason:
        <pre> Signature invalid</pre>
    </p>
</body>

</html>

I tried generating the JWT token using JavaScript from this codepen
https://codepen.io/tyrone-tse/pen/MWgzExB

and it too generates an invalid JWT key.

How come it works when the JWT is generated from
https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ







On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <[hidden email]> wrote:

> See answer in other thread. JWT works for 8.1 or later, don’t attempt it
> in 7.x.
>
> You could try to turn on debug logging for org.apache.solr.security to get
> more logging.
>
> Jan Høydahl
>
> > 13. sep. 2019 kl. 00:24 skrev Tyrone Tse <[hidden email]>:
> >
> > Jan
> >
> > I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
> >
> > If my security.json file is
> >
> > {
> >  "authentication": {
> >    "class":"com.cominvent.solr.JWTAuthPlugin",
> >        "jwk" : {
> >                "kty": "oct",
> >                "use": "sig",
> >                "kid": "solr",
> >                "k":
> >
> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
> >                "alg": "HS256"
> >                }
> >  }
> > }
> >
> > And my JWT token has the properties
> >
> > Header
> > {
> >  "alg": "HS256",
> >  "typ": "JWT"
> > }
> >
> > Payload
> > {
> >  "sub": "admin",
> >  "name": "admin",
> >  "iat": 1516239022
> > }
> >
> > What other parameters do I need to add to the security.json file to
> > secure Solr 7.2? I don't want anyone being able to access it without using
> >
> > curl -H "Authorization : Bearer <jwt-token>"
> > http://localhost:8983/solr/admin/info
> >
> >
> >
> > Thanks Tyrone
> >
> >
> >
> >> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <[hidden email]>
> wrote:
> >>
> >> All I could see in the solr.log was ( could it be the java version ?)
> >>
> >>
> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle
> >> Corporation, os=Mac OS X, java.version=1.8.0_60,
> java.vm.version=25.60-b23,
> >> lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27,
> >> source=flush, os.version=10.12.6,
> >>
> timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
> >> 2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ]
> >> o.a.s.s.JWTAuthPlugin Authentication failed.
> >>
> >> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <[hidden email]>
> >> wrote:
> >>
> >>> Please check the error message in solr.log on the server side and paste
> >>> that here. Could be a bug 🕷
> >>>
> >>> Jan Høydahl
> >>>
> >>>> 10. sep. 2019 kl. 18:51 skrev Tyrone Tse <[hidden email]>:
> >>>>
> >>>> Jan using https://mkjwk.org/
> >>>> I generated the following JWK
> >>>>
> >>>> {
> >>>>
> >>>> "kty": "oct",
> >>>> "use": "sig",
> >>>> "kid": "solr",
> >>>> "k":
> >>>
> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
> >>>> "alg": "HS256"
> >>>> }
> >>>>
> >>>> So I put the generated JWK into my solr server security.json file like
> >>> this
> >>>>
> >>>> {
> >>>> "authentication": {
> >>>>   "class":"solr.JWTAuthPlugin",
> >>>>   "blockUnknown": true,
> >>>>   "jwk" : {
> >>>>         "kty": "oct",
> >>>>         "use": "sig",
> >>>>         "kid": "solr",
> >>>>         "k":
> >>>
> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
> >>>>         "alg": "HS256"
> >>>>       }
> >>>> }
> >>>> }
> >>>>
> >>>> Then I went to https://jwt.io/ to generate the JWT using the value of
> >>>> "k":
> >>>
> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
> >>>>
> >>>> for the secret key
> >>>>
> >>>> My JWT header
> >>>> {
> >>>> "alg": "HS256",
> >>>> "typ": "JWT"
> >>>> }
> >>>>
> >>>> Payload
> >>>>
> >>>> {
> >>>> "sub": "1234567890",
> >>>> "name": "John Doe",
> >>>> "iat": 1516239022
> >>>> }
> >>>>
> >>>> Secret key
> >>>>
> >>>
> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
> >>>>
> >>>> Which generates the following encoded JWT
> >>>>
> >>>
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
> >>>>
> >>>>
> >>>> So I then tried to use the JWT encoded value in a curl command to Solr
> >>>> as follows
> >>>>
> >>>> curl -H "Authorization: Bearer
> >>>>
> >>>
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
> >>>> http://localhost:8983/solr/admin/info/system
> >>>>
> >>>> I get the error message
> >>>>
> >>>> <html>
> >>>> <head>
> >>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> >>>> <title>Error 401 JWT validation failed</title>
> >>>> </head>
> >>>> <body><h2>HTTP ERROR 401</h2>
> >>>> <p>Problem accessing /solr/admin/info/system. Reason:
> >>>> <pre>    JWT validation failed</pre></p>
> >>>> </body>
> >>>> </html>
> >>>>
> >>>>
> >>>> Am I missing something in my security.json file ?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <[hidden email]>
> >>> wrote:
> >>>>>
> >>>>> I think you are confusing JWK with the JWT token. JWK is only for
> >>> defining
> >>>>> the key, see https://mkjwk.org for an online JWK generator, you can
> >>>>> choose HS256 as algorithm. Put the generated JWK in Solr's config and
> >>> also
> >>>>> use the generated key to sign your JWT. Then Solr should be able to
> >>>>> validate the JWT.
> >>>>>
> >>>>> --
> >>>>> Jan Høydahl, search solution architect
> >>>>> Cominvent AS - www.cominvent.com
> >>>>>
> >>>>>> 10. sep. 2019 kl. 01:21 skrev Tyrone <[hidden email]>:
> >>>>>>
> >>>>>> Jan
> >>>>>>
> >>>>>> Can my jwk object be something like
> >>>>>>
> >>>>>> {alg": "HS256", "typ": "JWT",
> >>>>>>
> >>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
> >>>>>>
> >>>>>> “k" : "secret-key"}
> >>>>>>
> >>>>>> Where k is the JWT secret key?
> >>>>>>
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <[hidden email]>
> >>> wrote:
> >>>>>>>
> >>>>>>> In your security.json, add a JWK matching your signing algorithm,
> >>> using
> >>>>> the “jwk” JSON key.
> >>>>>>>
> >>>>>>> Example:
> >>>>>>> “jwk” : { "kty" : "oct", "kid" :
> >>>>> "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" :
> >>>>> "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
> >>>>>>>
> >>>>>>> Of course you need to find a way to encode your particular secret
> in
> >>>>> jwk format, there should be plenty of tools available for that. If
> you
> >>>>> intend to use symmetric key in prod you have to configure solr so
> that
> >>>>> security.json is not readable for anyone but the admin!
> >>>>>>>
> >>>>>>> Jan Høydahl
> >>>>>>>
> >>>>>>>> 9. sep. 2019 kl. 05:46 skrev Tyrone <[hidden email]>:
> >>>>>>>>
> >>>>>>>> HS256
> >>>>>
> >>>>>
> >>>
> >>
>

Re: Sample JWT Solr configuration

David Hastings
I know this has nothing to do with the issue at hand but if you have a public facing solr instance you have much bigger issues.  

> On Sep 19, 2019, at 10:16 PM, Tyrone Tse <[hidden email]> wrote:
>
> I finally got JWT Authentication working on Solr 8.1.1.
> This is my security.json file contents
> {
>   "authentication":{
>      "class":"solr.JWTAuthPlugin",
>      "jwk":{
>         "kty":"oct",
>         "use":"sig",
>         "kid":"k1",
>
> "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
>         "alg":"HS256"
>      },
>      "aud":"Solr"
>   },
>   "authorization":{
>      "class":"solr.RuleBasedAuthorizationPlugin",
>      "permissions":[
>         {
>            "name":"open_select",
>            "path":"/select/*",
>            "role":null
>         },
>         {
>            "name":"all-admin",
>            "collection":null,
>            "path":"/*",
>            "role":"admin"
>         },
>         {
>            "name":"update",
>            "role":"solr-update"
>         }
>      ],
>      "user-role":{
>         "admin":"solr-update"
>      }
>   }
> }
>
> I used the web site to generate the JWK key.
>
> So I am using the "k" value from the JWK to sign the JWT token.
>
> Initially, I used website
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
> to generate the JWT and sign it with the value
> xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ
>
> The header is
> {
>  "alg": "HS256",
>  "typ": "JWT"
> }
>
> and the payload is
>
> {
>  "sub": "admin",
>  "aud": "Solr",
>  "exp": 9916239022
> }
>
> This generates the JWT key of
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc
>
> So when I use this JWT token generated https://jwt.io/  JWT authentication
> is working, and I can authenticate as the user admin and Post data to the
> Solr collections/cores.
>
> Now we have decided to get the JWT token generated using Java before we
> authenticate as the user admin to Post data to Solr, and to have a
> calculated expiration date
>
> Here is the Java Snippet for generating the JWT token
>
> import io.jsonwebtoken.Jwts;
> import io.jsonwebtoken.SignatureAlgorithm;
> ...
> ...
>            String
> key="xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
>            Calendar cal =Calendar.getInstance();
>            Date issueAt = cal.getTime();
>            cal.add(Calendar.MINUTE,60);
>            Date expDate = cal.getTime();
>            String jws = Jwts.builder().
>                setSubject("admin")
>                .setAudience("Solr")
>                .setExpiration(expDate)
>                .signWith(SignatureAlgorithm.HS256,key).compact();
>            System.out.println(jws);
>
> This does not generate a valid JWT token, when I use it I am getting the
> error message
> <html>
>
> <head>
>    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
>    <title>Error 401 Signature invalid</title>
> </head>
>
> <body>
>    <h2>HTTP ERROR 401</h2>
>    <p>Problem accessing /solr/stores/update. Reason:
>        <pre> Signature invalid</pre>
>    </p>
> </body>
>
> </html>
>
> I tried generating the JWT token using JavaScript from this codepen
> https://codepen.io/tyrone-tse/pen/MWgzExB
>
> and it too generates an invalid JWT key.
>
> How come it works when the JWT is generated from
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
>
>
>
>
>
>
>> On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <[hidden email]> wrote:
>>
>> See answer in other thread. JWT works for 8.1 or later, don’t attempt it
>> in 7.x.
>>
>> You could try to turn on debug logging for org.apache.solr.security to get
>> more logging.
>>
>> Jan Høydahl
>>
>>> 13. sep. 2019 kl. 00:24 skrev Tyrone Tse <[hidden email]>:
>>>
>>> Jan
>>>
>>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>>
>>> If my security.json file is
>>>
>>> {
>>> "authentication": {
>>>   "class":"com.cominvent.solr.JWTAuthPlugin",
>>>       "jwk" : {
>>>               "kty": "oct",
>>>               "use": "sig",
>>>               "kid": "solr",
>>>               "k":
>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>               "alg": "HS256"
>>>               }
>>> }
>>> }
>>>
>>> And my JWT token has the properties
>>>
>>> Header
>>> {
>>> "alg": "HS256",
>>> "typ": "JWT"
>>> }
>>>
>>> Payload
>>> {
>>> "sub": "admin",
>>> "name": "admin",
>>> "iat": 1516239022
>>> }
>>>
>>> What other parameters do I need to add to the security.json file to
>>> secure Solr 7.2? I don't want anyone being able to access it without using
>>>
>>> curl -H "Authorization : Bearer <jwt-token>"
>>> http://localhost:8983/solr/admin/info
>>>
>>>
>>>
>>> Thanks Tyrone
>>>
>>>
>>>
>>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <[hidden email]>
>> wrote:
>>>>
>>>> All I could see in the solr.log was ( could it be the java version ?)
>>>>
>>>>
>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle
>>>> Corporation, os=Mac OS X, java.version=1.8.0_60,
>> java.vm.version=25.60-b23,
>>>> lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27,
>>>> source=flush, os.version=10.12.6,
>>>>
>> timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>> 2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ]
>>>> o.a.s.s.JWTAuthPlugin Authentication failed.
>>>>
>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <[hidden email]>
>>>> wrote:
>>>>
>>>>> Please check the error message in solr.log on the server side and paste
>>>>> that here. Could be a bug 🕷
>>>>>
>>>>> Jan Høydahl
>>>>>
>>>>>> 10. sep. 2019 kl. 18:51 skrev Tyrone Tse <[hidden email]>:
>>>>>>
>>>>>> Jan using https://mkjwk.org/
>>>>>> I generated the following JWK
>>>>>>
>>>>>> {
>>>>>>
>>>>>> "kty": "oct",
>>>>>> "use": "sig",
>>>>>> "kid": "solr",
>>>>>> "k":
>>>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>> "alg": "HS256"
>>>>>> }
>>>>>>
>>>>>> So I put the generated JWK into my solr server security.json file like
>>>>> this
>>>>>>
>>>>>> {
>>>>>> "authentication": {
>>>>>>  "class":"solr.JWTAuthPlugin",
>>>>>>  "blockUnknown": true,
>>>>>>  "jwk" : {
>>>>>>        "kty": "oct",
>>>>>>        "use": "sig",
>>>>>>        "kid": "solr",
>>>>>>        "k":
>>>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>        "alg": "HS256"
>>>>>>      }
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>>>> "k":
>>>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>
>>>>>> for the secret key
>>>>>>
>>>>>> My JWT header
>>>>>> {
>>>>>> "alg": "HS256",
>>>>>> "typ": "JWT"
>>>>>> }
>>>>>>
>>>>>> Payload
>>>>>>
>>>>>> {
>>>>>> "sub": "1234567890",
>>>>>> "name": "John Doe",
>>>>>> "iat": 1516239022
>>>>>> }
>>>>>>
>>>>>> Secret key
>>>>>>
>>>>>
>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>>
>>>>>> Which generates the following encoded JWT
>>>>>>
>>>>>
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>>
>>>>>>
>>>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>>>> as follows
>>>>>>
>>>>>> curl -H "Authorization: Bearer
>>>>>>
>>>>>
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
>>>>>> http://localhost:8983/solr/admin/info/system
>>>>>>
>>>>>> I get the error message
>>>>>>
>>>>>> <html>
>>>>>> <head>
>>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>> <title>Error 401 JWT validation failed</title>
>>>>>> </head>
>>>>>> <body><h2>HTTP ERROR 401</h2>
>>>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>> <pre>    JWT validation failed</pre></p>
>>>>>> </body>
>>>>>> </html>
>>>>>>
>>>>>>
>>>>>> Am I missing something in my security.json file ?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <[hidden email]>
>>>>> wrote:
>>>>>>>
>>>>>>> I think you are confusing JWK with the JWT token. JWK is only for
>>>>> defining
>>>>>>> the key, see https://mkjwk.org for an online JWK generator, you can
>>>>>>> choose HS256 as algorithm. Put the generated JWK in Solr's config and
>>>>> also
>>>>>>> use the generated key to sign your JWT. Then Solr should be able to
>>>>>>> validate the JWT.
>>>>>>>
>>>>>>> --
>>>>>>> Jan Høydahl, search solution architect
>>>>>>> Cominvent AS - www.cominvent.com
>>>>>>>
>>>>>>>> 10. sep. 2019 kl. 01:21 skrev Tyrone <[hidden email]>:
>>>>>>>>
>>>>>>>> Jan
>>>>>>>>
>>>>>>>> Can my jwk object be something like
>>>>>>>>
>>>>>>>> {alg": "HS256", "typ": "JWT",
>>>>>>>>
>>>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>>>
>>>>>>>> “k" : "secret-key"}
>>>>>>>>
>>>>>>>> Where k is the JWT secret key?
>>>>>>>>
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <[hidden email]>
>>>>> wrote:
>>>>>>>>>
>>>>>>>>> In your security.json, add a JWK matching your signing algorithm,
>>>>> using
>>>>>>> the “jwk” JSON key.
>>>>>>>>>
>>>>>>>>> Example:
>>>>>>>>> “jwk” : { "kty" : "oct", "kid" :
>>>>>>> "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" :
>>>>>>> "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>>
>>>>>>>>> Of course you need to find a way to encode your particular secret
>> in
>>>>>>> jwk format, there should be plenty of tools available for that. If
>> you
>>>>>>> intend to use symmetric key in prod you have to configure solr so
>> that
>>>>>>> security.json is not readable for anyone but the admin!
>>>>>>>>>
>>>>>>>>> Jan Høydahl
>>>>>>>>>
>>>>>>>>>> 9. sep. 2019 kl. 05:46 skrev Tyrone <[hidden email]>:
>>>>>>>>>>
>>>>>>>>>> HS256
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>

Re: Sample JWT Solr configuration

Tyrone
Of course the secret key is just for my local development solr instance 🙄



> On Sep 19, 2019, at 10:35 PM, Dave <[hidden email]> wrote:
>
> I know this has nothing to do with the issue at hand but if you have a public facing solr instance you have much bigger issues.  
>
>> On Sep 19, 2019, at 10:16 PM, Tyrone Tse <[hidden email]> wrote:
>>
>> I finally got JWT Authentication working on Solr 8.1.1.
>> This is my security.json file contents
>> {
>>  "authentication":{
>>     "class":"solr.JWTAuthPlugin",
>>     "jwk":{
>>        "kty":"oct",
>>        "use":"sig",
>>        "kid":"k1",
>>
>> "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
>>        "alg":"HS256"
>>     },
>>     "aud":"Solr"
>>  },
>>  "authorization":{
>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>     "permissions":[
>>        {
>>           "name":"open_select",
>>           "path":"/select/*",
>>           "role":null
>>        },
>>        {
>>           "name":"all-admin",
>>           "collection":null,
>>           "path":"/*",
>>           "role":"admin"
>>        },
>>        {
>>           "name":"update",
>>           "role":"solr-update"
>>        }
>>     ],
>>     "user-role":{
>>        "admin":"solr-update"
>>     }
>>  }
>> }
>>
>> I used the web site to generate the JWK key.
>>
>> So I am using the "k" value from the JWK to sign the JWT token.
>>
>> Initially, I used website
>> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>>
>> to generate the JWT and sign it with the value
>> xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ
>>
>> The header is
>> {
>> "alg": "HS256",
>> "typ": "JWT"
>> }
>>
>> and the payload is
>>
>> {
>> "sub": "admin",
>> "aud": "Solr",
>> "exp": 9916239022
>> }
>>
>> This generates the JWT key of
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc
>>
>> So when I use this JWT token generated https://jwt.io/  JWT authentication
>> is working, and I can authenticate as the user admin and Post data to the
>> Solr collections/cores.
>>
>> Now we have decided to get the JWT token generated using Java before we
>> authenticate as the user admin to Post data to Solr, and to have a
>> calculated expiration date
>>
>> Here is the Java Snippet for generating the JWT token
>>
>> import io.jsonwebtoken.Jwts;
>> import io.jsonwebtoken.SignatureAlgorithm;
>> ...
>> ...
>>           String
>> key="xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
>>           Calendar cal =Calendar.getInstance();
>>           Date issueAt = cal.getTime();
>>           cal.add(Calendar.MINUTE,60);
>>           Date expDate = cal.getTime();
>>           String jws = Jwts.builder().
>>               setSubject("admin")
>>               .setAudience("Solr")
>>               .setExpiration(expDate)
>>               .signWith(SignatureAlgorithm.HS256,key).compact();
>>           System.out.println(jws);
>>
>> This does not generate a valid JWT token, when I use it I am getting the
>> error message
>> <html>
>>
>> <head>
>>   <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
>>   <title>Error 401 Signature invalid</title>
>> </head>
>>
>> <body>
>>   <h2>HTTP ERROR 401</h2>
>>   <p>Problem accessing /solr/stores/update. Reason:
>>       <pre> Signature invalid</pre>
>>   </p>
>> </body>
>>
>> </html>
>>
>> I tried generating the JWT token using JavaScript from this codepen
>> https://codepen.io/tyrone-tse/pen/MWgzExB
>>
>> and it too generates an invalid JWT key.
>>
>> How come it works when the JWT is generated from
>> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>>
>>> On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <[hidden email]> wrote:
>>>
>>> See answer in other thread. JWT works for 8.1 or later, don’t attempt it
>>> in 7.x.
>>>
>>> You could try to turn on debug logging for org.apache.solr.security to get
>>> more logging.
>>>
>>> Jan Høydahl
>>>
>>>> 13. sep. 2019 kl. 00:24 skrev Tyrone Tse <[hidden email]>:
>>>>
>>>> Jan
>>>>
>>>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>>>
>>>> If my security.json file is
>>>>
>>>> {
>>>> "authentication": {
>>>>  "class":"com.cominvent.solr.JWTAuthPlugin",
>>>>      "jwk" : {
>>>>              "kty": "oct",
>>>>              "use": "sig",
>>>>              "kid": "solr",
>>>>              "k":
>>>>
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>              "alg": "HS256"
>>>>              }
>>>> }
>>>> }
>>>>
>>>> And my JWT token has the properties Header {
>>>> "alg": "HS256",
>>>> "typ": "JWT"
>>>> } Payload {
>>>> "sub": "admin",
>>>> "name": "admin",
>>>> "iat": 1516239022
>>>> } What other parameters do I need to add to the security.json file to
>>>> secure Solr 7.2 ? I don't want anyone being able to access it without
>>> using
>>>>
>>>> curl -H "Authorization : Bearer <jwt-token>"
>>>> http://localhost:8983/solr/admin/info
>>>>
>>>>
>>>>
>>>> Thanks Tyrone
>>>>
>>>>
>>>>
>>>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <[hidden email]>
>>> wrote:
>>>>>
>>>>> All I could see in the solr.log was ( could it be the java version ?)
>>>>>
>>>>>
>>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle
>>>>> Corporation, os=Mac OS X, java.version=1.8.0_60,
>>> java.vm.version=25.60-b23,
>>>>> lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27,
>>>>> source=flush, os.version=10.12.6,
>>>>>
>>> timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>>> 2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ]
>>>>> o.a.s.s.JWTAuthPlugin Authentication failed.
>>>>>
>>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <[hidden email]>
>>>>> wrote:
>>>>>
>>>>>> Please check the error message in solr.log on the server side and paste
>>>>>> that here. Could be a bug 🕷
>>>>>>
>>>>>> Jan Høydahl
>>>>>>
>>>>>>> 10. sep. 2019 kl. 18:51 skrev Tyrone Tse <[hidden email]>:
>>>>>>>
>>>>>>> Jan using https://mkjwk.org/
>>>>>>> I generated the following JWK
>>>>>>>
>>>>>>> {
>>>>>>>
>>>>>>> "kty": "oct",
>>>>>>> "use": "sig",
>>>>>>> "kid": "solr",
>>>>>>> "k":
>>>>>>
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>> "alg": "HS256"
>>>>>>> }
>>>>>>>
>>>>>>> So I put the generated JWK into my solr server security.json file like
>>>>>> this
>>>>>>>
>>>>>>> {
>>>>>>> "authentication": {
>>>>>>> "class":"solr.JWTAuthPlugin",
>>>>>>> "blockUnknown": true,
>>>>>>> "jwk" : {
>>>>>>>       "kty": "oct",
>>>>>>>       "use": "sig",
>>>>>>>       "kid": "solr",
>>>>>>>       "k":
>>>>>>
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>>       "alg": "HS256"
>>>>>>>     }
>>>>>>> }
>>>>>>> }
>>>>>>>
>>>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>>>>> "k":
>>>>>>
>>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>>
>>>>>>> for the secret key
>>>>>>>
>>>>>>> My JWT header
>>>>>>> {
>>>>>>> "alg": "HS256",
>>>>>>> "typ": "JWT"
>>>>>>> }
>>>>>>>
>>>>>>> Payload
>>>>>>>
>>>>>>> {
>>>>>>> "sub": "1234567890",
>>>>>>> "name": "John Doe",
>>>>>>> "iat": 1516239022
>>>>>>> }
>>>>>>>
>>>>>>> Secret key
>>>>>>>
>>>>>>
>>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>>>
>>>>>>> Which generates the following encoded JWT
>>>>>>>
>>>>>>
>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>>>
>>>>>>>
>>>>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>>>>> as follows
>>>>>>>
>>>>>>> curl -H "Authorization: Bearer
>>>>>>>
>>>>>>
>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
>>>>>>> http://localhost:8983/solr/admin/info/system
>>>>>>>
>>>>>>> I get the error message
>>>>>>>
>>>>>>> <html>
>>>>>>> <head>
>>>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>>> <title>Error 401 JWT validation failed</title>
>>>>>>> </head>
>>>>>>> <body><h2>HTTP ERROR 401</h2>
>>>>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>>> <pre>    JWT validation failed</pre></p>
>>>>>>> </body>
>>>>>>> </html>
>>>>>>>
>>>>>>>
>>>>>>> Am I missing something in my security.json file ?
>>>>>>>
>>>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <[hidden email]>
>>>>>> wrote:
>>>>>>>>
>>>>>>>> I think you are confusing JWK with the JWT token. JWK is only for
>>>>>> defining
>>>>>>>> the key, see https://mkjwk.org for an online JWK generator, you can
>>>>>>>> choose HS256 as algorithm. Put the generated JWK in Solr's config and
>>>>>> also
>>>>>>>> use the generated key to sign your JWT. Then Solr should be able to
>>>>>>>> validate the JWT.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jan Høydahl, search solution architect
>>>>>>>> Cominvent AS - www.cominvent.com
>>>>>>>>
>>>>>>>>> 10. sep. 2019 kl. 01:21 skrev Tyrone <[hidden email]>:
>>>>>>>>>
>>>>>>>>> Jan
>>>>>>>>>
>>>>>>>>> Can my jwk object be something like
>>>>>>>>>
>>>>>>>>> {alg": "HS256", "typ": "JWT",
>>>>>>>>>
>>>>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>>>>
>>>>>>>>> “k" : "secret-key"}
>>>>>>>>>
>>>>>>>>> Where k is the JWT secret key?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>>>>
>>>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <[hidden email]>
>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> In your security.json, add a JWK matching your signing algorithm,
>>>>>> using
>>>>>>>> the “jwk” JSON key.
>>>>>>>>>>
>>>>>>>>>> Example:
>>>>>>>>>> “jwk” : { "kty" : "oct", "kid" :
>>>>>>>> "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" :
>>>>>>>> "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>>>
>>>>>>>>>> Of course you need to find a way to encode your particular secret
>>> in
>>>>>>>> jwk format, there should be plenty of tools available for that. If
>>> you
>>>>>>>> intend to use symmetric key in prod you have to configure solr so
>>> that
>>>>>>>> security.json is not readable for anyone but the admin!
>>>>>>>>>>
>>>>>>>>>> Jan Høydahl
>>>>>>>>>>
>>>>>>>>>>> 9. sep. 2019 kl. 05:46 skrev Tyrone <[hidden email]>:
>>>>>>>>>>>
>>>>>>>>>>> HS256
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>
>>>

Re: Sample JWT Solr configuration

Jan Høydahl / Cominvent
In reply to this post by Tyrone Tse
HS256 is symmetric, so signing with the shared key should be all you need. I don't see what you did wrong. Perhaps a space has sneaked in somewhere in the key or how you copy it is not pure ASCII? I'd encourage you to try evaluating the token you build in Java or JavaScript using the online tooling or in a local Java POC outside of Solr, and see if you can find the bug.
Most of the testing inside of Solr uses public/private keys but that should be transparent as long as the JWK object you use is correct.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 20. sep. 2019 kl. 04:16 skrev Tyrone Tse <[hidden email]>:
>
> I finally got JWT Authentication working on Solr 8.1.1.
> This is my security.json file contents
> {
>   "authentication":{
>      "class":"solr.JWTAuthPlugin",
>      "jwk":{
>         "kty":"oct",
>         "use":"sig",
>         "kid":"k1",
>
> "k":"xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ",
>         "alg":"HS256"
>      },
>      "aud":"Solr"
>   },
>   "authorization":{
>      "class":"solr.RuleBasedAuthorizationPlugin",
>      "permissions":[
>         {
>            "name":"open_select",
>            "path":"/select/*",
>            "role":null
>         },
>         {
>            "name":"all-admin",
>            "collection":null,
>            "path":"/*",
>            "role":"admin"
>         },
>         {
>            "name":"update",
>            "role":"solr-update"
>         }
>      ],
>      "user-role":{
>         "admin":"solr-update"
>      }
>   }
> }
>
> I used the web site to generate the JWK key.
>
> So I am using the "k" value from the JWK to sign the JWT token.
>
> Initially, I used website
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
> to generate the JWT and sign it with the value
> xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ
>
> The header is
> {
>  "alg": "HS256",
>  "typ": "JWT"
> }
>
> and the payload is
>
> {
>  "sub": "admin",
>  "aud": "Solr",
>  "exp": 9916239022
> }
>
> This generates the JWT key of
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6IlNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9._H1qeNvlpIOn3X9IpDG0QiRWnEDXITMhZm1NMfuocSc
>
> So when I use this JWT token generated https://jwt.io/  JWT authentication
> is working, and I can authenticate as the user admin and Post data to the
> Solr collections/cores.
>
> Now we have decided to get the JWT token generated using Java before we
> authenticate as the user admin to Post data to Solr, and to have a
> calculated expiration date
>
> Here is the Java Snippet for generating the JWT token
>
> import io.jsonwebtoken.Jwts;
> import io.jsonwebtoken.SignatureAlgorithm;
> ...
> ...
>            String
> key="xbQNocUhLJKSmGi0Qp_4hAVfls9CWH5WoTrw543WTXi5H6G-AXFlHRaTKWoGZtLKAD9jn6-MFC49jvR3bJI2L_H9a3yeRgd3tMkhxcR7ABsnhFz2WutN7NSZHiAxCJzTxR8YsgzMM9SXjvp6H1xpNWALdi67YIogKFTLiUIRDtdp3xBJxMP9IQlSYxK4ov81lt4hpAhSdkfpeczgRGd2xxrMbN38uDqtoIXSPRX-7d3pf1YvlyzWKHudTz30sjM6R2h-RRDBOp-SK_tDq4vjG72DyqFYt7BRyzSzrxGl-Ku5yURr21u6vep6suWeJ2_fmA8hgd304e60DBKZoFebxQ";
>            Calendar cal =Calendar.getInstance();
>            Date issueAt = cal.getTime();
>            cal.add(Calendar.MINUTE,60);
>            Date expDate = cal.getTime();
>            String jws = Jwts.builder().
>                setSubject("admin")
>                .setAudience("Solr")
>                .setExpiration(expDate)
>                .signWith(SignatureAlgorithm.HS256,key).compact();
>            System.out.println(jws);
>
> This does not generate a valid JWT token, when I use it I am getting the
> error message
> <html>
>
> <head>
>    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
>    <title>Error 401 Signature invalid</title>
> </head>
>
> <body>
>    <h2>HTTP ERROR 401</h2>
>    <p>Problem accessing /solr/stores/update. Reason:
>        <pre> Signature invalid</pre>
>    </p>
> </body>
>
> </html>
>
> I tried generating the JWT token using JavaScript from this codepen
> https://codepen.io/tyrone-tse/pen/MWgzExB
>
> and it too generates an invalid JWT key.
>
> How come it works when the JWT is generated from
> https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.rqMpVpTSbNUHDA7VLSYUpv4ebeMjvwQMD6hwMDpvcBQ
>
> On Sat, Sep 14, 2019 at 9:06 AM Jan Høydahl <[hidden email]> wrote:
>
>> See answer in other thread. JWT works for 8.1 or later, don’t attempt it
>> in 7.x.
>>
>> You could try to turn on debug logging for org.apache.solr.security to get
>> more logging.
>>
>> Jan Høydahl
>>
>>> 13. sep. 2019 kl. 00:24 skrev Tyrone Tse <[hidden email]>:
>>>
>>> Jan
>>>
>>> I tried using the JWT Plugin https://github.com/cominvent/solr-auth-jwt
>>>
>>> If my security.json file is
>>>
>>> {
>>> "authentication": {
>>>   "class":"com.cominvent.solr.JWTAuthPlugin",
>>>       "jwk" : {
>>>               "kty": "oct",
>>>               "use": "sig",
>>>               "kid": "solr",
>>>               "k":
>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>               "alg": "HS256"
>>>               }
>>> }
>>> }
>>>
>>> And my JWT token has the properties Header {
>>> "alg": "HS256",
>>> "typ": "JWT"
>>> } Payload {
>>> "sub": "admin",
>>> "name": "admin",
>>> "iat": 1516239022
>>> } What other parameters do I need to add to the security.json file to
>>> secure Solr 7.2 ? I don't want anyone being able to access it without
>> using
>>>
>>> curl -H "Authorization : Bearer <jwt-token>"
>>> http://localhost:8983/solr/admin/info
>>>
>>>
>>>
>>> Thanks Tyrone
>>>
>>>
>>>
>>>> On Tue, Sep 10, 2019 at 2:18 PM Tyrone Tse <[hidden email]>
>> wrote:
>>>>
>>>> All I could see in the solr.log was ( could it be the java version ?)
>>>>
>>>>
>> main{ExitableDirectoryReader(UninvertingDirectoryReader(Uninverting(_0(8.2.0):C1:[diagnostics={java.vendor=Oracle
>>>> Corporation, os=Mac OS X, java.version=1.8.0_60,
>> java.vm.version=25.60-b23,
>>>> lucene.version=8.2.0, os.arch=x86_64, java.runtime.version=1.8.0_60-b27,
>>>> source=flush, os.version=10.12.6,
>>>>
>> timestamp=1568127993644}]:[attributes={Lucene50StoredFieldsFormat.mode=BEST_SPEED}])))}
>>>> 2019-09-10 19:16:02.312 WARN  (qtp875016237-24) [   ]
>>>> o.a.s.s.JWTAuthPlugin Authentication failed.
>>>>
>>>> On Tue, Sep 10, 2019 at 12:38 PM Jan Høydahl <[hidden email]>
>>>> wrote:
>>>>
>>>>> Please check the error message in solr.log on the server side and paste
>>>>> that here. Could be a bug 🕷
>>>>>
>>>>> Jan Høydahl
>>>>>
>>>>>> 10. sep. 2019 kl. 18:51 skrev Tyrone Tse <[hidden email]>:
>>>>>>
>>>>>> Jan using https://mkjwk.org/
>>>>>> I generated the following JWK
>>>>>>
>>>>>> {
>>>>>>
>>>>>> "kty": "oct",
>>>>>> "use": "sig",
>>>>>> "kid": "solr",
>>>>>> "k":
>>>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>> "alg": "HS256"
>>>>>> }
>>>>>>
>>>>>> So I put the generated JWK into my solr server security.json file like
>>>>> this
>>>>>>
>>>>>> {
>>>>>> "authentication": {
>>>>>>  "class":"solr.JWTAuthPlugin",
>>>>>>  "blockUnknown": true,
>>>>>>  "jwk" : {
>>>>>>        "kty": "oct",
>>>>>>        "use": "sig",
>>>>>>        "kid": "solr",
>>>>>>        "k":
>>>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>        "alg": "HS256"
>>>>>>      }
>>>>>> }
>>>>>> }
>>>>>>
>>>>>> Then I went to https://jwt.io/ to generate the JWT using the value of
>>>>>> "k":
>>>>>
>> "pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ",
>>>>>>
>>>>>> for the secret key
>>>>>>
>>>>>> My JWT header
>>>>>> {
>>>>>> "alg": "HS256",
>>>>>> "typ": "JWT"
>>>>>> }
>>>>>>
>>>>>> Payload
>>>>>>
>>>>>> {
>>>>>> "sub": "1234567890",
>>>>>> "name": "John Doe",
>>>>>> "iat": 1516239022
>>>>>> }
>>>>>>
>>>>>> Secret key
>>>>>>
>>>>>
>> pIpVnjhuAj9DBg8e2lwya7o_uZMM3Wqo2eK0uchOza0vBS-orZNYTkLcHTLXF9JaCBR08tWfFEWVPENF6sXKuaj8Mn65Kc3QUmS-csblVvjj69dXk2Mi-Zs2iDDM3QyyvdiyRpfxE-xKwwjhU47xs7M0Dq69I1UE5nrFkczLf9qe3b47ha3eBQDm1_zg8EVwxadJ7gfQ97jn2MtT6hHrts9YD6_Z_heAdYC2QYjBBIdEXzZgHSKqmPNNhDvAChF9AfmNiUlfAG_g0jMMLKYEUv6ck3KJA6A1JBq1iEstjvF7hchFgdgyVRCR5P8UM6n6Hb0YrHjjANyEYIZD9mFfBQ
>>>>>>
>>>>>> Which generates the following encoded JWT
>>>>>>
>>>>>
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44
>>>>>>
>>>>>>
>>>>>> So I then tried to use the JWT encoded value in a curl command to Solr
>>>>>> as follows
>>>>>>
>>>>>> curl -H "Authorization: Bearer
>>>>>>
>>>>>
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.ZdtjglSME79nlq5HJs0bUYiFkSlDKytKS07IMWz9o44"
>>>>>> http://localhost:8983/solr/admin/info/system
>>>>>>
>>>>>> I get the error message
>>>>>>
>>>>>> <html>
>>>>>> <head>
>>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>>> <title>Error 401 JWT validation failed</title>
>>>>>> </head>
>>>>>> <body><h2>HTTP ERROR 401</h2>
>>>>>> <p>Problem accessing /solr/admin/info/system. Reason:
>>>>>> <pre>    JWT validation failed</pre></p>
>>>>>> </body>
>>>>>> </html>
>>>>>>
>>>>>>
>>>>>> Am I missing something in my security.json file ?
>>>>>>
>>>>>>> On Tue, Sep 10, 2019 at 5:30 AM Jan Høydahl <[hidden email]>
>>>>> wrote:
>>>>>>>
>>>>>>> I think you are confusing JWK with the JWT token. JWK is only for
>>>>> defining
>>>>>>> the key, see https://mkjwk.org for an online JWK generator, you can
>>>>>>> choose HS256 as algorithm. Put the generated JWK in Solr's config and
>>>>> also
>>>>>>> use the generated key to sign your JWT. Then Solr should be able to
>>>>>>> validate the JWT.
>>>>>>>
>>>>>>> --
>>>>>>> Jan Høydahl, search solution architect
>>>>>>> Cominvent AS - www.cominvent.com
>>>>>>>
>>>>>>>> 10. sep. 2019 kl. 01:21 skrev Tyrone <[hidden email]>:
>>>>>>>>
>>>>>>>> Jan
>>>>>>>>
>>>>>>>> Can my jwk object be something like
>>>>>>>>
>>>>>>>> {alg": "HS256", "typ": "JWT",
>>>>>>>>
>>>>>>>> "sub": "1234567890", "name": "John Doe", "iat": 1516239022,
>>>>>>>>
>>>>>>>> “k" : "secret-key"}
>>>>>>>>
>>>>>>>> Where k is the JWT secret key?
>>>>>>>>
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Sep 9, 2019, at 1:48 AM, Jan Høydahl <[hidden email]>
>>>>> wrote:
>>>>>>>>>
>>>>>>>>> In your security.json, add a JWK matching your signing algorithm,
>>>>> using
>>>>>>> the “jwk” JSON key.
>>>>>>>>>
>>>>>>>>> Example:
>>>>>>>>> “jwk” : { "kty" : "oct", "kid" :
>>>>>>> "0afee142-a0af-4410-abcc-9f2d44ff45b5", "alg" : "HS256", "k" :
>>>>>>> "FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ" }
>>>>>>>>>
>>>>>>>>> Of course you need to find a way to encode your particular secret
>> in
>>>>>>> jwk format, there should be plenty of tools available for that. If
>> you
>>>>>>> intend to use symmetric key in prod you have to configure solr so
>> that
>>>>>>> security.json is not readable for anyone but the admin!
>>>>>>>>>
>>>>>>>>> Jan Høydahl
>>>>>>>>>
>>>>>>>>>> 9. sep. 2019 kl. 05:46 skrev Tyrone <[hidden email]>:
>>>>>>>>>>
>>>>>>>>>> HS256
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>
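
The reply above suggests evaluating the token in a local proof of concept outside Solr. The following is an added example (not code from the thread or from Solr) that checks an HS256 token against a JWK under two readings of "k": the base64url-decoded octets that RFC 7518 defines for "k", and the characters of the string used as the key as-is. The sample JWK, claims and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample JWK for this example (not a key from the thread).
// Per RFC 7518 section 6.4.1, "k" is the base64url encoding of the key octets.
const SAMPLE_JWK = {
  kty: 'oct', use: 'sig', kid: 'demo', alg: 'HS256',
  k: Buffer.from('constructed demo key, 32+ bytes!!').toString('base64url'),
};

const b64url = (data) => Buffer.from(data).toString('base64url');

// Sign a payload with HS256 using exactly the key bytes given.
function signHs256(payload, keyBytes) {
  const signingInput =
    b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', keyBytes).update(signingInput).digest();
  return signingInput + '.' + b64url(mac);
}

// The two readings of "k" that get mixed up between signing tools.
function keyCandidates(jwk) {
  return [
    { name: 'base64url-decoded', key: Buffer.from(jwk.k, 'base64url') }, // RFC 7518 reading
    { name: 'raw-utf8', key: Buffer.from(jwk.k, 'utf8') },               // string used as-is
  ];
}

// Report which reading of jwk.k (if any) produced the token's signature.
function diagnose(token, jwk) {
  const parts = token.trim().split('.'); // tolerate stray whitespace from copy/paste
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('unexpected alg: ' + header.alg);
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  const given = Buffer.from(parts[2], 'base64url');
  let keyInterpretation = null;
  for (const { name, key } of keyCandidates(jwk)) {
    const mac = crypto.createHmac('sha256', key).update(parts[0] + '.' + parts[1]).digest();
    if (given.length === mac.length && crypto.timingSafeEqual(given, mac)) {
      keyInterpretation = name;
      break;
    }
  }
  const now = Math.floor(Date.now() / 1000);
  return {
    keyInterpretation, // null means neither reading of "k" matches the signature
    claims,
    expired: typeof claims.exp === 'number' && claims.exp <= now,
  };
}

// Constructed demo: the same claims signed once with each reading of the key.
const demoClaims = { sub: 'admin', aud: 'Solr', exp: Math.floor(Date.now() / 1000) + 3600 };
const tokenDecodedKey = signHs256(demoClaims, Buffer.from(SAMPLE_JWK.k, 'base64url'));
const tokenRawKey = signHs256(demoClaims, Buffer.from(SAMPLE_JWK.k, 'utf8'));
console.log(diagnose(tokenDecodedKey, SAMPLE_JWK).keyInterpretation); // base64url-decoded
console.log(diagnose(tokenRawKey, SAMPLE_JWK).keyInterpretation);     // raw-utf8
```

A result of `raw-utf8` or `null` for a token means the signing side did not use the octets that an RFC 7518 verifier derives from "k", which is worth ruling out before looking at claims such as `aud` and `exp`.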