I would like to extend the existing JWT authentication to verify the token using the public key from a trusted certificate chain with the x5c JWS header parameter (see spec). Using the x5c is an alternative to specifying the public key either from “signing_key” or “jwks_uri”.
Is there a best practice for extending the security plugin to provide an implementation of HTTPAuthenticator to achieve this? The documentation did not specify extensions of the security plugin, apart from the Resource SPI, so I thought I’d ask here.
Configuration:
I have added this configuration to verify JWT from certificate chain in x5c, however this requires building a custom version of the security plugin.
```yaml
authc:
  jwt_auth:
    description: "Authenticate and assign role using JWT."
    http_enabled: true
    transport_enabled: false
    order: 0
    http_authenticator:
      type: jwt_x5c
      challenge: false
      config:
        jwt_header: "Authorization"
        subject_key: sub
        roles_key: rls
        required_issuer: appnode
        required_audience: opensearch
    authentication_backend:
      type: noop
```
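What the `jwt_x5c` authenticator above has to do, as an added example that is not part of this thread or of the OpenSearch security plugin's code: it is written in Go rather than the plugin's Java, and it builds its own throwaway root and signing certificate (a constructed test PKI), mints an ES256 token whose `x5c` header carries the chain, and then verifies it the way a custom HTTPAuthenticator must, validating the chain against a trust anchor configured out of band before using the leaf key, pinning `alg`, and checking `iss`/`aud`/`exp` against the `required_issuer` and `required_audience` values from the config. A second token whose `x5c` carries an attacker-made root and leaf with the same names is rejected; taking the verification key from an unvalidated `x5c` is the mistake that turns this feature into "anyone can sign". The function and variable names are mine, not the plugin's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// Claims mirrors subject_key (sub), roles_key (rls), required_issuer and required_audience above.
type Claims struct {
	Iss string   `json:"iss"`
	Aud string   `json:"aud"`
	Sub string   `json:"sub"`
	Rls []string `json:"rls"`
	Exp int64    `json:"exp"`
}

// newIdentity makes a fresh P-256 key and a certificate for it (constructed test PKI; a CA is self-signed).
func newIdentity(serial int64, cn string, isCA bool, now time.Time, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// SignJWT builds an ES256 JWS whose x5c header carries the signer's chain, leaf first (RFC 7515 section 4.1.6).
func SignJWT(key *ecdsa.PrivateKey, chain []*x509.Certificate, c Claims) string {
	x5c := make([]string, len(chain))
	for i, cert := range chain {
		x5c[i] = base64.StdEncoding.EncodeToString(cert.Raw) // x5c entries use standard base64, not base64url
	}
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "x5c": x5c})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64) // ES256 signature is raw R||S, each left-padded to 32 bytes (not ASN.1)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// VerifyJWT accepts a token only if the x5c leaf chains to a certificate in roots, the signature
// verifies under that leaf's key, and iss/aud/exp satisfy policy. The chain inside the token is
// attacker input: using its key before validating it against trusted roots lets anyone mint tokens.
func VerifyJWT(token string, roots *x509.CertPool, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr struct {
		Alg string   `json:"alg"`
		X5c []string `json:"x5c"`
	}
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "ES256" || len(hdr.X5c) == 0 { // pin the algorithm; never let the token choose it
		return nil, errors.New("alg not ES256 or x5c missing")
	}
	var leaf *x509.Certificate
	inter := x509.NewCertPool()
	for i, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		if i == 0 {
			leaf = cert
		} else {
			inter.AddCert(cert)
		}
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // a token signer needs no serverAuth EKU
	if _, err := leaf.Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c chain not trusted: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	sig, err := b64.DecodeString(parts[2])
	if !ok || pub.Curve != elliptic.P256() || err != nil || len(sig) != 64 {
		return nil, errors.New("key or signature not ES256-shaped")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return nil, errors.New("iss, aud or exp rejected")
	}
	return &c, nil
}

// RunScenario issues a signing cert to "appnode" under a throwaway root, then verifies a legitimate
// token and a forged one whose x5c carries an attacker-made root and leaf bearing the same names.
func RunScenario() (sub string, roles []string, forgedErr, err error) {
	now := time.Now()
	caKey, ca := newIdentity(1, "Trusted Root", true, now, nil, nil)
	appKey, app := newIdentity(2, "appnode", false, now, ca, caKey)
	roots := x509.NewCertPool() // the trust anchor is configured here, never taken from the token
	roots.AddCert(ca)
	claims := Claims{Iss: "appnode", Aud: "opensearch", Sub: "alice", Rls: []string{"admin", "reader"}, Exp: now.Add(time.Hour).Unix()}
	c, err := VerifyJWT(SignJWT(appKey, []*x509.Certificate{app}, claims), roots, "appnode", "opensearch", now)
	if err != nil {
		return "", nil, nil, err
	}
	evilKey, evilCA := newIdentity(1, "Trusted Root", true, now, nil, nil)
	forgedKey, forged := newIdentity(2, "appnode", false, now, evilCA, evilKey)
	_, forgedErr = VerifyJWT(SignJWT(forgedKey, []*x509.Certificate{forged, evilCA}, claims), roots, "appnode", "opensearch", now)
	return c.Sub, c.Rls, forgedErr, nil
}

func main() {
	sub, roles, forgedErr, err := RunScenario()
	fmt.Println("accepted:", sub, roles, err, "| forged chain:", forgedErr)
}
```

The order of checks matters: the chain is validated against `roots` before the leaf key touches the signature, `alg` is compared against a fixed value rather than read from the token, and the issuer and audience are compared against the configured values rather than trusted because the certificate looked right. In a real authenticator the `roots` pool would be loaded from a path in the `config` block, and you would also pin the leaf's subject (or a SAN) to the expected issuer, since a CA that issues many certificates should not let every holder mint tokens for `appnode`.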
@tony.bargnesi The latest version of the security plugin doesn’t support token verification with x5c JWS header.
This authentication domain isn’t available.
authc.jwt_auth.http_authenticator.type: jwt_x5c
If you’d like to report a feature request, please open a GitHub issue in the OpenSearch Security Plugin repository.
If you do so, please share the GitHub link here.
The jwt_x5c configuration was an example of my custom HTTPAuthenticator class added directly into the security plugin. I created a custom build of security plugin to achieve this and it worked well.
Ultimately, I’m wondering if there is a reasonable approach to add custom authentication into security plugin without having to build and maintain a custom version of the plugin. I’ve heard of one approach where custom classes are packaged into a JAR in main opensearch lib directory, then security plugin classloader should have access to it, but haven’t tried it.
I tried to add a custom JAR to /lib to see if the opensearch-security plugin would pick it up. Unfortunately it was unable to find the custom HTTPAuthenticator class, likely due to explicit classloader visibility.
One approach that did work was to repackage the opensearch-security zip to include a custom JAR with an additional HTTPAuthenticator class. Then that class is available on the plugin classpath and everything works. This is slightly better than forking opensearch-security in that the repackaging uses the Maven coordinate for the plugin ZIP file.
@tony.bargnesi I think your questions are valid for developers. If you don’t mind, please open a GitHub issue in the OpenSearch Security Plugin and address those questions there.