I configured JWT authentication with “authentication_backend” intern:
config.yml (snippet) looks like this:
jwt_auth_domain:
description: "Authenticate via Json Web Token"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: |-
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
jwt_header: "Authorization"
jwt_url_parameter: null
roles_key: null
subject_key: null
authentication_backend:
type: intern
Authentication via a JSON Web Token works fine due to the configuration above.
In addition to auth via JWT, i also configured basic auth for user in the internal database.
My question is: Is it possible to authenticate internal user (created by user api) by using JWT?
In order to do this, i tried to configure “intern” as authentication_backend (see last part of jwt config snippet). This works as long as the code try to authenticate the user passed by jwt against internal user database using basic auth. Due to the fact that the JSON Web Tokens doesn’t contain the password within its payload, the authentication fails.
Any ideas for a workaround or any similar?
One hacky thing, i tried out, works like this: I build a “patch” of the opensearch-security plugin, where the InternalAuthenticationBackend doesn’t check the password, so the user (from json web token) can be authenticated against the internal user database and infos like roles and attributes can be fetched from the database.
I will try to present my idea or my intention more precisely:
System: Search Engine using OpenSearch
Each search request contains a json web token
Json web tokens are generated after authentication (e.g with ldap) by using a public/private key pair. Public key is configured in config.yml of opensearch security.
These json web tokens do not contain any information about user groups. Since the amount of groups in the system can become very large, i don’t want to store group infos within the token.
So after a search request is received by OpenSearch, the user is already authenticated, but the search engine does not have any informations about the (search) user’s groups which are
necessary for Document level security.
In order to get search user’s groups (for building query filters),
there will be an external separate service that provides user informations (groups) on demand. (This service is requesting directly the source systems, e.g ldap, …)
In order to avoid requesting the external service with each search request, user informations (groups) have to be cached!
The idea is to use the existing database for internal users for this purpose.
In oder to achieve this i configured JWT authentication with “authentication_backend” = intern in config.yml. (see my first post in this topic).
As i already mentioned, this works fine as long as the code try to authenticate the user passed by jwt against internal user database using basic auth.
Since jwt does not contain a password, the authentication fails.
So after having a deeper look in opensearch-security code, i see a possibility to implement my own custom “AuthenticationBackend”.
Any feedback or feelings concerning this way?
If I am implementing own features in opensearch-security, what would be the best (official) way to publish it?
Creating a pull request for opensearch-security?
Plugin of the opensearch-seucrity- plugin? Is this possible?
Any other?
Thanks for any kind of feedback, possible solutions and hints!
Hello @Oers - welcome to the OpenSearch community. Really interesting use case - I’ll pass this around with some of the developers to see if they have input.
