JWT authentication for Kibana

Potapyc · April 2, 2021, 1:03pm

Hi, I am new to Opendistro and I am trying to set up the jwt authentication mode for Kibana.
In my config.yml i have:

Blockquote
jwt_auth_domain:
enabled: true
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: "oeRaYY7Wo24sDqKSX3IM9ASGmdGPmkTd9jo1QTy4b7P9Ze5_9hKolVX8xNrQDcNRfVEdTZNOuOyqEGhXEbdJI-ZQ19k_o9MI0y3eZN2lp9jow55FfXMiINEdt1XR85VipRLSOkT6kSpzs2x-jbLDiz9iFVzkd81YKxMgPA7VfZeQUm4n-mOmnWMaVX30zGFU4L3oPBctYKkl4dYfqY>
jwt_header: “Authorization”
jwt_url_parameter: null
roles_key: “roles”
subject_key: “sub”
authentication_backend:
type: noop

The kibana.yml is:

Blockquote
server.name: kibana
server.host: “0”
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: [“securitytenant”,“Authorization”]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: [“Private”, “Global”]
opendistro_security.readonly_mode.roles: [“kibana_read_only”]
opendistro_security.auth.type: “jwt”
opendistro_security.cookie.secure: false
newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false

Finally, i executed a GET request with Postman to my client after generating a valid access token and I got the following error:

{

"statusCode": 401,

"error": "Unauthorized",

"message": "Authentication error"

}

Can anyone please help me? Thank you

Anthony · April 8, 2021, 10:49am

Hi @Potapyc can you please confirm that the value in signing_key (in config.yml) is base64 encoded. Can you please also check if you are missing closing quotations marks in signing_key.

If this is all in order, can you confirm that the JWT includes a role under “roles” which is mapped in odfe via roles mapping. For testing purposes I’d recommend to put role as admin in jwt as this will be automatically mapped to admin with full access (assuming this part of odfe was not changed). Also make sure the expiration timestamps are valid in JWT.

Potapyc · April 14, 2021, 2:36pm

Hi @Anthony, thank you for taking the time to answer and sorry for the delay :-).
Yes, I have verified that the signing_key is base64 encoded and I’m not missing quotation marks.
As for the JWT, here is the unencoded JSON of the payload:

{
“roles”: “admin”,
“iss”: “http://localhost”,
“sub”: “admin”,
“exp”: 1618493640
}

So, following your suggestion, I have the admin role under “roles”. However I keep getting the same error:

{ “statusCode”: 401, “error”: “Unauthorized”, “message”: “Authentication Exception” }

I should also mention that my OpenDistro version is 1.13.1 and that I am following this guide to set up the configuration:

Use JSON Web Tokens (JWTs) to Authenticate in Open Distro for Elasticsearch and Kibana | AWS Open Source Blog (amazon.com)

It is not clear to me from your answer whether I need to make changes to the roles_mapping.yml, which until now I have not modified. Perhaps the roles mapping is not done correctly?
Thanks again for your help

Topic		Replies	Views
Issue with login to kibana through JWT Security	1	1075	March 11, 2020
Creating Users and Authenticating using JWT Tokens Security	1	782	May 10, 2021
Login to kibana through JWT Security	17	9262	March 11, 2020
Jwt authentication stopped working after update Security	3	585	February 24, 2021
Оpendistro-security with ELK (basic license) Open Source Elasticsearch and Kibana	2	1118	March 26, 2021

JWT authentication for Kibana

Related topics