JWT Authentication issues #126

Open
rswickedwayz opened this issue Jul 3, 2023 · 2 comments

@rswickedwayz

rswickedwayz commented Jul 3, 2023

Describe the bug
A clear and concise description of what the bug is.

I've been trying to enable the JWT Authentication handler so an RSA token can be used to authenticate. I'm having difficulty getting this to work in my clustered couchdb environment.

Version of Helm and Kubernetes:
helm ver 4.2.1
Kubernetes v1.24

What happened:
I am trying to enable JWT authentication inside my values.yaml. It does not appear to be working. When I curl this it only returns cookie and default as the authentication handlers.

curl https://admin:[email protected]/_session

it returns this:
{"ok":true,"userCtx":{"name":"admin","roles":["_admin"]},"info":{"authentication_handlers":["cookie","default"],"authenticated":"default"}}

Entries inside values.yaml were placed under couchdbConfig.
couchdbConfig:
   couchdb:
      authentication_handlers: "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}"
   jwt_authentication_handler:
      rsa_public_key: "/couchdb/couchdb_public_key.pem"

What you expected to happen:

I expect it to return jwt as one of the authentication_handlers.
{"ok":true,"userCtx":{"name":"admin","roles":["_admin"]},"info":{"authentication_handlers":["cookie","jwt","default"],"authenticated":"default"}}

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:

@willholley
Member

@rswickedwayz as per https://docs.couchdb.org/en/stable/api/server/authn.html#jwt-authentication, you need to set the authentication_handlers setting under the chttpd and jwt_keys section of the config. For the public key, I believe you need to provide the value of the pem key with newlines replaced with the escape sequence \n, rather than a path to the key.

For example:

couchdbConfig:
   chttpd:
      authentication_handlers: "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}"
   jwt_keys:
      "rsa:foo": "-----BEGIN PUBLIC KEY-----\nMIIBIjAN...IDAQAB\n-----END PUBLIC KEY-----\n"

If this doesn't work, check the ini file in the configmap created by the Helm chart. It's possible that authentication_handlers isn't rendered correctly because CouchDB expects an Erlang term rather than a string for the value.
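
The checks from the reply above, as an added shell example that is not part of the thread or of the Helm chart: it flattens a PEM public key into the single-line `\n`-escaped form, looks up a key under a given section of a rendered ini file, and tests a `/_session` response for the `jwt` handler. The function names and all sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names and sample data are constructed, not from the chart.

# Print a PEM (file argument or stdin) as one line, with every line break
# replaced by the two characters backslash + n. CRLF endings are tolerated.
pem_to_jwt_key() {
  awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$@"
}

# Read an ini file on stdin and print the value of KEY inside [SECTION].
# Exit status is 1 when the key is not in that section, which catches a
# setting that was rendered under the wrong section name.
ini_get() {  # usage: ini_get SECTION KEY < rendered.ini
  awk -v want="[$1]" -v key="$2" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
    section == want {
      i = index($0, "="); if (i == 0) next
      k = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; found = 1 }
    }
    END { exit !found }'
}

# Read a /_session response on stdin; succeed only if "jwt" is listed
# in info.authentication_handlers (a user or role named jwt does not count).
has_jwt_handler() {
  grep -o '"authentication_handlers":\[[^]]*]' | grep -q '"jwt"'
}

# Constructed placeholder key material (not a real key).
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
AAAAconstructedLINE1
BBBBconstructedLINE2
-----END PUBLIC KEY-----'

# Constructed ini text laid out with the section names from the reply above.
SAMPLE_INI='[chttpd]
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, default_authentication_handler}
[jwt_keys]
rsa:foo = -----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n'

# Demo: the escaped key, then the two lookups made against the rendered ini.
printf '%s\n' "$SAMPLE_PEM" | pem_to_jwt_key; echo
printf '%s\n' "$SAMPLE_INI" | ini_get chttpd authentication_handlers
printf '%s\n' "$SAMPLE_INI" | ini_get jwt_keys rsa:foo
```

Against a real deployment, feed `ini_get` the ini text taken from the chart's configmap and `has_jwt_handler` the body returned by `/_session`.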

@jsenzier-oxeva

jsenzier-oxeva commented Jan 22, 2024

I found this syntax which seems to work:

couchdbConfig:
   chttpd:
      authentication_handlers: "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}"
   jwt_keys:
      'rsa:foo': >
         "-----BEGIN PUBLIC KEY-----\nMIIBIjAN...IDAQAB\n-----END PUBLIC KEY-----\n"
