couchdb-helm

JWT Authentication issues

Open rswickedwayz opened this issue 1 year ago • 2 comments

Describe the bug:

I've been trying to enable the JWT authentication handler so an RSA token can be used to authenticate. I'm having difficulty getting this to work in my clustered couchdb environment.

Version of Helm and Kubernetes: helm ver 4.2.1 Kubernetes v1.24

What happened: I am trying to enable JWT authentication inside my values.yaml. It does not appear to be working. When I curl this it only returns cookie and default as the authentication handlers.

curl https://admin:[email protected]/_session

it returns this: {"ok":true,"userCtx":{"name":"admin","roles":["_admin"]},"info":{"authentication_handlers":["cookie","default"],"authenticated":"default"}}

Entries inside values.yaml were placed under couchdbConfig.

couchdbConfig:
   couchdb:
      authentication_handlers: "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}"
   jwt_authentication_handler:
      rsa_public_key: "/couchdb/couchdb_public_key.pem"

What you expected to happen:

I expect it to return jwt as one of the authentication_handlers.

{"ok":true,"userCtx":{"name":"admin","roles":["_admin"]},"info":{"authentication_handlers":["cookie","jwt","default"],"authenticated":"default"}}

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know:

rswickedwayz Jul 03 '23 15:07

@rswickedwayz as per https://docs.couchdb.org/en/stable/api/server/authn.html#jwt-authentication, you need to set the authentication_handlers setting under the chttpd and jwt_keys section of the config. For the public key, I believe you need to provide the value of the pem key with newlines replaced with the escape sequence \n, rather than a path to the key.

For example:

couchdbConfig:
   chttpd:
      authentication_handlers: "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}"
   jwt_keys:
      "rsa:foo": "-----BEGIN PUBLIC KEY-----\nMIIBIjAN...IDAQAB\n-----END PUBLIC KEY-----\n"

If this doesn't work, check the ini file in the configmap created by the Helm chart. It's possible that authentication_handlers isn't rendered correctly because CouchDB expects an Erlang term rather than a string for the value.

willholley Jul 10 '23 13:07

I found this syntax which seems to work:

couchdbConfig:
   chttpd:
      authentication_handlers: "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}"
   jwt_keys:
      'rsa:foo': >
         "-----BEGIN PUBLIC KEY-----\nMIIBIjAN...IDAQAB\n-----END PUBLIC KEY-----\n"

jsenzier-oxeva Jan 22 '24 19:01
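The check suggested in the thread (inspect the ini file rendered into the configmap) can be scripted. The following is an added example, not part of the thread or of the couchdb-helm chart: it converts a PEM file's contents to the one-line `\n`-escaped form and lints a rendered ini for the two settings discussed above. The function names are hypothetical, the ini samples are constructed, and the parser assumes plain `key = value` lines.

```python
import re

def pem_to_ini_value(pem: str) -> str:
    """Collapse a PEM block to one line; each newline becomes the two characters \\n."""
    return "".join(line.strip() + "\\n" for line in pem.strip().splitlines())

def parse_ini(text: str) -> dict:
    """Minimal 'key = value' ini reader; keys may contain ':' (e.g. rsa:foo)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and " = " in line and not line.startswith(";"):
            key, value = line.split(" = ", 1)
            current[key.strip()] = value.strip()
    return sections

def lint_jwt_config(ini_text: str) -> list:
    """Return a list of problems; an empty list means the JWT settings look sane."""
    cfg, problems = parse_ini(ini_text), []
    handlers = cfg.get("chttpd", {}).get("authentication_handlers", "")
    if "jwt_authentication_handler" not in handlers:
        problems.append("[chttpd] authentication_handlers lacks jwt_authentication_handler")
    rsa_keys = {k: v for k, v in cfg.get("jwt_keys", {}).items() if k.startswith("rsa:")}
    if not rsa_keys:
        problems.append("[jwt_keys] has no rsa:<kid> entry")
    for kid, value in rsa_keys.items():
        if "-----BEGIN PUBLIC KEY-----\\n" not in value or "-----END PUBLIC KEY-----" not in value:
            problems.append(f"[jwt_keys] {kid} is not a one-line PEM with \\n escapes")
    return problems

# Constructed samples (not taken from a real cluster or from the chart's output).
GOOD_INI = r"""
[chttpd]
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
[jwt_keys]
rsa:foo = -----BEGIN PUBLIC KEY-----\nMIIBIjAN...IDAQAB\n-----END PUBLIC KEY-----\n
"""
BAD_INI = """
[couchdb]
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, default_authentication_handler}
[jwt_authentication_handler]
rsa_public_key = /couchdb/couchdb_public_key.pem
"""

if __name__ == "__main__":
    print(lint_jwt_config(GOOD_INI), lint_jwt_config(BAD_INI))
```

A key whose PEM newlines were rendered as real line breaks is also reported, because only its first line ends up as the value of the `rsa:` entry.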