
Use jwt_auth behind an AWS ALB

Open sd65 opened this issue 7 years ago • 1 comment

Hello,

I'm trying to use this plugin to authorize requests behind an AWS ALB. Actually this load-balancer adds an X-Amzn-Oidc-Data header containing a JWT token. Unfortunately, I can't make this work. I think it should work because you mention "Google Cloud IAP signed headers", which works exactly the same.

One cannot access the JWT secret, or what you call signature_key. The best AWS ALB can provide (as GCP IAP) is public keys for the kid (see here). Like:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2/rLhXWkZ29iaHCXiRNzy8MPN1x
NCrp0UZX4cxhj+A20bvViURRiyOtbBv+ah98xy6npBY5ibt0jg9WDZoKoA==
-----END PUBLIC KEY-----

Is this supposed to work? If yes, how? Thanks in advance.

sd65, Aug 27 '18 12:08

Hi @sd65, currently this is a missing capability of the JWT connector. The good news is that if you are familiar with the Java crypto API you don't need Elasticsearch or ROR specific knowledge to add it.

I personally gave it a shot one day, couldn't find how to do it in an hour, so I preempted to other priorities of the project.

Would you evaluate the opportunity to create a PR for extending the JWT rule? Now that I think about it, we could take inspiration from the AWS Java SDK and see how they create the JWT. Relevant code bit:

https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/blob/master/core/src/main/java/tech/beshu/ror/acl/blocks/rules/impl/JwtAuthSyncRule.java#L86

/cc @elaPa & Alessandro :-)

sscarduzio, Aug 28 '18 15:08