JWT settings not working

[vd2org]

Broken JWT settings in *.ini file.

Description

I'm trying to config couch to accept different hmac-keys depended on their names but it not work as described in documentation. Only _default key is accepting and any other is ignoring.

Steps to Reproduce

Add following config options to ini-file:

[chttpd]
authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, jwt_authentication_handler}

[jwt_keys]
; hmac:_default = aGVsbG8= # base64-encoded form of "hello"
hmac:foo = aGVsbG8=

Try to perform request to server with key with sub=foo:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJraWQiOiJobWFjIiwiaWF0IjoxNTkyMTM0OTI1LCJleHAiOjE1OTUxMzQ5MjUsInN1YiI6ImZvbyJ9.tiGzT7VfUY_oIHK-bKUER6hH5sUFoJ4VVpiwR26qTew

Request will be rejected.

Expected Behaviour

Accepted request.

Your Environment

Official Docker image

• CouchDB version used: 3.1
• Operating system and version: Docker under Linux

[PhamMinhNgoc]

it's working with me, i use docker image for this. you can try:

1. i config jwt secret key in file default.ini
   

2. config authentication handler in file path: /opt/couchdb/default.d/*.ini

authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, jwt_authentication_handler}

you can use more than one secret key, if only one, "kid" attribute will indicate the key you use to validate that jwt code is valid or you can use the default key.

hmac: _default = aGVsbG8=
The sub attribute indicates who you are authenticating.

3. restart couchdb and try again.
   Result:
   

my jwt token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEiLCJleHAiOjE1OTI2MTEyMDB9.Y9jNgSeSBl54V2MHg1hXhivyZsdXTeiAVJR2DSlF6LQ

hope help you!

[ronnievsmith]

Did you intend for there to be a space after the hmac:? Seems like it should be hmac:_default?

hmac: _default = aGVsbG8=

I have below configured in etc/default.ini

HS256_default = -----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w...
hmac:mykey = -----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhki...
hmac:_default = -----BEGIN PUBLIC KEY-----\nMIIBIjANBgk...

I keep getting

HTTP/1.1 500

cache-control: must-revalidate
content-length: 63
content-type: application/json
server: CouchDB/3.3.2 (Erlang OTP/24)
x-couch-request-id: b3c74bdfe7
x-couchdb-body-time: 0


{
  "error": "duplicate_checks",
  "reason": "[alg]",
  "ref": 2610099322
}

[vd2org]

Not exactly the same situation. I talked about the sub field and the ability to use more than one JWT secret at a time.

To reproduce my case, you can rename _default paremeter in the config and see what happens.

[PhamMinhNgoc]

in your case, you can use multi scret key and alg (hmac or rsa):
hmac: foo= aGVsbG8=
hmac:bar= aGVsbG8y

and in jwt token, you need set kid attribute"kid":"foo" or "kid":"bar" on header token for using hmac secret key for the corresponding .
example:
token header:

"alg":"HS256"
"kid": "foo"
token payload:
{
"iat": 1592134925,
"exp": 1595134925,
"sub": "replace with your username in your database"
}

[vd2org]

Heh, you're right. I tried to put the kid field in the payload instead of the header.

Fine! It works well now!

Sorry to waste your time and thanks for the help!