JWT RSA Public Key - ERR: while scanning a simple key

Hello,

I am trying to configure JWT based authentication as per the instructions outlined here: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/configuration/

The documentation states that the syntax for the “/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml” file to use an RSA public key is as follows:

jwt_auth_domain:
  ...
    config:
      signing_key: |-
        -----BEGIN PUBLIC KEY-----
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQK...
        -----END PUBLIC KEY-----
      ...

When however I try to run securityadmin.sh, i receive the following error:

ERR: Seems ../securityconfig/config.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.dataformat.yaml.snakeyaml.error.MarkedYAMLException: while scanning a simple key
 in 'reader', line 132, column 1:
    -----BEGIN PUBLI
    ^

My JWT auth configuration in "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml " is as follows:

      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: |-
-----BEGIN PUBLIC KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END PUBLIC KEY-----
            jwt_header: "Authorization"
            jwt_url_parameter: "jwtToken"
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop

To confirm, the:

AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA

is my a redaction of my valid RSA public key for the purposes of this comment. :slight_smile:

When I add a BASE64 encoded secret in lieu of of the RSA key (example below), it takes fine but I need to use RS256.

config:
            signing_key: "secret_key"

Is there an error in my Syntax? I’ve been head scratching for hours but cannot get the config.yml file to take with an RSA key. I tried putting the key on one line with “\n” as line breaks although the error persisted. Any help/advice would be greatly appreciated!

Many thanks :smiley:
Major

Right, So i’ve solved my own issue which was embarrassingly simple :blush:

I’ll share my troubleshooting to resolution for anybody else has this issue:

Turns out my indentation was incorrect in the .yml file. By amending to the following, the securityadmin.sh script completed without error, in the console:

   jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: |-
              -----BEGIN PUBLIC KEY-----
              AAAAAAAAAAAAAAAAAAAAAAAAAAAA
              AAAAAAAAAAAAAAAAAAAAAAAAAAAA
              AAAAAAAAAAAAAAAAAAAAAAAAAAAA
              -----END PUBLIC KEY-----
            jwt_header: "Authorization"
            jwt_url_parameter: "jwtToken"
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop

There was however then an error in the elasticsearch.log file which is:

 Error creating JWT authenticator: io.jsonwebtoken.io.DecodingException: Illegal base64 character: '
'. JWT authentication will not work
io.jsonwebtoken.io.DecodingException: Illegal base64 character: '
'
        at io.jsonwebtoken.io.Base64.ctoi(Base64.java:206) ~[jjwt-api-0.10.5.jar:?]
        at io.jsonwebtoken.io.Base64.decodeFast(Base64.java:255) ~[jjwt-api-0.10.5.jar:?]
        at io.jsonwebtoken.io.Base64Decoder.decode(Base64Decoder.java:21) ~[jjwt-api-0.10.5.jar:?]
        at io.jsonwebtoken.io.Base64Decoder.decode(Base64Decoder.java:8) ~[jjwt-api-0.10.5.jar:?]
        at io.jsonwebtoken.io.ExceptionPropagatingDecoder.decode(ExceptionPropagatingDecoder.java:21) ~[jjwt-api-0.10.5.jar:?]
        at com.amazon.dlic.auth.http.jwt.HTTPJwtAuthenticator.<init>(HTTPJwtAuthenticator.java:76) [opendistro_security_advanced_modules-1.2.0.0.jar:1.2.0.0]
        at jdk.internal.reflect.GeneratedConstructorAccessor66.newInstance(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:259) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:334) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:251) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:60) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:165) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:308) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:297) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:280) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:126) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:58) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at org.elasticsearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:129) [elasticsearch-7.2.0.jar:7.2.0]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:246) [elasticsearch-7.2.0.jar:7.2.0]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:242) [elasticsearch-7.2.0.jar:7.2.0]
        at com.amazon.opendistro.elasticsearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) [opendistro_performance_analyzer-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceivedDecorate(OpenDistroSecuritySSLRequestHandler.java:164) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.transport.OpenDistroSecurityRequestHandler.messageReceivedDecorate(OpenDistroSecurityRequestHandler.java:163) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceived(OpenDistroSecuritySSLRequestHandler.java:86) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin$7$1.messageReceived(OpenDistroSecurityPlugin.java:623) [opendistro_security-1.2.0.0.jar:1.2.0.0]
        at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:63) [elasticsearch-7.2.0.jar:7.2.0]
        at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:703) [elasticsearch-7.2.0.jar:7.2.0]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:758) [elasticsearch-7.2.0.jar:7.2.0]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.2.0.jar:7.2.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:835) [?:?]

I was able to resolve this by removing the line breaks from the cert, for example:

   jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: |-
              -----BEGIN PUBLIC KEY-----
              AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
              -----END PUBLIC KEY-----
            jwt_header: "Authorization"
            jwt_url_parameter: "jwtToken"
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop

Afte making this amendment to the config.yml and rerunning the securityadmin.sh script, JWT authentication is working :smiley: