Stwissel opened a new issue, #5091:
URL: https://github.com/apache/couchdb/issues/5091
## Description
While trying to programmatically set up JWT authentication with a key derived
from a JWKS key, the update using
`PUT /_node/{node-name}/_config/jwt_keys/{key}` fails with an error (see
reproducer) when a valid key is provided, but works for arbitrary strings.
## Steps to Reproduce
The reproducer uses a local container couch with admin/password and no
persistence configured, so it can easily be reproduced repeatedly.
step 1: create temp couchDB instance
```bash
docker run --rm --name testcouch \
  -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password \
  -p 5984:5984 apache/couchdb:latest
```
step 2: create `_users` and `_replicator` to silence the "_users is missing"
warning in the log (works)
```bash
curl --request PUT 'http://localhost:5984/_users' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
curl --request PUT 'http://localhost:5984/_replicator' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
```
both complete with HTTP 201 `{"ok":true}`
step 3: update the authentication methods
```bash
curl --request PUT \
  'http://localhost:5984/_node/_local/_config/chttpd/authentication_handlers' \
  --header 'Content-Type: text/plain' \
  --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
  --data '"{chttpd_auth, cookie_authentication_handler}, {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, default_authentication_handler}"'
```
Ends with HTTP **200** and `""` (seems to be the old value)
step 4a: check current jwt_keys configuration
```bash
curl 'http://localhost:5984/_node/nonode@nohost/_config/jwt_keys' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
```
Ends with HTTP 200 and `{}` (as expected)
step 4b: add JWT key (that one fails)
```bash
curl --request PUT \
  'http://localhost:5984/_node/nonode@nohost/_config/jwt_keys/rsa:S1-oBDEUlMfN-FP5EeG6UcaKdeCs01_dx5AIw-SogiQ' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ=' \
  --data '"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9SJFyVWvBonL3K+giuzeQ4Vp1bH9ftu\nzjrtLMMBUWESQEMXsml7s58/8UOWQ40j71eu+63sLvCnLhcP9jmKI8vwofkMo91ulZn2ntKTsawJ\nmnrR7k1W5okbLlnwYq1KN3SRcjeHYa3JruoDmHHW9dO5dAGu09ookgWxYr2K1jXT1+L1NFOfBXqs\njFqr3a+ArMOg5POcg9I6lI9kmi8aOJgTfRydJbuUC8vtgc7rdHY4g7IdGlOM+LWdor23P16vzfVK\nGNDNbi072S0vzkt+Q/WLb9UuQi64wB3LxVLDfUKNg2OGJ6/ju1bZX+Fo02hG6lkMa2BO3CwmirGR\nLiWb4wIDAQAB\n-----END PUBLIC KEY-----\n"'
```
Ends with HTTP 400, `{"error":"bad_request","reason":"Invalid configuration value"}`
and no entry in `jwt_keys` created
## Expected Behaviour
End with HTTP 20x and creation of the jwt_keys entry:
```bash
curl 'http://localhost:5984/_node/nonode@nohost/_config/jwt_keys' \
--header 'Authorization: Basic YWRtaW46cGFzc3dvcmQ='
```
to result in
```json
{
  "rsa:S1-oBDEUlMfN-FP5EeG6UcaKdeCs01_dx5AIw-SogiQ": "-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9SJFyVWvBonL3K+giuz\\neQ4Vp1bH9ftuzjrtLMMBUWESQEMXsml7s58/8UOWQ40j71eu+63sLvCnLhcP9jmK\\nI8vwofkMo91ulZn2ntKTsawJmnrR7k1W5okbLlnwYq1KN3SRcjeHYa3JruoDmHHW\\n9dO5dAGu09ookgWxYr2K1jXT1+L1NFOfBXqsjFqr3a+ArMOg5POcg9I6lI9kmi8a\\nOJgTfRydJbuUC8vtgc7rdHY4g7IdGlOM+LWdor23P16vzfVKGNDNbi072S0vzkt+\\nQ/WLb9UuQi64wB3LxVLDfUKNg2OGJ6/ju1bZX+Fo02hG6lkMa2BO3CwmirGRLiWb\\n4wIDAQAB\\n-----END PUBLIC KEY-----\\n"
}
```
## Additional tests conducted
- PUT an arbitrary string as body -> gets accepted (but is useless for JWT)
- tried the key `rsa:_default` -> same error 400
- manually edit `/opt/couchdb/etc/local.d`
```bash
cat << EOF > jwt.ini
[chttpd]
authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, default_authentication_handler}
[jwt_keys]
rsa:S1-oBDEUlMfN-FP5EeG6UcaKdeCs01_dx5AIw-SogiQ = -----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9SJFyVWvBonL3K+giuz\neQ4Vp1bH9ftuzjrtLMMBUWESQEMXsml7s58/8UOWQ40j71eu+63sLvCnLhcP9jmK\nI8vwofkMo91ulZn2ntKTsawJmnrR7k1W5okbLlnwYq1KN3SRcjeHYa3JruoDmHHW\n9dO5dAGu09ookgWxYr2K1jXT1+L1NFOfBXqsjFqr3a+ArMOg5POcg9I6lI9kmi8a\nOJgTfRydJbuUC8vtgc7rdHY4g7IdGlOM+LWdor23P16vzfVKGNDNbi072S0vzkt+\nQ/WLb9UuQi64wB3LxVLDfUKNg2OGJ6/ju1bZX+Fo02hG6lkMa2BO3CwmirGRLiWb\n4wIDAQAB\n-----END PUBLIC KEY-----\n
EOF
```
then restart CouchDB; JWT auth works like a charm
## Your Environment
- Couch in a docker container on current macOS
- Chrome, current version
```json
{
"couchdb": "Welcome",
"version": "3.3.3",
"git_sha": "40afbcfc7",
"uuid": "0882075ae09fe0a7a70fb7c6c4a1f01e",
"features": [
"access-ready",
"partitioned",
"pluggable-storage-engines",
"reshard",
"scheduler"
],
"vendor": {
"name": "The Apache Software Foundation"
}
}
```
## Additional Context
The public key is derived from a JWKS entry [found
here](https://frascati.projectkeep.io/.well-known/jwks.json) and converted
using [this project](https://github.com/beyonddemise/couchdb-idp-updater), with
the goal of allowing automatic updates when IdP keys change.
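Added example, not code from the issue or from the couchdb-idp-updater project: a dependency-free Python conversion of a JWKS RSA entry (`kty`, `kid`, `n`, `e` as in RFC 7517/7518) into the `BEGIN PUBLIC KEY` PEM the issue sends, plus the `rsa:<kid>` config key and the JSON-string request body for `PUT /_node/{node}/_config/jwt_keys/{key}`. The sample JWK is constructed with a tiny modulus so it runs offline; it is not a usable key.

```python
import base64
import json

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
DER_NULL = b"\x05\x00"

def _b64url_to_int(s: str) -> int:
    """Decode a JWK base64url big-endian unsigned integer (RFC 7518 section 6.3)."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload

def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # a leading zero keeps the DER INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

def jwk_to_pem(jwk: dict) -> str:
    """SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY') from an RSA JWK's n and e."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA JWKs are handled here")
    rsa_pub = _der(0x30, _der_int(_b64url_to_int(jwk["n"])) + _der_int(_b64url_to_int(jwk["e"])))
    alg_id = _der(0x30, RSA_OID + DER_NULL)
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING with 0 unused bits
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM framing and decode; used to check jwk_to_pem's output."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def couchdb_jwt_key_entry(jwk: dict) -> tuple[str, str]:
    """Config key (the issue's rsa:<kid> form) and JSON request body for
    PUT /_node/{node}/_config/jwt_keys/{key}; json.dumps turns each PEM
    newline into the two characters \\n, as in the issue's curl call."""
    return f"rsa:{jwk['kid']}", json.dumps(jwk_to_pem(jwk))

# Constructed sample JWK with a tiny modulus (not a real key) so this runs offline.
SAMPLE_JWK = {"kty": "RSA", "kid": "example-kid", "n": "wP_u", "e": "AQAB"}
```

Feeding the returned key and body to the issue's step 4b curl call (or the ini form from the local.d test) reproduces the request exactly, which makes it easy to compare what the HTTP API rejects against what the ini file accepts.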