After unlocking JWT tokens on restHeart, I cannot access resources.
Expected behavior
I don't know if I understand the operation of JWT tokens on restHeart correctly. But here's the thing: I have a certain collection and I have the ability to view its values through restHeart. I want that after enabling JWT tokens, only authenticated people can view the contents.
Current behavior
Querying this collection with Postman, adding Authorization -> JWT Bearer Token to the query:

```json
{
  "usernameClaim": "sub",
  "roles": ["admin"],
  "issuer": "myIssuer",
  "audience": "myAudience"
}
```

403 - prohibited; if I select /tokens I get 401
Context
Token authorization during the query (possibly how to do token assignment, but how to do it)
I have a database, and in it userList collections. I want the TokenJWT to be assigned after successful authentication, and access to further resources. I initially wrote myself a server in express.js (with endpoints: /login, /auth, but I don't know if it could be done with just restHeart). I don't know what the generated token on my express server should look like so that it gives me the right to browse resources in restHeart. I don't fully understand the configuration of this jwtAuthenticationMechanism, specifically these values:

```yaml
usernameClaim: sub
rolesClaim: roles
fixedRoles:
# - admin
issuer: myIssuer
audience: myAudience
```

Mainly: usernameClaim and rolesClaim. Are these optional values? I don't see these properties in the JWT documentation. Are these values validated in any way? Do they just have to be? If my problem is simple, then I apologize. I'm new to RestHeart and I don't really understand the documentation there.
Environment
RESTHeart: 6.3
MongoDB: 4.418
Linux Ubuntu 22.04

```yaml
.jwtAuthenticationMechanism:
  enabled: true
  algorithm: HS256
  key: jwt_secret_key
  base64Encoded: false
  usernameClaim: sub
  rolesClaim: roles
  fixedRoles:
  # - admin
  issuer: myIssuer
  audience: myAudience
```
(same answer on related github issue https://github.com/SoftInstigate/restheart/issues/492 that also contains instructions on how to issue JWTs with RESTHeart)
Your JWT is wrong, it does not contain the `sub` claim and the issuer claim should be `iss`. See more on claims at https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims
Should be something like:
You can generate a valid JWT at jwto.io
example (with HS256 and key `jwt_secret_key`):

Here is a test:
create a conf override file called conf.yml (please set `audience: null` since I found a bug in the configuration parser, will be fixed in 7.6.4)

run RESTHeart with:
And the request (I use httpie here) is authenticated (and authorized due to the role `admin`)!