JWT in RestHeart


After unlocking JWT tokens on restHeart, I cannot access resources.

Expected behavior

I don't know if I understand the operation of JWT tokens on restHeart correctly. But here's the thing: I have a certain collection and I have the ability to view its values through restHeart. I want that after enabling JWT tokens, only authenticated people can view the contents.

Current behavior

Querying this collection via Postman, adding Authorization -> JWT Bearer Token to the request:

{
  "usernameClaim" : "sub",
  "roles": ["admin" ],
  "issuer": "myIssuer",
  "audience": "myAudience"
}

403 Forbidden; if I select /tokens I get 401.

Context

Token authorization during the query (possibly how to do token assignment, but how to do it)

I have a database, and in it a userList collection. I want the JWT token to be assigned after successful authentication, and then access to further resources. I initially wrote myself a server in express.js (with endpoints /login and /auth), but I don't know if it could be done with just restHeart. I don't know what the token generated on my express server should look like so that it gives me the right to browse resources in restHeart. I don't fully understand the configuration of this jwtAuthenticationMechanism, specifically these values:

usernameClaim: sub
rolesClaim: roles
fixedRoles:
# - admin
issuer: myIssuer
audience: myAudience

Mainly: usernameClaim and rolesClaim. Are these optional values? I don't see these properties in the JWT documentation. Are these values ​​validated in any way? Do they just have to be? If my problem is simple, then I apologize. I'm new to RestHeart and I don't really understand the documentation there.

Environment

RESTHeart: 6.3
MongoDB: 4.418
Linux Ubuntu 22.04

jwtAuthenticationMechanism:
    enabled: true
    algorithm: HS256
    key: jwt_secret_key
    base64Encoded: false     
    usernameClaim: sub
    rolesClaim: roles
    fixedRoles:
# - admin
    issuer: myIssuer
    audience: myAudience

There is 1 answer

Andrea Di Cesare On

(same answer on related github issue https://github.com/SoftInstigate/restheart/issues/492 that also contains instructions on how to issue JWTs with RESTHeart)

Your JWT is wrong: it does not contain the sub claim, and the issuer claim should be iss:

sub (subject): Subject of the JWT (the user)

See more on claims at https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims

Should be something like:

{
  "sub" : "foo",
  "roles": ["admin"],
  "iss": "myIssuer"
}

You can generate a valid JWT at jwt.io

example (with HS256 and key jwt_secret_key):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb28iLCJyb2xlcyI6WyJhZG1pbiJdLCJpc3MiOiJteUlzc3VlciJ9.l9gjP47grnMQSEpqcTb0HzD4XoSr3spErwJb9Alx9EI

Here is a test:

create a conf override file called conf.yml

(please set audience: null since I found a bug in the configuration parser, will be fixed in 7.6.4)

/jwtAuthenticationMechanism:
  enabled: true
  algorithm: HS256
  key: jwt_secret_key
  base64Encoded: false
  usernameClaim: sub
  rolesClaim: roles
  fixedRoles:
    # - manager
  issuer: myIssuer
  audience: null

run RESTHeart with:

$ java -jar restheart.jar -o conf.yml

And the request (I use httpie here) is authenticated (and authorized due to the role admin)!

$ http :8080/coll/_size Authorization:"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb28iLCJyb2xlcyI6WyJhZG1pbiJdLCJpc3MiOiJteUlzc3VlciJ9.l9gjP47grnMQSEpqcTb0HzD4XoSr3spErwJb9Alx9EI"

HTTP/1.1 200 OK

{
    "_size": 11415
}
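The following is an added example, not code from the question, the answer or RESTHeart itself. It mints the HS256 token the answer describes (same header, same claims, same key) with only the Python standard library, then applies the claim checks that the conf.yml above names (usernameClaim, rolesClaim, issuer, audience) to show why the asker's original body, which carried claim names instead of claim values, yields no username. The check order and error messages are an assumed simplification for illustration, not the mechanism's real implementation.

```python
import base64
import hashlib
import hmac
import json

KEY = b"jwt_secret_key"  # the key from the answer's conf.yml
GOOD_CLAIMS = {"sub": "foo", "roles": ["admin"], "iss": "myIssuer"}  # the answer's payload
# The asker's original body: claim *names* as keys, so there is no "sub" value to map to a user.
BAD_CLAIMS = {"usernameClaim": "sub", "roles": ["admin"], "issuer": "myIssuer", "audience": "myAudience"}
# Mirrors the answer's conf.yml (audience: null means "do not check aud"); assumed semantics.
CONF = {"usernameClaim": "sub", "rolesClaim": "roles", "issuer": "myIssuer", "audience": None}


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")  # no whitespace, like jwt.io


def mint_hs256(claims: dict, key: bytes) -> str:
    """header.payload.HMAC-SHA256(header.payload) -- the format the answer's token uses."""
    signing_input = f"{b64url(_compact({'alg': 'HS256', 'typ': 'JWT'}))}.{b64url(_compact(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim; reject tokens whose alg is not HS256."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def authenticate(token: str, key: bytes, conf: dict):
    """Map verified claims to (username, roles) using the configured claim names (assumed logic)."""
    claims = verify_hs256(token, key)
    if conf["issuer"] is not None and claims.get("iss") != conf["issuer"]:
        raise ValueError("issuer mismatch")
    if conf["audience"] is not None and claims.get("aud") != conf["audience"]:
        raise ValueError("audience mismatch")
    username = claims.get(conf["usernameClaim"])
    if not username:
        raise ValueError(f"missing {conf['usernameClaim']} claim")  # the asker's unauthenticated case
    return username, list(claims.get(conf["rolesClaim"], []))
```

The header and payload segments of mint_hs256(GOOD_CLAIMS, KEY) are the same two segments that appear in the answer's token; authenticate() accepts it as user foo with role admin and rejects BAD_CLAIMS because no sub value is present.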