JWT Realm configuration for Elasticsearch REST APIs authentication

asimelastic · May 31, 2023, 9:36am

I am new to Elasticsearch JWT Realm configuration.

I am using trail version of Elasticsearch 8.7.1. I am configuring JWT Realm as follows in elasticsearch.yml

xpack.security.authc.realms.jwt.jwt1:
order: 1
token_type: access_token
client_authentication.type: shared_secret
allowed_issuer: "issuer"
allowed_subjects: [ "subject" ]
allowed_audiences: [ "elasticsearch" ]
required_claims:
token_use: access
version: ["1.0", "2.0"]
allowed_signature_algorithms: [RS256,HS256]
pkc_jwkset_path: ../config/secretkey.json
fallback_claims.sub: client_id
fallback_claims.aud: scope
claims.principal: sub

I am setting up shared secret using below command:
bin/elasticsearch-keystore add xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret

Also saving HMAC keys using below command:
bin/elasticsearch-keystore add-file xpack.security.authc.realms.jwt.jwt1.hmac_jwkset

Content of my json file are as below:

{
"keys": [
{
"kty": "oct",
"use": "sig",
"kid": "0mwcVHMGsUCu8znizJR4jqD00OD6uNo27447s2Zj1Ss",
"k": "mry7QjXVIv13EUefZEdigdRFS2C8t5F1WTntaprvvS7JuHaulIsx5aPjgz9yFTYmftBAox8SkjR3E6FH8h9yIPaUEW8TI6U_Cknlvs9m9ecvpLBFzTWKofm5x9zihefNutQihjLvTKx-81JZYbsgvLwTJBwy0fBQ9I1aglj05ldQS2QS5D8xKSw4wZUKH9RmFo1JW7CnrkCkYeiOVq6fNgzML_8Kkje2xe3IBWsjef8MmbTrLi_Bs7VR9xmtX-z4KsQdYbBVPiP6N-_NGdNh2bzsPIqi3cnlc9uQhj-xgGqlCaJFI9hm1zM_f-fYUV40nG1T5HJc8B794OtxrBpMOA",
"alg": "HS256"
}
]
}

My question is after configuring JWT realm as mentioned above, now how and from where I can get JWT Token?

asimelastic · June 1, 2023, 11:38am

Anyone have any thoughts about this, thanks in advance.

TimV · June 3, 2023, 9:00am

The Elasticsearch JWT realm supports authenticating using JWTs generated by an external issuer. It doesn't not generate JWTs for you.

It is intended for use when you have an existing component in your infrastructure that issues JWT tokens to either users or services, and you want Elasticsearch to be able to authenticate using those JWTs rather than passwords (or any other credential).

asimelastic · June 5, 2023, 11:30am

@TimV Thank you so much.

One more question. Do Elasticsearch Basic License support JWT Realms?

Christian_Dahlqvist · June 5, 2023, 11:35am

The best place to consult around license level cover is the subscriptions page. According to this JWT is not supported with the Basic level license.

system · July 3, 2023, 11:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.