
Support at+jwt Types in JWT Realm #119370

Open
ChrisSamo632 opened this issue Dec 30, 2024 · 1 comment
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@ChrisSamo632

Description

Some JWT providers (e.g. logto.io) only provide Access Token JWTs with a typ of at+jwt, but Elasticsearch currently only supports JWT types of JWT in the JWT Realm for authentication.

Attempting to connect with such Access Token JWTs in Elasticsearch results in:

Caused by java.lang.IllegalArgumentException: invalid jwt typ header; Caused by com.nimbusds.jose.proc.BadJOSEException: JOSE header typ (type) at+jwt not allowed

It may be that a custom JWT Decoder needs to be included in a SecurityFilterChain (or similar, depending upon how Elasticsearch implements such security), similar to the approach suggested for Spring applications in https://github.com/logto-io/logto/blob/master/packages/console/src/assets/docs/guides/api-spring-boot/README.mdx
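The error quoted above comes from an allowlist check on the JOSE typ header. The following is an added example (not Elasticsearch's or Nimbus JOSE+JWT's code) that models such a check in Python: a strict JWT-only policy reproduces the rejection of at+jwt, while a policy that names the RFC 9068 access-token type accepts it. The tokens it builds are constructed placeholders with a dummy signature, used for header inspection only; the policy names JWT_ONLY, ACCESS_TOKEN_ONLY and BOTH are this example's own.

```python
import base64
import json

# Constructed example of a JOSE "typ" allowlist check, modelled on the kind of
# verifier that yields "JOSE header typ (type) at+jwt not allowed". Policy
# names below are assumptions of this example, not realm settings.
JWT_ONLY = frozenset({"JWT"})              # the behaviour the issue describes today
ACCESS_TOKEN_ONLY = frozenset({"at+jwt"})  # RFC 9068 JWT access tokens
BOTH = frozenset({"JWT", "at+jwt"})        # accept either type


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Compact serialisation strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_placeholder_token(header: dict) -> str:
    """Build a three-segment compact JWS with a dummy payload and a
    placeholder signature (constructed; not a signed or usable token)."""
    payload = {"iss": "https://issuer.example", "sub": "alice"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def parse_jose_header(token: str) -> dict:
    """Decode only the JOSE header of a compact JWS; nothing else is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def verify_typ(header: dict, allowed: frozenset) -> str:
    """Allowlist check on the typ header.

    Comparison is case-insensitive, as RFC 7515 section 4.1.9 specifies for
    typ. A missing typ is rejected; that is this example's strict choice,
    matching RFC 9068's requirement that access tokens carry typ at+jwt.
    """
    typ = header.get("typ")
    if not isinstance(typ, str):
        raise ValueError("JOSE header typ (type) missing")
    if typ.lower() not in {a.lower() for a in allowed}:
        raise ValueError(f"JOSE header typ (type) {typ} not allowed")
    return typ


def check_token_type(token: str, allowed: frozenset) -> tuple:
    """Header-level gate only: returns (True, typ) or (False, reason).
    Signature and claim validation must still follow; an accepted typ says
    nothing about who issued the token or whether it is still valid."""
    try:
        return True, verify_typ(parse_jose_header(token), allowed)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    access = make_placeholder_token({"alg": "RS256", "typ": "at+jwt", "kid": "k1"})
    for name, policy in (("JWT only", JWT_ONLY),
                         ("at+jwt only", ACCESS_TOKEN_ONLY),
                         ("both", BOTH)):
        print(name, check_token_type(access, policy))
```

The typ check is what keeps token kinds apart: a resource server that expects RFC 9068 access tokens and accepts only at+jwt will not take an ID token (typ JWT) in their place, and vice versa. Widening the allowlist to both values, as a realm supporting at+jwt might do, therefore deserves the same scrutiny as any other loosening of an authentication gate.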

@ChrisSamo632 ChrisSamo632 added >enhancement needs:triage Requires assignment of a team area label labels Dec 30, 2024
@ChrisSamo632 ChrisSamo632 changed the title Support at+jwt Types in JWT Realm Support at+jwt Types in JWT Realm Dec 30, 2024
@tvernum tvernum added :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) and removed needs:triage Requires assignment of a team area label labels Dec 31, 2024
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Dec 31, 2024
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)
