Cannot get custom JWT authentication to work #3185

mvilrokx · 2023-01-12T04:19:11Z

mvilrokx
Jan 12, 2023

Is the issue already present in https://github.com/cloudera/hue/issues or discussed in the forum https://discourse.gethue.com?
No

Describe the bug:
I am trying to get the custom JWT Authentication to work but I just cannot get it working.

I am using the Docker Guide and have configured my hue.ini file as per that guide, this is the relevant part:

  [[auth]]
    [[[jwt]]]
      is_enabled=true
      key_server_url=https://sso.common.cloud.hpe.com/pf/JWKS
      issuer=https://qa-sso.ccs.arubathena.com
      audience=triton-lite-user-auth

I can successfully start the docker containers (docker-compose up -d --build) and I can see in the Hue UI that this configuration is picked up by the application.

However, every time I try to call an API with a valid JWT the API returns an error, e.g.:

curl --location --request GET 'http://0.0.0.0:8888/api/connector/instances' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlRFak8tZEJPbThxUDlqRUlxdVE5aXVKX09HTSIsInBpLmF0bSI6IjFmN28ifQ.eyJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiY2xpZW50X2lkIjoicGF2by11c2VyLWF1dGgiLCJpc3MiOiJodHRwczovL3Nzby5jb21tb24uY2xvdWQuaHBlLmNvbSIsImF1ZCI6ImF1ZCIsImxhc3ROYW1lIjoiVmlscm9reCIsInN1YiI6Im1hcmsudmlscm9reEBocGUuY29tIiwiYXV0aF9zb3VyY2UiOiJocGUiLCJnaXZlbk5hbWUiOiJNYXJrIiwiaWF0IjoxNjczMzg5OTQ0LCJleHAiOjE2NzMzOTcxNDR9.LnmHYCSQ8_njRn7YUrRI8pQX3dzoaQInH2zsSbfWn3ws2Ax3Nc8x1tKdAD45_N8tBpl8txbsShTnyAi7dU375B96m8UIn5rn4dTeWblRU0LEWyWhD72U0h2lUUoI3WKXnlYxW1ErlVd2hfhTtaOGb_SNBq7D4G5ETk9AdXSfm-0O6Jc0UiIV6389rWRZbmhFJ5FaWW-ZRIEAgSqo3D4pge7_AtgBxjcsdL5ySuVaps5J1omv0ZeXOad_cLa5MlBlDEKGFfbMXbxEBTfnomBK4ZmPLcSn96vkiseMtN-vwEtLRZPPHAlVFnI8pEbYe81wlOOZYewMfjWzo-8eSTBVfg' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'statement=SHOW TABLES'

{
"traceback": "  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/django/core/handlers/exception.py\", line 47, in inner\n    response = get_response(request)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/django/core/handlers/base.py\", line 181, in _get_response\n    response = wrapped_callback(request, *callback_args, **callback_kwargs)\n\n  File \"/usr/lib/python3.8/contextlib.py\", line 75, in inner\n    return func(*args, **kwds)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/django/views/decorators/csrf.py\", line 54, in wrapped_view\n    return view_func(*args, **kwargs)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/django/views/generic/base.py\", line 70, in view\n    return self.dispatch(request, *args, **kwargs)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py\", line 509, in dispatch\n    response = self.handle_exception(exc)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py\", line 469, in handle_exception\n    self.raise_uncaught_exception(exc)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py\", line 480, in raise_uncaught_exception\n    raise exc\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py\", line 497, in dispatch\n    self.initial(request, *args, **kwargs)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py\", line 414, in initial\n    self.perform_authentication(request)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py\", line 324, in perform_authentication\n    request.user\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py\", line 227, in user\n    self._authenticate()\n\n  File \"/usr/lib/python3.8/contextlib.py\", line 131, in __exit__\n    self.gen.throw(type, value, traceback)\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py\", line 78, in wrap_attributeerrors\n    raise exc.with_traceback(info[2])\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py\", line 74, in wrap_attributeerrors\n    yield\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py\", line 227, in user\n    self._authenticate()\n\n  File \"/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py\", line 380, in _authenticate\n    user_auth_tuple = authenticator.authenticate(self)\n\n  File \"/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py\", line 58, in authenticate\n    public_key_pem = self._handle_public_key(access_token)\n\n  File \"/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py\", line 122, in _handle_public_key\n    public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk[\"keys\"][0])).public_key()\n"
}

And I can see the following in the docker compose logs:

hue             | [11/Jan/2023 20:11:43 -0800] middleware   WARNING  request.fs was not set for anonymous user
hue             | [11/Jan/2023 20:11:43 -0800] middleware   INFO     Processing exception: '_RSAPublicKey' object has no attribute 'public_key': Traceback (most recent call last):
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 74, in wrap_attributeerrors
hue             |     yield
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
hue             |     self._authenticate()
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 380, in _authenticate
hue             |     user_auth_tuple = authenticator.authenticate(self)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 58, in authenticate
hue             |     public_key_pem = self._handle_public_key(access_token)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 122, in _handle_public_key
hue             |     public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk["keys"][0])).public_key()
hue             | AttributeError: '_RSAPublicKey' object has no attribute 'public_key'
hue             |
hue             | During handling of the above exception, another exception occurred:
hue             |
hue             | Traceback (most recent call last):
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
hue             |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
hue             |   File "/usr/lib/python3.8/contextlib.py", line 75, in inner
hue             |     return func(*args, **kwds)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
hue             |     return view_func(*args, **kwargs)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/views/generic/base.py", line 70, in view
hue             |     return self.dispatch(request, *args, **kwargs)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
hue             |     response = self.handle_exception(exc)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 469, in handle_exception
hue             |     self.raise_uncaught_exception(exc)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
hue             |     raise exc
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 497, in dispatch
hue             |     self.initial(request, *args, **kwargs)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 414, in initial
hue             |     self.perform_authentication(request)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 324, in perform_authentication
hue             |     request.user
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
hue             |     self._authenticate()
hue             |   File "/usr/lib/python3.8/contextlib.py", line 131, in __exit__
hue             |     self.gen.throw(type, value, traceback)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 78, in wrap_attributeerrors
hue             |     raise exc.with_traceback(info[2])
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 74, in wrap_attributeerrors
hue             |     yield
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
hue             |     self._authenticate()
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 380, in _authenticate
hue             |     user_auth_tuple = authenticator.authenticate(self)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 58, in authenticate
hue             |     public_key_pem = self._handle_public_key(access_token)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 122, in _handle_public_key
hue             |     public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk["keys"][0])).public_key()
hue             | rest_framework.request.WrappedAttributeError: '_RSAPublicKey' object has no attribute 'public_key'
hue             |
hue             | [11/Jan/2023 20:11:43 -0800] log          INFO     OK: /api/connector/instances
hue             | Traceback (most recent call last):
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 74, in wrap_attributeerrors
hue             |     yield
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
hue             |     self._authenticate()
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 380, in _authenticate
hue             |     user_auth_tuple = authenticator.authenticate(self)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 58, in authenticate
hue             |     public_key_pem = self._handle_public_key(access_token)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 122, in _handle_public_key
hue             |     public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk["keys"][0])).public_key()
hue             | AttributeError: '_RSAPublicKey' object has no attribute 'public_key'
hue             |
hue             | During handling of the above exception, another exception occurred:
hue             |
hue             | Traceback (most recent call last):
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
hue             |     response = get_response(request)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
hue             |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
hue             |   File "/usr/lib/python3.8/contextlib.py", line 75, in inner
hue             |     return func(*args, **kwds)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
hue             |     return view_func(*args, **kwargs)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/django/views/generic/base.py", line 70, in view
hue             |     return self.dispatch(request, *args, **kwargs)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
hue             |     response = self.handle_exception(exc)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 469, in handle_exception
hue             |     self.raise_uncaught_exception(exc)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
hue             |     raise exc
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 497, in dispatch
hue             |     self.initial(request, *args, **kwargs)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 414, in initial
hue             |     self.perform_authentication(request)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/views.py", line 324, in perform_authentication
hue             |     request.user
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
hue             |     self._authenticate()
hue             |   File "/usr/lib/python3.8/contextlib.py", line 131, in __exit__
hue             |     self.gen.throw(type, value, traceback)
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 78, in wrap_attributeerrors
hue             |     raise exc.with_traceback(info[2])
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 74, in wrap_attributeerrors
hue             |     yield
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 227, in user
hue             |     self._authenticate()
hue             |   File "/usr/share/hue/build/env/lib/python3.8/site-packages/rest_framework/request.py", line 380, in _authenticate
hue             |     user_auth_tuple = authenticator.authenticate(self)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 58, in authenticate
hue             |     public_key_pem = self._handle_public_key(access_token)
hue             |   File "/usr/share/hue/desktop/core/src/desktop/auth/api_authentications.py", line 122, in _handle_public_key
hue             |     public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk["keys"][0])).public_key()
hue             | rest_framework.request.WrappedAttributeError: '_RSAPublicKey' object has no attribute 'public_key'
hue             | [11/Jan/2023 20:11:43 -0800] access       INFO     172.31.0.1 -anon- - "GET /api/connector/instances HTTP/1.1" returned in 284ms 200 2979
hue             | [11/Jan/2023 20:11:43 -0800] access       INFO     172.31.0.1 -anon- - "GET /api/connector/instances HTTP/1.1" returned in 284ms 200 2979
hue             | 172.31.0.1 - - [11/Jan/2023:20:11:43 -0800] "GET /api/connector/instances HTTP/1.1" 200 2979 "-" "PostmanRuntime/7.30.0"

Steps to reproduce it?

Clone this repo
cd tools/docker/hue
create hue.ini (copy from /tools/docker/hue/conf/z-hue-overrides.ini) and add the [[auth]] section as per above
docker-compose up -d --build
call one of the Hue APIs, passing in a JWT as a Bearer Token in the Authorization Header (See curl example above).

Hue version or source? (e.g. open source 4.5, CDH 5.16, CDP 1.0...). System info (e.g. OS, Browser...).
Hue Version 4.10.0
MacOS Ventura 13.1
Chrome Version 108.0.5359.124 (Official Build) (arm64)

Answered by Harshg999

Jan 20, 2023

@mvilrokx It is not working because the the Key-Set your key server is sending is different for how it is implemented to receive one (the key server for which the implementation was done send it in some different way which was not trivial).

But the JWT handling flow is the same:

- Your web service sends the JWT as bearer token in request headers of the API called.
- Custom auth in Hue first fetches the public key from the auth server and then using it, decodes the JWT to extract the user information.
- To access external services like Impala etc. via Hue, the JWT is further passed on to Impala for it to decode and let your external web service access Impala via Hue seamlessly.

Because of…

View full answer

mvilrokx · 2023-01-12T04:28:54Z

mvilrokx
Jan 12, 2023
Author

I'm confused about a few things (note I am not a Python expert) on the line that seems to cause a problem public_key = jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk["keys"][0])).public_key():

It seems to pick the first key from the Key Set, but that is not necessarily the correct key. Normally, you retrieve all the keys in the Key Set and you find the one that has the right kid and that is the one you pick. I can also see that when you GET the Key Set (response = requests.get(AUTH.JWT.KEY_SERVER_URL.get(), headers=headers), a header is passed with the kid of the JWT (from the JWT Header), but I don't understand what that is suppose to achieve. The JKU end point does not use that header, it just returns the Key Set.
The def from_jwk already calls public_key() on the value it returns, so why does it have to get called again on this line?

0 replies

bjornalm · 2023-01-17T11:38:19Z

bjornalm
Jan 17, 2023
Collaborator

Hi @mvilrokx, thanks for reaching out.

@Harshg999 do you have any insight on this part of the code?

0 replies

Harshg999 · 2023-01-17T18:52:38Z

Harshg999
Jan 17, 2023
Collaborator

Hey @mvilrokx, thanks for the detailed description of the issue! Your observations are correct.

For the custom JWT auth backend, the implementation reflects the requirements we had at the time of developing this feature.

However, Hue is open-source and we can't support all the use-cases with the external key servers other users might have, so we gave an option to add your own JWT auth backend implementation as per different scenarios.

I think for your use-case, you need to change how the key server is sending the Key Set and extracting the public key for decoding the JWT.

Docs: https://docs.gethue.com/developer/api/rest/#custom-jwt-authentication
Blog: https://gethue.com/blog/2021-09-14-sso-for-rest-apis-with-your-custom-jwt-authentication/

0 replies

mvilrokx · 2023-01-17T21:04:07Z

mvilrokx
Jan 17, 2023
Author

Thank you for the response @Harshg999, I'm still slightly confused:

I am actually doing exactly what the documentation you are pointing to is mentioning, i.e. I have configured Hue as per the documentation you shared (https://docs.gethue.com/developer/api/rest/#custom-jwt-authentication) and it is pointing to my own key_server_url. My point is that this is not working, and I can't think of a scenario where it would work. A Key Server almost never returns just 1 Key (hence why it is called Key Set). And even if it would, it seems that the call to public_key() would always fails. I think I also noticed that there is actually no test for this path in the repo, only for the private key scenario.

0 replies

Harshg999 · 2023-01-20T08:06:13Z

Harshg999
Jan 20, 2023
Collaborator

@mvilrokx It is not working because the the Key-Set your key server is sending is different for how it is implemented to receive one (the key server for which the implementation was done send it in some different way which was not trivial).

But the JWT handling flow is the same:

- Your web service sends the JWT as bearer token in request headers of the API called.
- Custom auth in Hue first fetches the public key from the auth server and then using it, decodes the JWT to extract the user information.
- To access external services like Impala etc. via Hue, the JWT is further passed on to Impala for it to decode and let your external web service access Impala via Hue seamlessly.

Because of this issue (that it is not possible to support all key server or different algorithms requirements), there is a config to mention your own custom auth backend which can work for your key server.

In short, I think there are 2 ways in which you can solve this scenario:

1 - In api_authentications.py, you can modify the the _handle_public_key to fetch the public key correctly from key set your key server is sending.

2 - Or you can write your own auth backend in api_authentications.py file, just like class JwtAuthentication(authentication.BaseAuthentication): or class DummyCustomAuthentication(authentication.BaseAuthentication): which will support your JWT handling usecase and user authentication.

And then, add the new auth backend in the config (comma separated and in order of priority if multiple auth backends present):

[desktop]
[[auth]]
api_auth=<new_auth_backend>

This way, JWT handling will be picked up but the newly created auth backend.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cannot get custom JWT authentication to work #3185

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 5 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Cannot get custom JWT authentication to work #3185

mvilrokx Jan 12, 2023

Replies: 5 comments

mvilrokx Jan 12, 2023 Author

bjornalm Jan 17, 2023 Collaborator

Harshg999 Jan 17, 2023 Collaborator

mvilrokx Jan 17, 2023 Author

Harshg999 Jan 20, 2023 Collaborator

mvilrokx
Jan 12, 2023

mvilrokx
Jan 12, 2023
Author

bjornalm
Jan 17, 2023
Collaborator

Harshg999
Jan 17, 2023
Collaborator

mvilrokx
Jan 17, 2023
Author

Harshg999
Jan 20, 2023
Collaborator