
Comments (6)

BaurzhanSakhariev commented on June 27, 2024

Just some notes:

HBA explicitly picks up first matching entry:
https://github.com/crate/crate/blob/master/server/src/main/java/io/crate/auth/HostBasedAuthentication.java#L175

We would need to try to auth against all matching entries.
Also, this is HTTP specific since the PG protocol cannot have jwt auth.


tomach commented on June 27, 2024

Just for reference the errors we get when using the auth method which is configured 2nd:

  • config
        - -Cauth.host_based.config.98.method=jwt
        - -Cauth.host_based.config.98.protocol=http
        - -Cauth.host_based.config.99.method=password
  • request with username/pwd
$ curl -u myuser:mypwd -X POST -d '{"stmt":"select current_user;"}' -H "Content-Type: application/json" https://localhost:4200/_sql -k -v
< HTTP/1.1 401 Unauthorized
< content-length: 144
* Authentication problem. Ignoring this.
< www-authenticate: Basic realm="CrateDB Authenticator"
< 
jwt authentication failed for user myuser. Reason: Cannot invoke "com.auth0.jwt.interfaces.DecodedJWT.getIssuer()" because "decodedJWT" is null

... and with swapped order

        - -Cauth.host_based.config.98.method=password
        - -Cauth.host_based.config.99.method=jwt
        - -Cauth.host_based.config.99.protocol=http
  • request with jwt
$ curl -X POST -d '{"stmt":"select current_user;"}' -H "Content-Type: application/json" https://localhost:4200/_sql -k -H "Authorization: Bearer {jwt}" -v
< HTTP/1.1 401 Unauthorized
< content-length: 46
< www-authenticate: Basic realm="CrateDB Authenticator"
< 
password authentication failed for user "my_jwt_user"


BaurzhanSakhariev commented on June 27, 2024

We would need to try to auth against all matching entries.

That's cumbersome and also can be not nice in implementation because of "jwt-is-only-http" aspect.

I think instead of going through all methods we can adjust the HBA method resolving to the following:

  • if resolved method is already single, use it.
  • if we have multiple matching methods, pick up the one which corresponds to the header payload - we cannot mix different headers.

This way we still have jwt/password differentiation, which is less confusing than having jwt_or_password, and also keep the possibility of granular config per user, i.e. “allow only jwt for Georg”.

I wonder if we should treat this as a bug. Irrelevant of JWT but speaking from HBA point of view - we have a request that matches HBA and fails for either of jwt/password because of the order.


proddata commented on June 27, 2024

can be not nice in implementation because of "jwt-is-only-http" aspect.

That is however related to the actual implementation. If JWT had been implemented to reuse the password field (as suggested in the original ticket), one could have also easily used it via the PostgreSQL wire protocol. If "password" were instead treated as a more generic "use HTTP authorization header" approach, this would also be a non-issue.

This issue arises from treating JWT as a separate authentication mode solely for HTTP connections. Whether this is a bug or not is irrelevant; the feature was intended for hosted use cases. Just as we expect to use the PostgreSQL wire protocol and the HTTP endpoint with the same user, we also anticipated using password and JWT authentication with the same user. As it stands, we can't make much use of it. As we did agree to treat new features as experimental to some degree and only consider them stable after iterations, we can't make much use of it right now. While this technically might not be a bug (since it wasn't specified in the original request, nor was the contrary), I would still love to see this resolved quickly within this (5.7) or the next minor release (5.8).


If the HBA matched not only the host but also the authentication method provided by the user's authentication attempt, this issue would be resolved.

i.e.

if we have multiple matching methods, pick up the one which corresponds to the header payload - we cannot mix different headers.

would be favourable 👍

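The two resolution strategies discussed above (documented first-match versus picking the matching entry whose method fits the credential the client actually presented), as an added illustration that is not CrateDB's code. The entry model, the `"pg"`/`"http"` protocol labels and the sample headers are constructed for this example; only the order/method/protocol layout follows the `-Cauth.host_based.config.*` settings quoted earlier in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HbaEntry:
    order: int                     # the "98"/"99" order identifier from the config keys
    method: str                    # "jwt", "password", ...
    protocol: Optional[str] = None  # None = any protocol; "http" or "pg" (labels assumed here)


# Constructed entries mirroring the issue's first config: 98 = jwt (http only), 99 = password (any protocol)
ENTRIES: List[HbaEntry] = [HbaEntry(98, "jwt", "http"), HbaEntry(99, "password")]
# Constructed request headers: what `curl -u` and `-H "Authorization: Bearer ..."` send
BASIC_HEADERS = {"Authorization": "Basic bXl1c2VyOm15cHdk"}
BEARER_HEADERS = {"Authorization": "Bearer <jwt-placeholder>"}


def matching_entries(entries: List[HbaEntry], protocol: str) -> List[HbaEntry]:
    """Entries that apply to this connection's protocol, in order-identifier sequence."""
    return sorted((e for e in entries if e.protocol in (None, protocol)), key=lambda e: e.order)


def credential_kind(headers: Dict[str, str]) -> Optional[str]:
    """Map the presented Authorization scheme to an HBA method name (None if absent or unknown)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme = auth.split(" ", 1)[0].lower()
    return {"bearer": "jwt", "basic": "password"}.get(scheme)


def resolve_first_match(entries: List[HbaEntry], protocol: str) -> Optional[str]:
    """Documented behaviour: the first matching entry decides; later entries are never consulted."""
    matches = matching_entries(entries, protocol)
    return matches[0].method if matches else None


def resolve_by_credential(entries: List[HbaEntry], protocol: str,
                          headers: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Proposed behaviour: with several matching entries, take the one whose method
    fits the credential actually presented; a single match is used as-is."""
    matches = matching_entries(entries, protocol)
    if not matches:
        return None
    if len(matches) == 1:
        return matches[0].method
    kind = credential_kind(headers or {})
    for entry in matches:
        if entry.method == kind:
            return entry.method
    return matches[0].method  # nothing fits the presented credential: keep the documented rule
```

With the quoted config, a Basic-auth request resolves to `jwt` under first-match (the failure shown above) but to `password` under the credential-aware rule, and a PG connection sees only the `password` entry because the `jwt` entry is HTTP-only.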

BaurzhanSakhariev commented on June 27, 2024

I wonder if we should treat this as a bug. Irrelevant of JWT but speaking from HBA point of view - we have a request that matches HBA and fails for either of jwt/password because of the order.

Added a bug label for now, will discuss with the team later

UPD: Removed bug as "picking up first" is documented behavior.
From https://cratedb.com/docs/crate/reference/en/latest/admin/auth/hba.html

The authentication method of the first entry that matches the client user and address will be used. If the authentication attempt fails, subsequent entries will not be considered. The entry look-up order is determined by the order identifier of each entry.


BaurzhanSakhariev commented on June 27, 2024

Hi @proddata, thx for reporting. The fix will be available in the next 5.7.2 hotfix release.
