Prevent "403 Forbidden" with JWT auth #4009

Answered by big-r81
gbshhennsi asked this question in General

Hello!

I am trying to secure my CouchDB with a JWT token. I successfully accessed the database with the token and it responds with:

```json
{ "couchdb": "Welcome", "version": "3.2.1", "git_sha": "244d428af", "uuid": "7ce2e0a56139046ee7405702e5c7eb42", "features": [ "access-ready", "partitioned", "pluggable-storage-engines", "reshard", "scheduler" ], "vendor": { "name": "The Apache Software Foundation" } }
```

The problem is when I want to access a specific database I am receiving:

```json
{ "error": "forbidden", "reason": "You are not allowed to access this db." }
```

The problem is I want to get docs from my database without user-password authentication.
My docker.ini file's auth section looks like this:

[image]

Is the JWT authentication missing the feature of accessing databases without basic auth or am I doing something wrong?
Thanks in advance!


Hi,

do you have an example token for testing?


Yes, sorry for the late reply...

The Full Token:


The public key in JWK Format:

```json
{
  "kty": "RSA",
  "use": "sig",
  "kid": "5B35C906F1D8305D8ACE7A665C41C219",
  "e": "AQAB",
  "n": "13UtpTOG138LZMv9CDUByIMoPbKN4ZrVuZSa78Js4y1DV6b07XyWenSTqN8Y865aMEBEujXlKsfkEXgxvR2dyDkFHg5df7OPyT98pgw-Fz7eFntAIkQyS0wojwAY2DXolfA65Ehicu2N3Y-uTbWyUsn1Qd6Eeh6395nDOuVkrsGUKnwpmf1eVSaZCtfRcayk10ToX2p0rqjBdXxdWxyQXv8tXLkpzEAIvlPFyFVeFuVlGRNooJWZP37kVCGrHdGhCynBjVl6EwYNPB00W5ae4Y_yQ5T1qBoIPrD85uiNzCwnpO0uw_6imPu-bZnqtzgf_kYBw1nHEdrumYnBPlp0-Q",
  "alg": "RS256"
}
```


And your user ("52124074-0493-4534-8741-1fd30ee75794") has access to both dbs?

Can you paste your permissions for your db (for which the token is working) and for your db (for which the token is failing)?


The token is not working for any db...

The only chance you can access the DB is by basic auth with a password and a username.

[image]

This is how I set up the docker.ini file of the CouchDB.

Now I send the _all_dbs query to the database together with the JWT:

[image]

When I want to access one specific database with the JWT token I receive the following problem:

[image]

Now I do the same with basic auth and you see it works (password and username are mandatory since version 3.x):

[image]

I think that the CouchDB should respond with a 200 in both cases.


Can you please paste your jwt_key in a code block here?


```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA13UtpTOG138LZMv9CDUB
yIMoPbKN4ZrVuZSa78Js4y1DV6b07XyWenSTqN8Y865aMEBEujXlKsfkEXgxvR2d
yDkFHg5df7OPyT98pgw+Fz7eFntAIkQyS0wojwAY2DXolfA65Ehicu2N3Y+uTbWy
Usn1Qd6Eeh6395nDOuVkrsGUKnwpmf1eVSaZCtfRcayk10ToX2p0rqjBdXxdWxyQ
Xv8tXLkpzEAIvlPFyFVeFuVlGRNooJWZP37kVCGrHdGhCynBjVl6EwYNPB00W5ae
4Y/yQ5T1qBoIPrD85uiNzCwnpO0uw/6imPu+bZnqtzgf/kYBw1nHEdrumYnBPlp0
+QIDAQAB
-----END PUBLIC KEY-----
```


Okay, tried your key, works for me, but you need to add the user of the key or some roles to the db security objects to allow them to access!

Test it with:

Adding the user (52124074-0493-4534-8741-1fd30ee75794) as a member of that db (user or admin). Do this with your admin user.

GET /testdb/_security

```json
{
  "members": {
    "roles": [
      "_admin"
    ],
    "names": [
      "52124074-0493-4534-8741-1fd30ee75794"
    ]
  },
  "admins": {
    "roles": [
      "_admin"
    ],
    "names": []
  }
}
```

Then you should query your db with your JWT Bearer Token:

GET /testdb

```json
{
  "db_name": "testdb",
  "purge_seq": "0-g1AAAABXeJzLYWBgYMpgTmEQTM4vTc5ISXIwNDLXMwBCwxyQVB4LkGRoAFL_gSArkQGP2kSGpHqIoiwAtOgYRA",
  "update_seq": "40-g1AAAACbeJzLYWBgYMpgTmEQTM4vTc5ISXIwNDLXMwBCwxyQVB4LkGRoAFL_gSArgzlRKBcowG5ummaZamCBTR8e0xIZkuqhxoiBjUlKNDJMTsRqTBYA8kgoqA",
  "sizes": {
    "file": 442786,
    "external": 1277,
    "active": 20047
  },
  "props": {},
  "doc_del_count": 0,
  "doc_count": 3,
  "disk_format_version": 8,
  "compact_running": false,
  "cluster": {
    "q": 2,
    "n": 1,
    "w": 1,
    "r": 1
  },
  "instance_start_time": "0"
}
```
Answer selected by gbshhennsi

Wow, it works for me as well:

[image]

I wonder if I can only use the sub claim to define my token as admin or if I could accept every JWT token with a valid key.
Or better, if I could completely ignore whether a user is admin or not.

In addition to that I wonder if I can only define the admin here:

[image]

or if it is also possible inside the docker.ini file.


Hi, this was only an example. "_admin" (special server admin role) was the default for my db.

You can also create your own role in the payload like:

```
...
"sub": "52124074-0493-4534-8741-1fd30ee75794",
"_couchdb.roles": ["my_new_role"],
...
```

and add that role to the member list:

GET /testdb/_security

```json
{
  "members": {
    "roles": [
      "my_new_role"
    ],
    "names": []
  },
  "admins": {
    "roles": [
      "_admin"
    ],
    "names": []
  }
}
```

That's your decision if this user is an admin or a normal user for this db (same with roles)...
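As an added example (not code from this thread or from CouchDB itself) tying together the accepted answer and the `_couchdb.roles` reply: it mints and verifies a JWT carrying `sub` and `_couchdb.roles`, then evaluates those claims against a `_security` object the way CouchDB decides between admin, member and the "forbidden" response above. It assumes an HS256 shared secret (the `[jwt_keys] hmac:<kid>` style) rather than the thread's RS256 key so it runs with the standard library only; `DEMO_SECRET` and `MEMBER_SECURITY` are constructed sample inputs.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; CouchDB reads HMAC keys from [jwt_keys] hmac:<kid>.
# The thread's token is RS256, but HS256 is used here so the example runs
# without third-party libraries (an assumption, not the poster's setup).
DEMO_SECRET = b"constructed-demo-secret-not-from-the-thread"

# The _security object from the accepted answer (sub added to members.names).
MEMBER_SECURITY = {"members": {"roles": ["_admin"],
                               "names": ["52124074-0493-4534-8741-1fd30ee75794"]},
                   "admins": {"roles": ["_admin"], "names": []}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, secret: bytes, kid: str = "demo") -> str:
    """Compact JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify the signature (constant-time compare) and return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("JWT signature does not verify")
    return json.loads(b64url_decode(payload))

def db_access(claims: dict, security: dict) -> str:
    """Mirror CouchDB's per-database check: 'admin', 'member' or 'forbidden'.
    Identity is `sub`, roles are `_couchdb.roles`; `_admin` always wins; a db
    whose members names and roles are both empty is open to any authenticated user."""
    name = claims.get("sub")
    roles = set(claims.get("_couchdb.roles", []))
    admins, members = security.get("admins", {}), security.get("members", {})
    if "_admin" in roles or name in admins.get("names", []) or roles & set(admins.get("roles", [])):
        return "admin"
    if not members.get("names") and not members.get("roles"):
        return "member"
    if name in members.get("names", []) or roles & set(members.get("roles", [])):
        return "member"
    return "forbidden"
```

With the 3.x default security object (members.roles = ["_admin"], no names) the same valid token yields "forbidden", which is exactly the 403 in the question; adding the `sub` to `members.names` or the custom role to `members.roles` turns it into "member".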
