Prevent "403 Forbidden" with JWT auth

[gbshhennsi]

Hello !

I am trying to secure my couchdb with a JWT Token. I succefully accessed the Database with the Token and it responds with:

{ "couchdb": "Welcome", "version": "3.2.1", "git_sha": "244d428af", "uuid": "7ce2e0a56139046ee7405702e5c7eb42", "features": [ "access-ready", "partitioned", "pluggable-storage-engines", "reshard", "scheduler" ], "vendor": { "name": "The Apache Software Foundation" } }

The Problem is when I want to access a specific Database I am recieving

{ "error": "forbidden", "reason": "You are not allowed to access this db." }.

The problem is I want to get docs from my Database without user-password authentication.
My docker.ini files auth section looks like this

Is the JWT authentication missing the feature of accessing databases without basic auth or am I doing something wrong?
Thanks in advance!

[big-r81]

Hi,

do you have an example token for testing?

[gbshhennsi]

Yes, sorry for the late reply...

The Full Token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjVCMzVDOTA2RjFEODMwNUQ4QUNFN0E2NjVDNDFDMjE5IiwidHlwIjoiSldUIn0.eyJuYmYiOjE2NTIxMDk4NjQsImV4cCI6MTY1MjExMzQ2NCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTA1MC9zZXJpY3ktc2VjdXJpdHktYXBpIiwiY2xpZW50X2lkIjoiY2xpZW50LXRlc3QtdWkiLCJzdWIiOiI1MjEyNDA3NC0wNDkzLTQ1MzQtODc0MS0xZmQzMGVlNzU3OTQiLCJhdXRoX3RpbWUiOjE2NTIxMDk4NjIsImlkcCI6ImxvY2FsIiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvZW1haWxhZGRyZXNzIjoidGVzdHVzZXJAZ21haWwuY29tIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJSSFJZRkQzUUY0WldHNDdWUFg0VVA3UzdEVU41TE1FUiIsInJvbGUiOiJTeXN0ZW0gQWRtaW4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsIm5hbWUiOiJ0ZXN0dXNlciIsImVtYWlsIjoidGVzdHVzZXJAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImZ1bGxOYW1lIjoidGVzdHVzZXIiLCJmb3JjZVBhc3N3b3JkQ2hhbmdlIjoiRmFsc2UiLCJleHRlcm5hbFVzZXIiOiJmYWxzZSIsImRlcGFydG1lbnQiOiJ0ZXN0dXNlciIsImxvY2FsZSI6ImVuIiwic2lkIjoiOUZBMzUyN0M3NENFNkIxQUM3NDZGN0FCRjYyOTJEMzUiLCJpYXQiOjE2NTIxMDk4NjQsInNjb3BlIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJvZmZsaW5lX2FjY2VzcyJdLCJhbXIiOlsicHdkIl19.ZQbgBJRwvI6gyGGHPtlKE16vaeeJ-vu0YKQIHxu5PI4px1-n_J_QfvWzUEPqV8xNlb87ciQFa_3GjRxHIQqp8S0mtrVvA_YfDNfZTNbng3xqdJEagS5Wcp3s4qr3xmdtqUpxY_vrmgsp2BbKdQyY814nGLG8p2Tbj8hi-omJQQ78PgS4NPpPIm3lSh54fQ6F6BQ163_n_n8gI-vCNKyOUNdUlRDVrcKnTW0C4b6DZh7vZLx6dHP2O8DglfRS0d0rcg9zHafXOEin8QQBH3z22iS3yqYMxsMoJCIVIpmgY9frkk6jtyzuxVyW3LWGCbBHwZ4a_besuW0nUJFgfFk1tA

The public key in JWK Format:

{
"kty": "RSA",
"use": "sig",
"kid": "5B35C906F1D8305D8ACE7A665C41C219",
"e": "AQAB",
"n": "13UtpTOG138LZMv9CDUByIMoPbKN4ZrVuZSa78Js4y1DV6b07XyWenSTqN8Y865aMEBEujXlKsfkEXgxvR2dyDkFHg5df7OPyT98pgw-Fz7eFntAIkQyS0wojwAY2DXolfA65Ehicu2N3Y-uTbWyUsn1Qd6Eeh6395nDOuVkrsGUKnwpmf1eVSaZCtfRcayk10ToX2p0rqjBdXxdWxyQXv8tXLkpzEAIvlPFyFVeFuVlGRNooJWZP37kVCGrHdGhCynBjVl6EwYNPB00W5ae4Y_yQ5T1qBoIPrD85uiNzCwnpO0uw_6imPu-bZnqtzgf_kYBw1nHEdrumYnBPlp0-Q",
"alg": "RS256"
}

[big-r81]

And your user ("52124074-0493-4534-8741-1fd30ee75794") has access to both dbs?

Can you paste your permissions for your db (for which the token is working) and for your db (for which the token is failing)?

[gbshhennsi]

The Token is not working for any db...

The only chance you can access the DB is by basic auth with a password and a username

this is how i set up the docker.ini file of the couchdb

Now I send the _all_dbs query to the database together with the jwt:

when I want to access one specific database with the jwt token I recieve the following problem:

Now i do the same with basic auth and you see it works (password and username are mandatory since version 3.x)

I think that the couchdb should respond with a 200 in both cases.

[big-r81]

Can you please paste your jwt_key in a code block here?

[gbshhennsi]

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA13UtpTOG138LZMv9CDUB
yIMoPbKN4ZrVuZSa78Js4y1DV6b07XyWenSTqN8Y865aMEBEujXlKsfkEXgxvR2d
yDkFHg5df7OPyT98pgw+Fz7eFntAIkQyS0wojwAY2DXolfA65Ehicu2N3Y+uTbWy
Usn1Qd6Eeh6395nDOuVkrsGUKnwpmf1eVSaZCtfRcayk10ToX2p0rqjBdXxdWxyQ
Xv8tXLkpzEAIvlPFyFVeFuVlGRNooJWZP37kVCGrHdGhCynBjVl6EwYNPB00W5ae
4Y/yQ5T1qBoIPrD85uiNzCwnpO0uw/6imPu+bZnqtzgf/kYBw1nHEdrumYnBPlp0
+QIDAQAB
-----END PUBLIC KEY-----

[big-r81]

Okay, tried your key, works for me, but you need to add the user of the key or some roles to the db security objects to allow them to access!

Test it with:

Adding the user (52124074-0493-4534-8741-1fd30ee75794) as a member of that db (user or admin). Do this with your admin user.

GET /testdb/_security

{
    "members": {
        "roles": [
            "_admin"
        ],
        "names": [
            "52124074-0493-4534-8741-1fd30ee75794"
        ]
    },
    "admins": {
        "roles": [
            "_admin"
        ],
        "names": []
    }
}

Then you should query your db with your JWT Bearer Token:

GET /testdb

{
    "db_name": "testdb",
    "purge_seq": "0-g1AAAABXeJzLYWBgYMpgTmEQTM4vTc5ISXIwNDLXMwBCwxyQVB4LkGRoAFL_gSArkQGP2kSGpHqIoiwAtOgYRA",
    "update_seq": "40-g1AAAACbeJzLYWBgYMpgTmEQTM4vTc5ISXIwNDLXMwBCwxyQVB4LkGRoAFL_gSArgzlRKBcowG5ummaZamCBTR8e0xIZkuqhxoiBjUlKNDJMTsRqTBYA8kgoqA",
    "sizes": {
        "file": 442786,
        "external": 1277,
        "active": 20047
    },
    "props": {},
    "doc_del_count": 0,
    "doc_count": 3,
    "disk_format_version": 8,
    "compact_running": false,
    "cluster": {
        "q": 2,
        "n": 1,
        "w": 1,
        "r": 1
    },
    "instance_start_time": "0"
}

[gbshhennsi]

Wow, it works for me aswell :

I wonder if I can only use the sub claim to define my token as admin or if I could accept every jwt token with a valid key.
Or better if I could completely ignore if a user is admin or not.

In addition to that i wonder if I can only define the admin here:

or if it is also possible inside the Docker.ini file

[big-r81]

Hi, this was only an example. "_admin" (special server admin role) was the default for my db.

You can also create your own role in the payload like:

...
"sub": "52124074-0493-4534-8741-1fd30ee75794",
"_couchdb.roles": ["my_new_role"],
...

and add that role to the member list:

/GET /testdb/security
{
    "members": {
        "roles": [
            "my_new_role"
        ],
        "names": []
    },
    "admins": {
        "roles": [
            "_admin"
        ],
        "names": []
    }
}

That's your decision if this user is an admin or a normal user for this db (same with roles)...