AnthonyDeroche / mod_authnz_jwt

An authentication module for Apache httpd using JSON Web Tokens

User is not getting validated, though user exists in htpasswd file #5

Closed pravinkadu closed 7 years ago

pravinkadu commented 7 years ago

Hi,

Thanks for your module.

I am trying to use your module for authentication, but when I try to post the user and password to the URL, it returns unauthenticated.

I am using the same configuration from the example:

```apache
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example.com/public_html
    ErrorLog /var/www/example.com/error.log
    CustomLog /var/www/example.com/requests.log combined

    # default values
    #AuthJWTFormUsername user
    #AuthJWTFormPassword password
    #AuthJWTAttributeUsername user

    AuthJWTSignatureAlgorithm HS256
    AuthJWTExpDelay 1800
    AuthJWTNbfDelay 0
    #AuthJWTIss example.com
    #AuthJWTAud demo
    #AuthJWTLeeway 10

    AuthJWTSignatureSharedSecret secret
    AllowOverride none

    LogLevel auth_jwt:debug
    RewriteEngine On

    <Directory /var/www/example.com/public_html/demo/secured/>
        AuthType jwt
        AuthName "private area"
        Require valid-user
    </Directory>

    <Location /login>
        SetHandler jwt-login-handler
        AuthJWTProvider file ldap
        AuthUserFile /var/www/example.com/jwt.htpasswd
    </Location>
</VirtualHost>
```

Could you please help me out? Why is it not getting validated?

pravinkadu commented 7 years ago

When I use the LDAP module, I can see this in the error log:

```
[Thu Jan 19 06:42:09.394371 2017] [auth_jwt:debug] [pid 8] mod_authnz_jwt.c(876): [client 10.0.2.2:52737] AH55226: auth_jwt authn: credentials are not correct
[Thu Jan 19 06:42:09.394389 2017] [auth_jwt:error] [pid 8] [client 10.0.2.2:52737] AH55228: user 'x\x97\xdaz\x11V' not found: /login
```

I think it's encrypting the user before validation.

AnthonyDeroche commented 7 years ago

Hi, thanks for your feedback.

It's weird since tests passed regarding login when I use htpasswd.

Does it happen even if you specify only one authentication provider (e.g. file)? Did you check that your password file is correct?

I will investigate this very soon and I'll keep you posted.

Anthony

pravinkadu commented 7 years ago

Yes, I have tried both authentication providers (file, ldap, and file ldap). These two work with basic authentication, but when I use the JWT module it fails. So I don't think the issue is with the htpasswd file.

FYI, I am using CentOS 7 and Apache 2.4.

Thanks and Regards, Pravin

AnthonyDeroche commented 7 years ago

Hello,

I think you are posting data to the login URL using JSON. The module does not support this content type for now, but I plan to support it in an upcoming release. You should try again with the `application/x-www-form-urlencoded` content type when you are posting the username and password.

Basically, this command should work: `curl -X POST -d "user=john&password=doe" /login`

By the way, I also have to log something understandable when using a content type other than `application/x-www-form-urlencoded`.

AnthonyDeroche commented 7 years ago

I added an explicit check on Content-Type; you should have a 415 (supported media type) if you post data using a content type other than `application/x-www-form-urlencoded`.

Tell me if it's working for you.

Regards, Anthony
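Added example, not code from mod_authnz_jwt and not written by either participant: a C sketch of the kind of pre-check described above, rejecting a login POST whose media type is not `application/x-www-form-urlencoded` (which `curl -d` sends by default) before any provider sees the credentials. The function names, the status enum and the 401 for a missing field are assumptions; the field names `user` and `password` are the defaults shown in the posted configuration.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Outcomes of this sketch; 401 for a missing field is an assumption. */
enum { LOGIN_CONTINUE = 0, LOGIN_UNAUTHORIZED = 401, LOGIN_UNSUPPORTED_MEDIA_TYPE = 415 };

/* 1 if the media type matches, ignoring case and parameters ("; charset=UTF-8"). */
int is_form_urlencoded(const char *content_type)
{
    static const char want[] = "application/x-www-form-urlencoded";
    const size_t n = sizeof(want) - 1;
    if (content_type == NULL)
        return 0;
    while (*content_type == ' ' || *content_type == '\t')
        content_type++;
    if (strncasecmp(content_type, want, n) != 0)
        return 0;
    content_type += n;
    while (*content_type == ' ' || *content_type == '\t')
        content_type++;
    return *content_type == '\0' || *content_type == ';';
}

/* 1 if the body has a non-empty "name=value" pair at its start or after '&'. */
int form_has_field(const char *body, const char *name)
{
    const size_t len = strlen(name);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, len) == 0 && p[len] == '=' &&
            p[len + 1] != '\0' && p[len + 1] != '&')
            return 1;
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return 0;
}

/* Decide what to do with a login POST before any provider is consulted. */
int login_precheck(const char *content_type, const char *body)
{
    if (!is_form_urlencoded(content_type))
        return LOGIN_UNSUPPORTED_MEDIA_TYPE;
    if (!form_has_field(body, "user") || !form_has_field(body, "password"))
        return LOGIN_UNAUTHORIZED;
    return LOGIN_CONTINUE;
}
```

A JSON body contains no `user=` pair, so a form decoder applied to it never finds the posted username; failing early with 415 makes that visible to the client instead of surfacing as a provider lookup failure.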

pravinkadu commented 7 years ago

Yes,

It's working with application/x-www-form-urlencoded.

Thanks for your help!

Regards, Pravin