Open chinmaychandak opened 4 years ago
Pinging @elastic/integrations-services (Team:Services)
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
To clarify, you want to add an OAuth 2.0 capability to the Kafka output? (Logstash doesn't support using anything other than mTLS to secure the connection.) Probably the Kerberos support would be a good example to look at libbeat/common/transport/kerberos w.r.t. the outputs. Also Filebeat has some code in its httpjson input for doing OAuth so it would be good to stay consistent w.r.t. configuration options.
Thank you so much for responding, @andrewkroh!
> you want to add an OAuth 2.0 capability to the Kafka output?
Correct, yes.
> Probably the Kerberos support would be a good example to look at libbeat/common/transport/kerberos w.r.t. the outputs. Also Filebeat has some code in its httpjson input for doing OAuth so it would be good to stay consistent w.r.t. configuration options.
Thank you, will take a look at both of these!
I'm interested in JWT support as well, but the JWTs can be generated on the host automatically via SPIFFE/SPIRE. So I think the needed support would look similar to the username/password config, just that it passes the string a little differently, and reads it from a file.
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough 👍.
Thank you for your contribution!
Still would be useful. Then could use k8s projected tokens for auth.
👍
👍
I would like to scrape logs using Beats (either Filebeat, Metricbeat, etc.) and send them to Logstash or Kafka depending on my use case. Currently, I am leveraging the SSL support, but I would like to use JSON Web Token instead; i.e., the beats should talk to an Authorization server, receive a JWT and then pass it as part of the Auth header bearer token schema when writing logs to an output sink which then validates the JWT. I am specifically looking to integrate JWT in concert with OAuth for my use case (because of needing different ACLs/scopes for operations and data, and also the requirement for making the tokens ephemeral with some expiration policy).
Is this feature available/being worked on? If not, I would like to contribute, and was hoping someone could give me pointers on where to start. I also think I would need to implement this in the libbeat/common/transport directory just like TLS/SSL?
NOTE: I am completely new to the Beats code base, even though I've used beats quite a bit.
Any help would be greatly appreciated!
P.S. I had created a topic on the forum first: https://discuss.elastic.co/t/jwt-support-in-beats/254825, but thought it would be helpful to open an issue here since I did not receive many responses there.
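The sink-side check that the issue body describes (validate the bearer JWT, then enforce expiry and scope), as an added example; it is not code from Beats, Kafka or Logstash. It assumes an HS256 shared key so that it needs only the Go standard library, and `sign`, `issue`, `validate`, the `scope` claim layout, the key and the timestamps are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// sign returns the base64url HS256 signature over "header.payload".
func sign(key []byte, signed string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(signed))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}
// issue mints a constructed token, standing in for the authorization server.
func issue(key []byte, exp int64, scope string) string {
	enc := base64.RawURLEncoding.EncodeToString
	msg := enc([]byte(`{"alg":"HS256"}`)) + "." + enc([]byte(fmt.Sprintf(`{"exp":%d,"scope":%q}`, exp, scope)))
	return msg + "." + sign(key, msg)
}
// validate is the sink-side check on the bearer token; now and exp are Unix seconds.
func validate(token string, key []byte, need string, now int64) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed token")
	}
	var hdr, c struct{ Alg, Scope string; Exp int64 } // header and claims, decoded separately
	h, err := base64.RawURLEncoding.DecodeString(p[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return fmt.Errorf("unexpected alg") // pinned: the header must not pick the algorithm
	}
	if !hmac.Equal([]byte(p[2]), []byte(sign(key, p[0]+"."+p[1]))) { // constant-time compare
		return fmt.Errorf("bad signature")
	}
	b, err := base64.RawURLEncoding.DecodeString(p[1]) // claims are read only after the signature holds
	if err != nil || json.Unmarshal(b, &c) != nil || now >= c.Exp {
		return fmt.Errorf("expired or unreadable claims") // a missing exp decodes to 0 and fails closed
	}
	if !strings.Contains(" "+c.Scope+" ", " "+need+" ") { // whole-word match, so "logs" does not match "logs:write"
		return fmt.Errorf("missing scope %q", need)
	}
	return nil
}

func main() { // constructed key and timestamps
	fmt.Println(validate(issue([]byte("demo-key"), 1700000300, "logs:write"), []byte("demo-key"), "logs:write", 1700000000))
}
```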