processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Auth method External: Failed to start external authentication program #3998

Closed pinanklakhani closed 1 year ago

pinanklakhani commented 1 year ago

I simply want to authenticate my client using a JWT token. For that I am using external authentication with a Python script. I have the following configuration in my ejabberd.yml file:

auth_method: external
extauth_program: /usr/local/etc/ejabberd/authenticator.py
extauth_instances: 1
auth_use_cache: false
auth_password_format: scram

and the following is my authenticator.py file, in the same directory:

#! /usr/bin/python3.9

import requests
import json

def authenticate(username, token):
    headers = {'Authorization': f'Bearer {token}'}
    response = requests.get('https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/userinfo', headers=headers)

    if response.status_code == 200:
        userinfo = json.loads(response.content)
        return True
    else:
        return False

but when I start the ejabberd server it gives the following error:

[error] <0.605.0>@extauth:handle_info/2:149 Failed to start external authentication program '/usr/local/etc/ejabberd/authenticator.py'
2023-02-23 14:35:11.100175+05:30 [error] <0.600.0>@supervisor:do_restart/3:736 SUPERVISOR REPORT:
    supervisor: {local,extauth_pool_localhost}
    errorContext: child_terminated
    reason: normal
    offender: [{pid,<0.605.0>},
               {id,extauth_pool_localhost_1},
               {mfargs,{extauth,start_link,
                                [extauth_pool_localhost_1,
                                 "/usr/local/etc/ejabberd/authenticator.py"]}},
               {restart_type,permanent},
               {significant,false},
               {shutdown,5000},
               {child_type,worker}]

Please help me resolve this.

licaon-kter commented 1 year ago

Why open a new issue?!

pinanklakhani commented 1 year ago

@licaon-kter It was posted on the contrib repository by mistake.

badlop commented 1 year ago

For reference, the previous issue is https://github.com/processone/ejabberd-contrib/issues/316

pinanklakhani commented 1 year ago

@licaon-kter @badlop

For JWT authentication, I have to use the auth method external. The reference provided suggests using auth_method: jwt, and for this to work, I have to expose my token private key which according to

Understand?

badlop commented 1 year ago

I think this is wrong:

#! /usr/bin python3

It should be:

#!/usr/bin/python3

pinanklakhani commented 1 year ago

@badlop tried but same result

2023-02-23 18:42:20.703636+05:30 [error] <0.599.0>@extauth:handle_info/2:149 Failed to start external authentication program 'python3.9 /usr/local/etc/ejabberd/authenticator.py'
2023-02-23 18:42:20.703869+05:30 [error] <0.598.0>@supervisor:do_restart/3:736 SUPERVISOR REPORT:

nosnilmot commented 1 year ago

#!/usr/bin/python3 would probably be better as #!/usr/bin/env python3, but it doesn't matter if python3 is actually in /usr/bin.

The main problem is your script does not implement the external authentication API.

Also, as @licaon-kter pointed out on the ticket in ejabberd-contrib, JWT authentication is already supported natively.

For JWT authentication, i have to use auth method external.

Why?

The reference provided suggests using auth_method: jwt, and for this to work, I have to expose my token private key which according to

That looks like an incomplete sentence. You do not need to share the private key if you are using an asymmetric key; only the public key is necessary to validate tokens.

Understand?

No 😄
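
As an added example (not code from this issue, from ejabberd, or from its contrib scripts), here is a skeleton of what the external authentication API that @nosnilmot mentions expects from the program: length-prefixed requests on stdin, fixed-size replies on stdout, and the operation strings ejabberd sends. The framing follows ejabberd's developer guide; the user, server and token values, and the verify_token stand-in, are constructed for the example.

```python
#!/usr/bin/env python3
"""Skeleton ejabberd external-authentication program (added example).
ejabberd sends "op:user:server[:password]" prefixed by a 2-byte big-endian
length; the program replies with the 2-byte length 2 followed by a 2-byte
result, 1 = success and 0 = failure."""
import struct
import sys
from typing import Callable
Verifier = Callable[[str, str, str], bool]

def verify_token(user: str, server: str, token: str) -> bool:
    # Constructed stand-in. A real deployment would validate the JWT signature
    # against the IdP's public key (its JWKS) and confirm the token's subject
    # is user@server; it would never accept a token on string equality.
    return server == "example.org" and user == "alice" and token == "demo-token"

def encode_request(text: str) -> bytes:
    """Frame a request exactly as ejabberd does (used for local testing)."""
    body = text.encode("utf-8")
    return struct.pack(">H", len(body)) + body

def encode_reply(ok: bool) -> bytes:
    return struct.pack(">HH", 2, 1 if ok else 0)

def handle_request(req: str, verify: Verifier) -> bool:
    # Split at most three times so a token containing ':' reaches verify intact.
    parts = req.split(":", 3)
    if parts[0] == "auth" and len(parts) == 4:
        return verify(parts[1], parts[2], parts[3])
    if parts[0] == "isuser" and len(parts) == 3:
        return True  # bearer tokens give no user directory; report the user as existing
    return False  # setpass, tryregister, removeuser*: unsupported, so refuse

def respond(data: bytes, verify: Verifier = verify_token) -> bytes:
    """Answer every complete frame in data; a trailing partial frame is ignored."""
    out = b""
    while len(data) >= 2:
        n = struct.unpack(">H", data[:2])[0]
        if len(data) < 2 + n:
            break
        out += encode_reply(handle_request(data[2:2 + n].decode("utf-8", "replace"), verify))
        data = data[2 + n:]
    return out

if __name__ == "__main__":
    inp, outp = sys.stdin.buffer, sys.stdout.buffer
    while len(header := inp.read(2)) == 2:  # a short read means ejabberd closed the pipe
        outp.write(respond(header + inp.read(struct.unpack(">H", header)[0])))
        outp.flush()
```

The script in the issue returns a Python bool from a function nobody calls and never reads stdin, so ejabberd sees the process exit immediately, which is the "Failed to start external authentication program" message in the log above.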

pinanklakhani commented 1 year ago

Thanks @nosnilmot. I updated auth_method to jwt and provided the public key in the jwt_key option, and the configuration worked. I have Keycloak as the auth gateway, so I provided the cert JSON in the jwt_key path and the configs loaded successfully: https://<host>/auth/realms/myrealm/protocol/openid-connect/certs

Now when I pass the jid and token from strophe.js while connecting, it gives an "invalid username or password" error. Checking on that.