Permission Denied for login API while using JWT

Hi all,
I did set up the 'jwt' auth method for my Consul data center. The following is the payload I used while setting up the auth method.

{
  "Name": "my-jwt-auth-method",
  "Type": "jwt",
  "Description": "my jwt based auth method",
  "Config": {
    "BoundIssuer": "corp-issuer",
    "JWTValidationPubKeys": [<my public key>]
  }
}

The auth method setup was successful.

Later, I framed the request payload as follows for the "/acl/login" API:

{
  "AuthMethod": "my-jwt-auth-method",
  "BearerToken":  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21la2V5Ijoic29tZXZhbHVlIiwiaXNzIjoiY29ycC1pc3N1ZXIiLCJpYXQiOjE2ODc5MjgwNzd9.<signedpart>"
}

The header of the JWT is {"alg": "RS256", "typ": "JWT"}
The payload of the JWT I used is
{
  "somekey": "somevalue",
  "iat": 1687928077,
  "iss": "corp-issuer"
}
I am sure my token is signed properly using the private key associated with the public key I used when setting up the auth method. I have tried both passing the ACL bootstrap token in the header and not passing it in the header. Either way I am getting permission denied.

May I know what the reason is?
Thank you!

Hi @murali.naru158,

Have you correspondingly set up an ACL binding rule to match on the claims in the JWT and map that to a Consul ACL policy?

https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/jwt#trusted-identity-attributes-via-claim-mappings

https://developer.hashicorp.com/consul/api-docs/acl/binding-rules

Hi @blake Many thanks for your response.
Yeah… I realised my mistake 2-3 days back.
1. I did not set up a role and associate it with the binding rule.
2. Also, I did not specify the ClaimMappings while setting up the JWT auth method.
When I corrected these two, I was able to overcome the issue.

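The two missing pieces from the thread (ClaimMappings on the auth method, and a role reached through a binding rule), wired together against the Consul ACL HTTP API. This is an added example, not code from the thread or from HashiCorp; it assumes CONSUL_HTTP_ADDR, a management token in CONSUL_HTTP_TOKEN, the <my public key> placeholder from the original post, and made-up policy and role names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes CONSUL_HTTP_ADDR, a management
# token in CONSUL_HTTP_TOKEN, and the placeholder <my public key>; the policy
# and role names are made up here.
set -eu
CONSUL_HTTP_ADDR="${CONSUL_HTTP_ADDR:-http://127.0.0.1:8500}"

# Auth method from the original post plus ClaimMappings, so the JWT claim
# "somekey" is exposed to binding rules as the selectable field value.somekey.
auth_method_payload() {
  cat <<'EOF'
{"Name": "my-jwt-auth-method", "Type": "jwt",
 "Config": {"BoundIssuer": "corp-issuer",
            "JWTValidationPubKeys": ["<my public key>"],
            "ClaimMappings": {"somekey": "somekey"}}}
EOF
}

# A policy, and a role that carries it: a binding rule binds to a role (or a
# service identity), never directly to a policy.
policy_payload() {
  printf '%s\n' '{"Name": "jwt-client-policy", "Rules": "node_prefix \"\" { policy = \"read\" }"}'
}
role_payload() {
  printf '%s\n' '{"Name": "jwt-client-role", "Policies": [{"Name": "jwt-client-policy"}]}'
}

# Binding rule: only tokens whose mapped claim matches the selector get the
# role; a JWT that validates but matches no binding rule is still denied.
binding_rule_payload() {
  printf '%s\n' '{"AuthMethod": "my-jwt-auth-method", "BindType": "role", "BindName": "jwt-client-role", "Selector": "value.somekey==somevalue"}'
}

# PUT one payload (produced by the named function) to /v1/acl/<endpoint>.
consul_put() {
  curl -sS --fail -X PUT -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN:?management token}" \
    --data "$("$2")" "${CONSUL_HTTP_ADDR}/v1/acl/$1"
}

# Create everything in dependency order, then log in with the JWT. No bootstrap
# token goes in the login header: /acl/login authenticates with the JWT alone.
apply_and_login() {
  consul_put auth-method auth_method_payload
  consul_put policy policy_payload
  consul_put role role_payload
  consul_put binding-rule binding_rule_payload
  curl -sS --fail -X POST --data "{\"AuthMethod\": \"my-jwt-auth-method\", \"BearerToken\": \"$1\"}" \
    "${CONSUL_HTTP_ADDR}/v1/acl/login"
}
# Usage: . ./consul-jwt-setup.sh && apply_and_login "$JWT"
```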