Authenticate via JWT
On this page
A JSON Web Token (JWT) is an open, industry standard (RFC 7519) that defines a compact and self-contained method for securely transmitting information between parties as a JSON object, which can be verified and trusted as it is digitally signed.
JWTs are useful for both authorization (the most common scenario for using a JWTs) and information exchange (where information can be securely transmitted between parties).
Use JWTs with the SingleStore and MySQL Clients
To use a JWT with the SingleStore client, replace the password with the JWT:
singlestore -u $EMAIL_ADDRESS -h $WORKSPACE_HOSTNAME -P $CLUSTER_PORT --password=$JWT --ssl=TRUE --enable-cleartext-plugin
Similarly, to use a JWT with the MySQL client, replace the password with the JWT.
mysql -u $EMAIL_ADDRESS -h $WORKSPACE_HOSTNAME -P $CLUSTER_PORT --password=$JWT --ssl=TRUE
Instead of specifying a username/email address in the (SingleStore/MySQL) client command line, you can retrieve the username to use for connecting with SingleStore Helios from the JWT.'*'
in the -u
(--user
) option in the SingleStore/MySQL client.
singlestore -u '*' -h $WORKSPACE_HOSTNAME -P $CLUSTER_PORT --password=$JWT --ssl=TRUE --enable-cleartext-plugin
Refer to Validate JWTs with JWKS for more information.
Note
SingleStore also supports JWT-based authentication with the SingleStore JDBC driver, the SingleStore ODBC driver, and other client libraries that support cleartext (provided cleartext is enabled).
About JWT Users
For the purposes of this document, a "JWT user" is a user that can authenticate with a JWT when connecting to a SingleStore Helios workspace.
For authenticating to SingleStore Helios with a JWT:
-
When using browser-based SSO in conjunction with the
singlestore-auth-helper
or SingleStore driver, the JWT user is identified by the user’s Cloud Portal email address, where thesub
field of the JWT will contain the user’s email address as the username.Any user configured with a corresponding JWT user in the database can use this method to authenticate. The default expiration time for these tokens is sixteen (16) hours. Workspaces accept these JWTs that are signed by the Cloud Portal. -
When using the Cloud Portal SQL Editor against a running workspace, a JWT user is identified by a UUID.
Only Cloud Portal users that are members of the organization which owns the workspace may access the database using this method. Workspaces accept these JWTs that are signed by the Cloud Portal. -
Customers can create and sign JWTs.
For a customer-created JWT to be accepted by SingleStore Helios, the workspace must be configured to accept the public key corresponding to the private key used to sign the JWT. -
Workspaces are configured to accept JWTs using JSON Web Key Sets (JWKS).
With JWKS, JWTs are matched to JSON Web Keys (JWKs) to validate the JWT. The JWK and JWT together specify the database username to use.
Validate JWTs with JWKS
You can use JSON Web Key Sets (JWKS) to validate the signature of a signed JWT.
JWTs are matched with JSON Web Keys (JWKs) for validation as follows:
-
If the JWT has a
kid
(Key ID) field, the JWKs with matchingkid
fields are validated. -
If the JWT has a
kid
field that doesn’t match any JWK, the authentication request is rejected. -
If the JWT has an
iss
(Issuer) field (instead of akid
field) that matches thekid
in one or more JWKs, the JWKs with matchingkid
fields are validated. -
If the JWT does not have a
kid
field and theiss
field does not match thekid
field in any JWK, then validation is attempted with all the JWKs with a matchingalg
(Algorithm) field.If the alg
field is not specified, thekty
(Key Type) field is used instead.
The JWTs signature is validated as follows:
-
The JWT’s signature is validated against matching JWKs.
If the JWT’s signature matches more than one JWK, validation is attempted against all matching JWKs. If the signature cannot be validated, the authentication request is rejected. -
If the matching JWK includes an
aud
(Audience) field which does not match theaud
field in the JWT, then the authentication request is rejected.The aud
field can be a string or an array of strings.If any aud
string of the JWT matches anyaud
string of the JWK, it is considered a match.Note: If the
jwks_
variable is set (non-empty), the value of this variable must be present in therequire_ audience aud
field in the JWT.If the aud
field is an array, the value of this variable must be one of the items in the array. -
If the matching JWK does not define an audience (
aud
), audience checking is skipped.Note that aud
is not a standard field in JWK.
The database username is identified as follows:
-
When the
jwks_
variable is set (non-empty), the value of this variable specifies the name of the JWT field that determines the database username.username_ field If this variable is set, all the other rules for identifying the database username are overridden/ignored. -
If the matching JWK has a
usernameFrom
field, the value of this JWK field is used to identify the name of the field in the JWT that determines the database username. -
If the JWK does not have a
usernameFrom
field, but the JWT has ausername
field, then theusername
field determines the database username. -
If the JWK does not have a
usernameFrom
field and the JWT does not have ausername
field, then thesub
field in the JWT determines the database username.
Note
The database username in the JWT, once determined, must exactly match the database username used in the connection attempt.
Configure JWKS
To authenticate using JWKS, build a JWKS configuration file that contains your public keys and serve it from your Web server via static URL.
SingleStore Helios supports the following public key signature algorithms: RS256, RS384, RS512, ES256, ES384, and ES512.
Perform the following tasks to configure JWKS.
-
Configure the certificate authority used to validate the TLS transfer of the JWKS using SSL.
This step should be performed only if you are using self-signed certificates.
If you are not using self-signed certificates then start with step 2. -
Upload a public key certificate corresponding to your TLS encryption certificate authority that secures the HTTP SSL transfers.
Use the following command to obtain the certificate (assuming that your JWKS endpoint is http://some-domain/some/path):
openssl s_client --connect some-domain.com:443 --servername some-domain.com --showcerts < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate-filename.pem-
On the Cloud Portal, select the workspace on which to enable TLS/SSL connection.
-
Under Security, select the Upload Certificate button to upload your security certificate.
Once the certificate is uploaded, it is available to all the nodes in the workspace. This lets you secure outbound connections via TLS/SSL.
-
-
Specify the certificate file.
SET GLOBAL jwks_ssl_ca_certificate='certificate-filename.pem'
-
-
Configure the JWKS endpoint.
SET GLOBAL jwks_endpoint='https://example.com/.well-known/jwks.json'Updating the endpoint configuration triggers a JWKS update and validation.
The SET GLOBAL
command returns an error if:-
The
GET
request fails. -
There are no valid keys in the updated JWKS.
A warning is generated if any JWKS is rejected, even if the JWKS has valid keys.
Information on rejected keys is available in the audit log. -
To disable JWKS updates, set the endpoint to an empty string.
SET GLOBAL jwks_endpoint=''
Optionally, you can set a refresh interval to update the JWKS configuration automatically (specify the value in seconds).
SET GLOBAL jwks_update_interval = 3600
If this value is not set, or set to 0
, the JWKS configuration updates only when the SET GLOBAL jwks_
command is run.SET GLOBAL jwks_
command with its existing value.
JWKS Update Status
To check the status of the most recent JWKS update, use the SHOW STATUS EXTENDED
command.
-
JWKS_
: Specifies the status of the update.update_ status The status can be one of the following: SUCCESS
,FAILED
, orDISABLED
.The FAILED
status is followed by the reason behind the failure, in parenthesis. -
JWKS_
: Specifies the timestamp of JWKS update.update_ time SHOW STATUS EXTENDED LIKE 'JWKS_update%';+--------------------+-----------------------------------------------------------------------+ | Variable_name | Value | +--------------------+-----------------------------------------------------------------------+ | JWKS_update_status | FAILED (Failed to connect to localhost port 8082: Connection refused) | | JWKS_update_time | Mon May 2 14:03:08 2022 EST | +--------------------+-----------------------------------------------------------------------+
Create a JWT User
Note
Creating JWT users is only supported in SingleStore Helios workspaces running SingleStore v7.
By default, each member of a SingleStore Helios organization that belongs to a workspace has a corresponding JWT user created for that workspace.
You can also manually create a JWT user using the following command:
CREATE USER 'email@example.com'@'%' IDENTIFIED WITH authentication_jwt REQUIRE SSL;
where:
-
email@example.
is the JWT user’s username.com As of SingleStore version 8. 1. 5, you may also create a JWT user with a username that resembles an email address or a UUID. -
IDENTIFIED WITH authentication_
sets the user’s authentication method to use a JWT.jwt -
REQUIRE SSL
(mandatory) enforces the use of SSL for the JWT connection.
A JWT user whose username conflicts with an organization user's email address is treated as an organization user.
Notes on JWT Authentication
The Cloud Portal creates and deletes users in the workspace to ensure that every user in the organization has corresponding JWT users.
SingleStore Helios creates two JWT users for each user in the organization:
-
User based on a UUID: The SQL Editor and other Cloud Portal functions use a UUID to identify a user.
-
User based on an email address: Browser-based SSO uses the email address to identify a user for access to SingleStore Helios workspaces.
SingleStore Helios will automatically delete any users it created when they are no longer members of the organization.
Last modified: August 13, 2024