Ejabberd: JWT token based login not working with ejabberd 20.07

Created on 18 Jan 2021 · 12 Comments · Source: processone/ejabberd

Environment

  • ejabberd version: 20.07
  • OS: Linux (Debian)
  • Installed from: official deb

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

loglevel: 5

auth_method: [jwt, internal]
jwt_key: /home/ubuntu/mysecret.jwk

access_rules:
  jwt_only:
    deny: admin
    allow: all 
    ...

jwt_auth_only_rule: jwt_only

...

mysecret.jwk


{
    "kty": "oct",
    "use": "sig",
    "k": "XckBSF7uaA5fTR4JK1QkLaguwh9MO70__kd3s8lPTWaVmbOLPE8JBIG1yPs3in9YSJER2QdxjerNaLT_6OhmX2JnB_zeUz1m7EN-ThtbKXUjwauUMoT4PE_fyuqPQMvW-rsAkBjkz0MM_rKm30IxNN3oeXdhEIhMHlVXNumMwzcG7rctUHuFZmxsNKB1CJhTgRSJA7u4Ol0Fm07KA9E4glwK-XdeYza0nMuv3CC8P72i_1eCwBs2UXRyj4VnRrdjZflY0IomZ7iDowdldJwx-WVN51xhtda8dlNMa-p_TJrKjNhBG6f_5afNWzLB9hYJ5-AZcMksZRPgafAvUAOiyw",
    "alg": "HS256"
}

Jwt Payload

{
  "jid": "test@domain",
  "exp": 1664436511
}

My generated token

eyJrdHkiOiJvY3QiLCJ1c2UiOiJzaWciLCJrIjoiWGNrQlNGN3VhQTVmVFI0SksxUWtMYWd1d2g5TU83MF9fa2QzczhsUFRXYVZtYk9MUEU4SkJJRzF5UHMzaW45WVNKRVIyUWR4amVyTmFMVF82T2htWDJKbkJfemVVejFtN0VOLVRodGJLWFVqd2F1VU1vVDRQRV9meXVxUFFNdlctcnNBa0Jqa3owTU1fckttMzBJeE5OM29lWGRoRUloTUhsVlhOdW1Nd3pjRzdyY3RVSHVGWm14c05LQjFDSmhUZ1JTSkE3dTRPbDBGbTA3S0E5RTRnbHdLLVhkZVl6YTBuTXV2M0NDOFA3MmlfMWVDd0JzMlVYUnlqNFZuUnJkalpmbFkwSW9tWjdpRG93ZGxkSnd4LVdWTjUxeGh0ZGE4ZGxOTWEtcF9USnJLak5oQkc2Zl81YWZOV3pMQjloWUo1LUFaY01rc1pSUGdhZkF2VUFPaXl3IiwiYWxnIjoiSFMyNTYifQ.eyJqaWQiOiJ0ZXN0QGRvbWFpbiIsImV4cCI6MTY2NDQzNjUxMX0.YG5vT_Nzzm6VMEBsncaRXfyZ7HOP96CgnTEaEkDKojE

Errors from error.log/crash.log

Invalid Username or password while login with jwt token

2021-01-18 14:08:21.175 [debug] <0.516.0>@mod_bosh:process:70 Incoming data: <<"<body rid='3880420061' xmlns='http://jabber.org/protocol/httpbind' sid='13e704a7ead1a2aef1c426b068d3ab1e9c05a8f1'><auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>dGVzdEBjaGF0LmVudGh1emlhc3RpYy5jb20AdGVzdAB7ICAgImppZCI6ICJ0ZXN0QGV4YW1wbGUub3JnIiwgICAiZXhwIjogMTU2NDQzNjUxMSB9</auth></body>">>
2021-01-18 14:08:21.175 [debug] <0.522.0>@ejabberd_bosh:active:384 Got request:
** Request: {body,<<>>,[{sid,<<"13e704a7ead1a2aef1c426b068d3ab1e9c05a8f1">>},{rid,3880420061}],[{xmlstreamelement,{xmlel,<<"auth">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>},{<<"mechanism">>,<<"PLAIN">>}],[{xmlcdata,<<"dGVzdEBjaGF0LmVudGh1emlhc3RpYy5jb20AdGVzdAB7ICAgImppZCI6ICJ0ZXN0QGV4YW1wbGUub3JnIiwgICAiZXhwIjogMTU2NDQzNjUxMSB9">>}]}}],305}
** From: {<0.516.0>,#Ref<0.1231748554.3898343425.51402>}
** State: {state,<<"domain">>,<<"13e704a7ead1a2aef1c426b068d3ab1e9c05a8f1">>,{{[],[]},0,unlimited},{{[],[]},0,unlimited},{state,1000,1000,1000,1610978901022130},<0.523.0>,<<"1.0">>,#Ref<0.1231748554.3898343425.51388>,#Ref<0.1231748554.3898343425.51387>,60,30,3880420060,<<>>,undefined,unlimited,{1,{3880420060,{body,<<>>,[{sid,<<"13e704a7ead1a2aef1c426b068d3ab1e9c05a8f1">>},{wait,60},{ver,<<"1.11">>},{polling,2},{inactivity,30},{hold,1},{'xmpp:restartlogic',true},{requests,2},{secure,true},{maxpause,120},{'xmlns:xmpp',<<"urn:xmpp:xbosh">>},{'xmlns:stream',<<"http://etherx.jabber.org/streams">>},{from,<<"domain">>}],[{xmlstreamstart,<<"stream:stream">>,[{<<"id">>,<<"12451967324874246561">>},{<<"version">>,<<"1.0">>},{<<"xml:lang">>,<<"en">>},{<<"xmlns:stream">>,<<"http://etherx.jabber.org/streams">>},{<<"from">>,<<"domain">>},{<<"xmlns">>,<<"jabber:client">>}]},{xmlstreamelement,{xmlel,<<"stream:features">>,[],[{xmlel,<<"mechanisms">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>}],[{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"PLAIN">>}]},{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"X-OAUTH2">>}]}]},{xmlel,<<"register">>,[{<<"xmlns">>,<<"http://jabber.org/features/iq-register">>}],[]}]}}],0},nil,nil}},{0,nil},{{[],[]},0,1000},{{0,0,0,0,0,65535,12580,18074},50622},2}
2021-01-18 14:08:21.176 [debug] <0.522.0>@ejabberd_shaper:update:75 Shaper update:
#state{maxrate = 1000,burst_size = 1000,acquired_credit = 1000,
       lasttime = 1610978901022130} =>
{#state{maxrate = 1000,burst_size = 1000,acquired_credit = 848,
        lasttime = 1610978901175960},
 0}
2021-01-18 14:08:21.176 [debug] <0.523.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_handle_recv: mod_stream_mgmt:c2s_handle_recv/3
2021-01-18 14:08:21.176 [debug] <0.523.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_auth_result: ejabberd_c2s:process_auth_result/3
2021-01-18 14:08:21.176 [warning] <0.523.0>@ejabberd_c2s:process_auth_result:276 (http_bind|<0.522.0>) Failed c2s PLAIN authentication for test@domain from ::ffff:49.36.70.154: Invalid username or password
2021-01-18 14:08:21.176 [debug] <0.523.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_auth_result: mod_fail2ban:c2s_auth_result/3
2021-01-18 14:08:21.176 [info] <0.523.0> (http_bind|<0.522.0>) Send XML on stream = <<"<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text xml:lang='en'>Invalid username or password</text></failure>">>
2021-01-18 14:08:21.177 [debug] <0.522.0>@ejabberd_bosh:do_reply:679 Send reply:
** RequestID: 3880420061
** Reply: {body,<<>>,[],[{xmlstreamelement,{xmlel,<<"failure">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>}],[{xmlel,<<"not-authorized">>,[],[]},{xmlel,<<"text">>,[{<<"xml:lang">>,<<"en">>}],[{xmlcdata,<<"Invalid username or password">>}]}]}}],0}
** To: {<0.516.0>,#Ref<0.1231748554.3898343425.51402>}
** State: {state,<<"domain">>,<<"13e704a7ead1a2aef1c426b068d3ab1e9c05a8f1">>,{{[],[]},0,unlimited},{{[],[]},0,unlimited},{state,1000,1000,848,1610978901175960},<0.523.0>,<<"1.0">>,#Ref<0.1231748554.3898343425.51415>,#Ref<0.1231748554.3898343425.51406>,60,30,3880420061,<<>>,undefined,unlimited,{1,{3880420060,{body,<<>>,[{sid,<<"13e704a7ead1a2aef1c426b068d3ab1e9c05a8f1">>},{wait,60},{ver,<<"1.11">>},{polling,2},{inactivity,30},{hold,1},{'xmpp:restartlogic',true},{requests,2},{secure,true},{maxpause,120},{'xmlns:xmpp',<<"urn:xmpp:xbosh">>},{'xmlns:stream',<<"http://etherx.jabber.org/streams">>},{from,<<"domain">>}],[{xmlstreamstart,<<"stream:stream">>,[{<<"id">>,<<"12451967324874246561">>},{<<"version">>,<<"1.0">>},{<<"xml:lang">>,<<"en">>},{<<"xmlns:stream">>,<<"http://etherx.jabber.org/streams">>},{<<"from">>,<<"domain">>},{<<"xmlns">>,<<"jabber:client">>}]},{xmlstreamelement,{xmlel,<<"stream:features">>,[],[{xmlel,<<"mechanisms">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>}],[{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"PLAIN">>}]},{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"X-OAUTH2">>}]}]},{xmlel,<<"register">>,[{<<"xmlns">>,<<"http://jabber.org/features/iq-register">>}],[]}]}}],0},nil,nil}},{1,{3880420061,{{<0.516.0>,#Ref<0.1231748554.3898343425.51402>},{body,<<>>,[],[],0}},nil,nil}},{{[],[]},0,1000},{{0,0,0,0,0,65535,12580,18074},50622},2}



Bug description

  • I have followed the blog post at https://www.process-one.net/blog/ejabberd-19-08/ and enabled the JWT token with ejabberd server 20.07.
  • I tried to create a new JWT token from https://jwt.io/ as shown in the attached screenshot, but when I passed the generated JWT token as a password it gives me invalid username/password all the time.

Question

Most helpful comment

Please use

{
  "alg": "HS256",
  "typ": "JWT"
}

as header in that generator

you also need to fill sha256 in verify signature with your key - you can find it as "k" in mysecret.jwk (and check "secret is base64 encoded")

All 12 comments

Even I'm facing the same issue. Let me know if you have resolved it! Thanks.

Hello,

It seems that you aren't sending the correct "password"; after decoding what was sent inside the <auth/> element we are getting "JID\0{ "jid": "[email protected]", "exp": 1564436511 }", and this is just too short - it contains only header from jwt. You need to send everything that jwt.io outputs in encoded field.

I just checked that with latest version of ejabberd and it is working correctly here - tokens generated on jwt.io allow me to login to server.

@vavadiyahiren
Were you able to solve it?

loglevel: 5

I'm passing the JID in the Username field and the JWT token in the password field. I copied everything from the encoded value on jwt.io. Can you please look at it?

2021-01-20 13:50:06.798 [info] <0.511.0> (tls|<0.511.0>) Received XML on stream = <<"<auth mechanism=\"PLAIN\" xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">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</auth>">>
2021-01-20 13:50:06.798 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_auth_result: mod_fail2ban:c2s_auth_result/3
2021-01-20 13:50:06.798 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_handle_send: mod_push:c2s_stanza/3
2021-01-20 13:50:06.798 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_handle_send: mod_push_keepalive:c2s_stanza/3
2021-01-20 13:50:06.798 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_handle_send: mod_stream_mgmt:c2s_handle_send/3
2021-01-20 13:50:06.798 [info] <0.511.0> (tls|<0.511.0>) Send XML on stream = <<"<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text xml:lang='en'>Invalid username or password</text></failure>">>
2021-01-20 13:50:07.123 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_closed: mod_stream_mgmt:c2s_closed/2
2021-01-20 13:50:07.123 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_closed: ejabberd_c2s:process_closed/2
2021-01-20 13:50:07.123 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_terminated: mod_stream_mgmt:c2s_terminated/2
2021-01-20 13:50:07.123 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_terminated: mod_pubsub:on_user_offline/2
2021-01-20 13:50:07.123 [debug] <0.511.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_terminated: ejabberd_c2s:process_terminated/2
2021-01-20 13:50:07.124 [info] <0.511.0> (tls|<0.511.0>) Send XML on stream = <<"</stream:stream>">>

@prefiks
Please refer to my attached screenshot from jwt.io; can you point out the possible area where I made a mistake?

If somebody can help me, maybe I can create nice documentation on it so we can have an answer for all the people who are suffering from this pain.

Here is what I am sending from the client side


<body rid='2875244395' xmlns='http://jabber.org/protocol/httpbind' sid='d05f2115b40d5fbfcc5c2b6cb7f3ca8a4d455f0c'><auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>dGVzdEBjaGF0LmVudGh1emlhc3RpYy5jb20AdGVzdABleUpyZEhraU9pSnZZM1FpTENKMWMyVWlPaUp6YVdjaUxDSnJJam9pV0dOclFsTkdOM1ZoUVRWbVZGSTBTa3N4VVd0TVlXZDFkMmc1VFU4M01GOWZhMlF6Y3poc1VGUlhZVlp0WWs5TVVFVTRTa0pKUnpGNVVITXphVzQ1V1ZOS1JWSXlVV1I0YW1WeVRtRk1WRjgyVDJodFdESktia0pmZW1WVmVqRnROMFZPTFZSb2RHSkxXRlZxZDJGMVZVMXZWRFJRUlY5bWVYVnhVRkZOZGxjdGNuTkJhMEpxYTNvd1RVMWZja3R0TXpCSmVFNU9NMjlsV0dSb1JVbG9UVWhzVmxoT2RXMU5kM3BqUnpkeVkzUlZTSFZHV20xNGMwNUxRakZEU21oVVoxSlRTa0UzZFRSUGJEQkdiVEEzUzBFNVJUUm5iSGRMTFZoa1pWbDZZVEJ1VFhWMk0wTkRPRkEzTW1sZk1XVkRkMEp6TWxWWVVubHFORlp1VW5Ka2FscG1iRmt3U1c5dFdqZHBSRzkzWkd4a1NuZDRMVmRXVGpVeGVHaDBaR0U0Wkd4T1RXRXRjRjlVU25KTGFrNW9Ra2MyWmw4MVlXWk9WM3BNUWpsb1dVbzFMVUZhWTAxcmMxcFNVR2RoWmtGMlZVRlBhWGwzSWl3aVlXeG5Jam9pU0ZNeU5UWWlmUS5leUpxYVdRaU9pSjBaWE4wUUdOb1lYUXVaVzUwYUhWNmFXRnpkR2xqTG1OdmJTSXNJbVY0Y0NJNk1UWTJORFF6TmpVeE1YMC5pM2RSSU4zcnJXQ1lSSUdhWGVIYmg5cUNnNFhKUnVoVlBzNU84YmV2aHdN</auth></body>

Here is the server log


* Request: {body,<<>>,[{sid,<<"d05f2115b40d5fbfcc5c2b6cb7f3ca8a4d455f0c">>},{rid,2875244395}],[{xmlstreamelement,{xmlel,<<"auth">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>},{<<"mechanism">>,<<"PLAIN">>}],[{xmlcdata,<<"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">>}]}}],1081}
** From: {<0.519.0>,#Ref<0.828007414.1932263425.10384>}
** State: {state,<<"domain">>,<<"d05f2115b40d5fbfcc5c2b6cb7f3ca8a4d455f0c">>,{{[],[]},0,unlimited},{{[],[]},0,unlimited},{state,1000,1000,1000,1611152756120256},<0.521.0>,<<"1.0">>,#Ref<0.828007414.1932263425.10376>,#Ref<0.828007414.1932263425.10337>,60,30,2875244394,<<>>,undefined,unlimited,{1,{2875244394,{body,<<>>,[{sid,<<"d05f2115b40d5fbfcc5c2b6cb7f3ca8a4d455f0c">>},{wait,60},{ver,<<"1.11">>},{polling,2},{inactivity,30},{hold,1},{'xmpp:restartlogic',true},{requests,2},{secure,true},{maxpause,120},{'xmlns:xmpp',<<"urn:xmpp:xbosh">>},{'xmlns:stream',<<"http://etherx.jabber.org/streams">>},{from,<<"domain">>}],[{xmlstreamstart,<<"stream:stream">>,[{<<"id">>,<<"12041665441742072190">>},{<<"version">>,<<"1.0">>},{<<"xml:lang">>,<<"en">>},{<<"xmlns:stream">>,<<"http://etherx.jabber.org/streams">>},{<<"from">>,<<"domain">>},{<<"xmlns">>,<<"jabber:client">>}]},{xmlstreamelement,{xmlel,<<"stream:features">>,[],[{xmlel,<<"mechanisms">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>}],[{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"PLAIN">>}]},{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"X-OAUTH2">>}]}]},{xmlel,<<"register">>,[{<<"xmlns">>,<<"http://jabber.org/features/iq-register">>}],[]}]}}],0},nil,nil}},{0,nil},{{[],[]},0,1000},{{0,0,0,0,0,65535,12580,18074},53722},2}
2021-01-20 14:25:56.268 [debug] <0.520.0>@ejabberd_shaper:update:75 Shaper update:
#state{maxrate = 1000,burst_size = 1000,acquired_credit = 1000,
       lasttime = 1611152756120256} =>
{#state{maxrate = 1000,burst_size = 1000,acquired_credit = 66,
        lasttime = 1611152756268174},
 0}
2021-01-20 14:25:56.268 [debug] <0.521.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_handle_recv: mod_stream_mgmt:c2s_handle_recv/3
2021-01-20 14:25:56.280 [debug] <0.521.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_auth_result: ejabberd_c2s:process_auth_result/3
2021-01-20 14:25:56.280 [warning] <0.521.0>@ejabberd_c2s:process_auth_result:276 (http_bind|<0.520.0>) Failed c2s PLAIN authentication for test@domain from ::ffff:49.36.70.154: Invalid username or password
2021-01-20 14:25:56.280 [debug] <0.521.0>@ejabberd_hooks:safe_apply:231 Running hook c2s_auth_result: mod_fail2ban:c2s_auth_result/3
2021-01-20 14:25:56.284 [info] <0.521.0> (http_bind|<0.520.0>) Send XML on stream = <<"<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text xml:lang='en'>Invalid username or password</text></failure>">>
2021-01-20 14:25:56.285 [debug] <0.520.0>@ejabberd_bosh:do_reply:679 Send reply:
** RequestID: 2875244395
** Reply: {body,<<>>,[],[{xmlstreamelement,{xmlel,<<"failure">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>}],[{xmlel,<<"not-authorized">>,[],[]},{xmlel,<<"text">>,[{<<"xml:lang">>,<<"en">>}],[{xmlcdata,<<"Invalid username or password">>}]}]}}],0}
** To: {<0.519.0>,#Ref<0.828007414.1932263425.10384>}
** State: {state,<<"domain">>,<<"d05f2115b40d5fbfcc5c2b6cb7f3ca8a4d455f0c">>,{{[],[]},0,unlimited},{{[],[]},0,unlimited},{state,1000,1000,66,1611152756268174},<0.521.0>,<<"1.0">>,#Ref<0.828007414.1932263425.10414>,#Ref<0.828007414.1932263425.10388>,60,30,2875244395,<<>>,undefined,unlimited,{1,{2875244394,{body,<<>>,[{sid,<<"d05f2115b40d5fbfcc5c2b6cb7f3ca8a4d455f0c">>},{wait,60},{ver,<<"1.11">>},{polling,2},{inactivity,30},{hold,1},{'xmpp:restartlogic',true},{requests,2},{secure,true},{maxpause,120},{'xmlns:xmpp',<<"urn:xmpp:xbosh">>},{'xmlns:stream',<<"http://etherx.jabber.org/streams">>},{from,<<"domain">>}],[{xmlstreamstart,<<"stream:stream">>,[{<<"id">>,<<"12041665441742072190">>},{<<"version">>,<<"1.0">>},{<<"xml:lang">>,<<"en">>},{<<"xmlns:stream">>,<<"http://etherx.jabber.org/streams">>},{<<"from">>,<<"domain">>},{<<"xmlns">>,<<"jabber:client">>}]},{xmlstreamelement,{xmlel,<<"stream:features">>,[],[{xmlel,<<"mechanisms">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-sasl">>}],[{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"PLAIN">>}]},{xmlel,<<"mechanism">>,[],[{xmlcdata,<<"X-OAUTH2">>}]}]},{xmlel,<<"register">>,[{<<"xmlns">>,<<"http://jabber.org/features/iq-register">>}],[]}]}}],0},nil,nil}},{1,{2875244395,{{<0.519.0>,#Ref<0.828007414.1932263425.10384>},{body,<<>>,[],[],0}},nil,nil}},{{[],[]},0,1000},{{0,0,0,0,0,65535,12580,18074},53722},2}

Please use

{
  "alg": "HS256",
  "typ": "JWT"
}

as header in that generator

you also need to fill sha256 in verify signature with your key - you can find it as "k" in mysecret.jwk (and check "secret is base64 encoded")

@prefiks
If you don't mind, can you give me a personal contact or email?

Please use this ticket, it can be helpful for others as well.

and others can help :)

Part of the problem is that the username JID provided does not match that in the JWT

In https://github.com/processone/ejabberd/issues/3491#issuecomment-763622548, Username JID is "hello" but the JID in the JWT is "[email protected]" - they must match.

In https://github.com/processone/ejabberd/issues/3491#issuecomment-763636306, Username JID is "[email protected]\0test" (actually not sure if this will parse correctly at all, it looks like there are 3 \0 separated fields in <auth/> here) but the JID in the JWT is "[email protected]"

Bingo, it worked, thanks for the help :)

Those zeros are part of plain authentication; it's built from 3 components, username, zone, and password, combined with \0 and base64 encoded.

Both of those tokens have the wrong header; in both you passed your secret key, but it should just have alg and typ. As I said above, the secret key (and by that I mean 'k' from that json file) should be passed as the sha256 key in that generator, and it should work like that.
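
A diagnostic sketch for the failures discussed in this thread, added here as an example (it is not ejabberd's code and was not posted in the issue): it decodes a SASL PLAIN payload, checks the JWT header, verifies the HS256 signature with the `k` value of the JWK, and compares the `jid` claim with the login name. The function names, the demo key and claims, and the bare-JID comparison are assumptions.

```python
import base64, hashlib, hmac, json

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(header, claims, key):
    """Build an HS256 JWT; used only to construct the sample inputs."""
    body = ".".join(b64u_enc(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + b64u_enc(sign(body, key))

def plain(user, password):
    """SASL PLAIN: authzid NUL authcid NUL password, then base64."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def diagnose(auth_b64, jwk, domain, now):
    """List what is wrong with the JWT carried in a PLAIN <auth/> payload."""
    fields = base64.b64decode(auth_b64).split(b"\0")
    if len(fields) != 3:
        return ["PLAIN payload needs 3 NUL-separated fields"]
    user, password = fields[1].decode(), fields[2].decode()
    parts = password.split(".")
    if len(parts) != 3:
        return ["password is not a full header.payload.signature token"]
    try:
        header, claims = (json.loads(b64u_dec(p)) for p in parts[:2])
        signature = b64u_dec(parts[2])
    except ValueError:
        return ["token segments are not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != jwk["alg"]:
        problems.append("header alg differs from the JWK alg")
    if {"k", "kty", "use"} & set(header):
        problems.append("header carries JWK key material")
    expected = sign(parts[0] + "." + parts[1], b64u_dec(jwk["k"]))
    if not hmac.compare_digest(expected, signature):
        problems.append("signature does not verify with the JWK secret")
    # Assumption: the jid claim is compared as a bare JID, user@domain.
    if claims.get("jid") != (user if "@" in user else f"{user}@{domain}"):
        problems.append("jid claim does not match the login username")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

# Constructed sample key and claims, not taken from the thread.
DEMO_JWK = {"kty": "oct", "use": "sig", "alg": "HS256",
            "k": b64u_enc(b"constructed-demo-secret-0123456789")}
CLAIMS = {"jid": "test@example.org", "exp": 2000000000}
GOOD = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, b64u_dec(DEMO_JWK["k"]))
```

Calling `diagnose(plain("test", GOOD), DEMO_JWK, "example.org", now)` returns an empty list for a well-formed login; each mistake made in the thread (raw JSON as the password, the JWK pasted as the header, a username that differs from the `jid` claim) produces its own entry.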

Kill me for such mistakes! Thank you so much.
