JWT-AUTH not work well per the documentation guidance

[lewiseliu]

Hi Community

We tried to setup the key pair feature on base of JWT-Auth and Public-API plugin. But seems the documentation guidance can not works well, now we are blocking on curl 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key' which feedback '404 Not Found'.

The guidance we are following include:

• jwt-auth: https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/jwt-auth.md
• jwt-auth: https://apisix.apache.org/docs/apisix/plugins/jwt-auth/
• public-api: https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/public-api.md

Please refer to our operation step as Appendix.

Your feedback is really appreciated so much.........................................

Appendix:
create a Consumer object through the Admin API:

$ curl http://127.0.0.1:9080/apisix/admin/consumers \
> -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
> {
>     "username": "jack",
>     "plugins": {
>         "jwt-auth": {
>             "key": "user-key",
>             "secret": "my-secret-key"
>         }
>     }
> }'

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 411 0 259 100 152 10891 6391 --:--:-- --:--:-- --:--:-- 18681{"node":{"value":{"create_time":1660214479,"username":"jack","plugins":{"jwt-auth":{"algorithm":"HS256","secret":"my-secret-key","key":"user-key","base64_secret":false,"exp":86400}},"update_time":1660214479},"key":"/apisix/consumers/jack"},"action":"set"}

$ curl http://127.0.0.1:9080/apisix/admin/routes/jas \
> -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
> {
>     "uri": "/apisix/plugin/jwt/sign",
>     "plugins": {
>         "public-api": {}
>     }
> }'

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 305 0 215 100 90 7439 3114 --:--:-- --:--:-- --:--:-- 11296{"node":{"value":{"uri":"/apisix/plugin/jwt/sign","priority":0,"update_time":1660214958,"status":1,"plugins":{"public-api":{}},"create_time":1660214958,"id":"jas"},"key":"/apisix/routes/jas"},"action":"set"}

$ curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key -i
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 150 100 150 0 0 8385 0 --:--:-- --:--:-- --:--:-- 9375HTTP/1.1 404 Not Found
Server: openresty
Date: Thu, 11 Aug 2022 10:50:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 150
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>openresty</center>
</body>
</html>

enable public-api Plugin on a specific Route as shown below:

curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/r1' \
    -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
    -H 'Content-Type: application/json' \
    -d '{
    "uri": "/apisix/plugin/jwt/sign",
    "plugins": {
        "public-api": {}
    }
}'

$ curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/r1' \

-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
-H 'Content-Type: application/json' \
-d '{
"uri": "/apisix/plugin/jwt/sign",
"plugins": {
    "public-api": {}
}

}'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 302 0 213 100 89 6584 2751 --:--:-- --:--:-- --:--:-- 9741{"node":{"value":{"uri":"/apisix/plugin/jwt/sign","priority":0,"update_time":1660215178,"status":1,"plugins":{"public-api":{}},"create_time":1660215178,"id":"r1"},"key":"/apisix/routes/r1"},"action":"set"}

$ curl 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key'
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 150 100 150 0 0 5644 0 --:--:-- --:--:-- --:--:-- 6250

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>openresty</center>
</body>
</html>

Besides, we found there shoudl be a bug in APISIX Helm chart, it is, the Plugins lacked public-api in the values.yaml. Only after we add it, below operation can works "curl http://127.0.0.1:9080/apisix/admin/routes/jas". But the token still unable to sign with curl 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key'`

[bzp2010]

Hi, @lewiseliu

Yes, the list of plugins is now in the values file of the helm chart, it may not be up to date. You can create an issue https://github.com/apache/apisix-helm-chart/issues/new here to expose this issue.

[lewiseliu]

@tzssangglass, really appreciated. Please below link for the online Tencent meeting. it is drafted on 19:00 - 23:00 Saterday (Today). But it is really up to your available time slot. (We are reading the source code of JWT-AUTH as well)

会议时间：2022/08/15 11:00-12:00 (GMT+08:00) 中国标准时间 - 北京

点击链接入会，或添加至会议列表：
https://meeting.tencent.com/dm/kSxGTqQGUksC

#腾讯会议：898-880-424

[tzssangglass]

Sorry, that's my time off, we can reschedule a meeting during work hours.

[lewiseliu]

@tzssangglass Sure, up to your time, no worry. Please check below time slot availability:
会议时间：2022/08/15 11:00-12:00 (GMT+08:00) 中国标准时间 - 北京
https://meeting.tencent.com/dm/kSxGTqQGUksC
#腾讯会议：898-880-424
By the way, we study on the test case for public_api from t\plugin\public-api.t, but we still not make it work.

[tzssangglass]

got it

[tzssangglass]

after the meeting, we fixed this. It is due to the local configuration.

[lewiseliu]

We moved values.yaml issue ("curl http://127.0.0.1:9080/apisix/admin/routes/jas") to another issue session(apache/apisix-helm-chart#324) , and here only talk about 404 not found with curl 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key'`

This JWT-AUTH questions already be answered by @tzssangglass per call.

[tokers]

@lewiseliu BTW, do you see any suspicious logs in error.log?

[tzssangglass]

we have fixed this.

[lewiseliu]

Thanks online call help from @tzssangglass, finally it was resolved, with below summary. Thanks you for your caring @tokers

Lesson Learn:
On official documentation, only 9080 port is mentioned on curl test case, and not highlighted about the admin port 9180 and runtime port 9080. So that with Helm deployment, we misunderstand Admin port for Token issue instead of runtime port, which is the root cause about this 404 issue.

Troubleshooting Steps:

1.	Housekeeping etcd data, by deleting etcd pod
The background is, the poc etcd storage was setup on base of temporary storage;
2.	Network exposing
$ Kubectl get pods 
$ kubectl port-forward pods/apisix-898d998c8-hdpzs 9080:9080
$ kubectl port-forward pods/apisix-898d998c8-hdpzs 9180:9180
$ kubectl port-forward svc/apisix-dashboard 8080:80
Note: On official documentation, every thing is about 9080, and not highlighted about the admin port 9180 and runtime port 9080, so that on Helm deployment scenario, we misused Admin port for Token issue, which is the root cause about this 404 issue. 

3.	Setup public_api plugin route
curl --location --request PUT 'http://localhost:9180/apisix/admin/routes/r1 \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data-raw '{
    "uri": "/apisix/plugin/jwt/sign",
    "plugins": {
        "public-api": {}
    }
}'

Response:
{
    "node": {
        "value": {
            "update_time": 1660553783,
            "create_time": 1660549078,
            "priority": 0,
            "plugins": {
                "jwt-auth": {
                    "key": "user-key",
                    "query": "jwt",
                    "header": "authorization",
                    "secret": "user-key",
                    "cookie": "jwt"
                },
                "public-api": {}
            },
            "id": "user",
            "uri": "/apisix/plugin/jwt/sign",
            "status": 1
        },
        "key": "/apisix/routes/user"
    },
    "action": "set"
}


4.	Access test
If no authentication, the public-api can not be consumed. 
Access to http://127.0.0.1:9080/apisix/plugin/jwt/sign, 404 will be responsed. 

Note: by default there are 2 listener ports on apisix pod, 9080 and 9180. 
9080 for runtime gateway and 9180 for admin. 

5.	Setup JWT_AUTH Plugin consumer for authorization sign
	
Note: 可以选择jwt-auth（key/secret模式）或者直接key-auth
curl --location --request PUT 'http://localhost:9180/apisix/admin/consumers' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data-raw '{
    "username": "jack",
    "plugins": {
        "jwt-auth": {
            "key": "user-key",
            "secret": "my-secret-key"
        }
    }
}'


Response:
{
    "node": {
        "value": {
            "plugins": {
                "jwt-auth": {
                    "exp": 86400,
                    "key": "user-key",
                    "base64_secret": false,
                    "secret": "my-secret-key",
                    "algorithm": "HS256"
                }
            },
            "update_time": 1660556291,
            "username": "jack",
            "create_time": 1660555518
        },
        "key": "/apisix/consumers/jack"
    },
    "action": "set"
}

6.	Access test

curl --location --request GET 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key'

response:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTY2MDY0MjQ3MH0.wyXGkWxkwrZOnq-W2YutCi0zfXCv1ry1UeYgrQFB7ls