JWT Token Authentication and Disable SASL Authentication

Hi Team,

We are trying to integrate Openfire in our organisation. It seems to be very good opensource server library for chat. Thanks to the community and team.

I am trying to do some code changes or write a plugin which basically disables the SASL authentication and user name password authentication, which is used in the http-bind embedded bosh server in openfire.

I want the authentication to be done based on JWT token which will be passed in the cookies in request from front end. This JWT token will contain the username and once user will try to access openfire than it will automatically get logged in and create a session by extracting the user details from the JWT token.

Is there any way to write a plugin (which class I need to extend ? ) or configuration to achieve this.

I have looked into the source code and finds that currently BoshServer is getting initiated from HttpBindManager and while registering HttpBindServlet there is no option to register any Filters, is it possible to register custom filters in plugin?

Also I have seen that HttpServletRequest object is only available in HttpBindServlet and there is no provision to retrieve the cookies or pass cookies into other layer. also in SessionPacketRouter while routing packages SASLAuthentication.handle(session, wrappedElement); is hardcoded and no provision to call any plugin class.

We are trying to connect with Strophe.js or conversejs for the front end.

1 Like

To use JWT authentication , you can create a custom implementation of the interface:

public interface AuthProvider {...}

And use the “password” field of the Authenticate(login, password) method to pass the token (and pass the login as the login). It’s what we are doing through Strophe.js and it’s working.

Then in the properties of the server, you have to configure the server property:

provider.auth.className

to the class name of you custom implementation. Note that to implement that it’s better to create a classical JAR that you will store in the /lib folder of Openfire, not a plugin (because of classpath limitation due to security reason).

You can also desactivate all the other auth providers by removing them from Openfire properties.

1 Like

I’m implementing the same thing.Let me know if this is working for you.

I didn’t understand the classpath limitation . what do you mean by that?

@ Vinit ParadoX, Yes the above approach works for me for JWT authentication

@BPT Thanks, I tried in this way

  1. Change the SASL mechanism to PLAIN in conversejs or Strophe Js to that it will call the authenticate method of AuthProvider because default SCRAM-SHA-1 doesn’t call the authenticate.
  2. I created a simple jar with Class extending the AuthProvider and have written my logic to use JWT token and than do the successful login.

But I have a doubt as the above approach which I followed is not a proper architecture by doing authentication again in Openfire.
Is there any functionality or SSO approach which I can follow to remove this second authentication in Openfire if first authentication in my application is successful.
is there any way via SSO where I can pass the user context with roles and then the openfire should create the session

@Vinit_ParadoX, In Openfire the plugins are loaded by a separate classloader (a child of Openfire’s main classloader)in Openfire, so that means that plugins will not have the rights to access all API/methods/functions/objects… of Openfire during runtime. And for authentication you need to access low-level code of Openfire. (See this Custom authProvider class not found when deploying plugin)

@gauravdalela, if you want a “real” SSO like CAS, OAuth, SAMLv2… then you will have to implement it in Openfire because currently it doesn’t exist.

@Bpt thanks for reply, I just curious to understand if SAMv2 or OAuth SSO can be implemented without changing the openfire source code, can we write any plugin or any interface which we can implement, I see for active directory How To: Video on setting up SSO/AD with Openfire which mentioned but for other mechanism . is there any video or do you have any article which I can refer for eg. SAML with out changing source code of openfire but we are open to write any plugins or external lib…Thanks for your support

No I think currently there is not “one interface” that could be implemented to add OAuth or SAMLv2. It will need modifications in the codebase of Openfire. And by the way I wonder how easy or not it could be as you have multiple “entry points” to protect (xmpp native connection, http bind (bosh) connections, websockets connections…). You will have to dig into their RFCs to see how they can be protected by SSO mechanisms :slightly_smiling_face:

1 Like

Can you share me the steps to implement jwt auth. I’m fairly new in openfire.

@Vinit_ParadoX
Step 1: You need to use some third party or some external code to generate the JWT token which will have the User Identity or roles or else which you want later.
Step 2: Create a simple Java project and create some class which should implement AuthProvider and override authenticate method.
Step 3: in the authenticate write your logic to get the claims from JWT token and perform the success-full authentication if your JWT able to decrypt based on Algorithm and secret key, remember secret key and Algorithm should be same as you used in Step 1 while generating JWT token.
Step 4: Pass JWT token from front end via passing in password parameter either from Strophe or Converse

1 Like

Thanks a lot.!!

When a create a java module in openfire folder. I am unable to implement Auth Provider. because i cannot import it. Do i have to make it a plugin ?

Please create a maven project and add dependency to xmppserver jar or via adding dependency via build path

1 Like

Thanks

You steps worked fine. I have another question. My requirement is to authenticate through jwt only so,
client will send jwt token without any username. The token will contain username so how does this affect later processing? How can i provide openfire the username at the time of authentication? is the same param then sent to get chat history?