JWT Based Auth

Hi everyone! I’m having some trouble trying to figure out how to use JWT based authentication and I was hoping someone could point me to the right direction :sweat_smile:

Documentation states that "Requests to the server need to contain a valid JWT token in the Authorization header that is signed using this secret and the HS256 algorithm.

The user must have username and role attributes. If the role is admin, all endpoints are accessible. If the role is user, endpoints with a sender_id parameter are only accessible if the sender_id matches the user’s username."

I was wondering how is it possible to assign to user an username and role attributes? Another question is what could be going wrong in my request (jwtToken is matching --jwt-secret in rasa run command):

curl -X POST \
  http://localhost:5002/conversations/default/execute \
  -H 'Authorization: Bearer jwtToken' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "utter_ajuda"
}'

{
    "version": "1.2.5",
    "status": "failure",
    "message": "User is not authenticated.",
    "reason": "NotAuthenticated",
    "details": {},
    "help": "https://rasa.com/docs/rasa/user-guide/running-the-server/#security-considerations",
    "code": 401
} 

A bit new to this, hope someone can help! Thanks a lot in advance :relaxed:

Hi @carla.lmeida, thanks for your question. As you pointed out correctly, you need to attach an Authorization header with a signed JWT to your request. The payload of that JWT needs to be a dictionary with a user field, containing a dictionary with username and role fields. Here’s one way of achieving this in python:

import jwt 

payload = {"user": {"username": "user123", "role": "admin"}}
signed = jwt.encode(payload, "secret", algorithm='HS256')

now if you want to send off the request in python, your auth header would be

header = {"Authorization": "Bearer {}".format(signed)}

or if not you may take the string signed and build a header for your curl command:

-H 'Authorization: Bearer <signed>'

I hope that helps!

3 Likes

@ricwo In my case I am using socket.io in angular to connect with rasa by specifying user_uttered and bot_uttered. Its working perfectly fine and im able to communicate with the server without any hassles. I want to JWT based authentication for some actions. How can i pass jwt token from the angular file itself. The documentation is not detailed. There mus be a step by step guide for achieving that too.

1 Like

hello, could you please guide me how you implemented JWT authentication on rasa server. I ran my chatbot using rasa run
-m models
–enable-api
–log-file out.log
–jwt-secret thisismysecret

Still I am able to request the server without providing any jwt token while hitting the chatbot API. Thanks in advance