You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: security-compatibility-with-mysql.md
+122-1Lines changed: 122 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -145,4 +145,125 @@ The support for TLS authentication is configured differently. For detailed infor
145
145
146
146
`tidb_auth_token` is a JSON Web Token (JWT) based authentication method used in TiDB Cloud, which can be used for self-hosted after configuration. Different from authentication based on password like `mysql_native_password` or `caching_sha2_password`, when creating users in `tidb_auth_token`, no custom password is needed. When authenticating users with `tidb_auth_token` for logging to TiDB, a signed token is required instead of password, which simplifying the authentication process and improving the security.
147
147
148
-
JWT consists of 3 parts: Header, Payload, and Signature.
148
+
JWT consists of 3 parts: Header, Payload, and Signature. After being encoded using base64, they are concatenated into a stirng separated by dots (`.`).
149
+
150
+
The Header describe the meta data of the JWT, including 3 parameters:
151
+
152
+
*`alg` means the algorithm for signature, default as `RS256`
153
+
*`typ` means the type of token, unified as `JWT`
154
+
*`kid` means the key id for generating token signature
155
+
156
+
Here is an example for Header:
157
+
158
+
```json
159
+
{
160
+
"alg": "RS256",
161
+
"kid": "the-key-id-0",
162
+
"typ": "JWT"
163
+
}
164
+
```
165
+
166
+
The Payload is the main part of JWT, which stores the user information in *clains*. These claims are required by `tidb_auth_token` users:
167
+
168
+
*`iss`: if `TOKEN_ISSUER` is not set or set to empty when [`CREATE USER`](/sql-statements/sql-statement-create-user.md), this claim is not required; or this claim should be the same as the setting value
169
+
*`sub`: this claim is required to be the same as the user name
170
+
*`iat`: means `issued at`. In TiDB, it is required not to be later than the time of authentication and not earlier than 15 minutes before authentication
171
+
*`exp`: means `expiration time`. If it is earlier than the time of authentication, the authentication fails
172
+
173
+
In addition, some other claim(s) are required in TiDB:
174
+
175
+
*`email`: The email can be specified when creating user by `ATTRIBUTE '{"email": "[email protected]"}`. If no email was giving when creating user, this claim should be set as an empty string; or it should be the same as the specified value
> 1. The encoding of the Header and Payload in base64 is reversible. Please do not attach any sensitive information in them
205
+
> 2. The `tidb_auth_token` authentication requires that the client supports [`mysql_clear_password`](https://dev.mysql.com/doc/refman/8.0/en/cleartext-pluggable-authentication.html) plugin to send the token to TiDB in clear text. Therefore, please [enale TLS between clients and servers](/enable-tls-between-clients-and-servers.md) before using `tidb_auth_token`
206
+
207
+
Here are the steps to config before using `tidb_auth_token`:
208
+
209
+
1. Config [`auth-token-jwks`](/tidb-configuration-file.md#auth-token-jwks-new-in-v640) and [`auth-token-refresh-interval`](/tidb-configuration-file.md#auth-token-refresh-interval-new-in-v640) in the configuration file
210
+
2. Save the JWKS periodly to the path specified by `auth-token-jwks`
211
+
3. Create a user with `tidb_auth_token`, and sepcify `iss` and `email` by `REQUIRE TOKEN_ISSUER` and `ATTRIBUTE '{"email": "[email protected]"}`
212
+
4. Generate and sign a token used for authentication, authencating with mysql client's `mysql_clear_text` plugin
213
+
214
+
#### Example
215
+
216
+
1. Install JWT genration tool by `go install github.com/cbcwestwolf/generate_jwt`. This tool is only used for testing `tidb_auth_token`
217
+
2. Get the example JWKS: `wget https://raw.githubusercontent.com/CbcWestwolf/generate_jwt/master/JWKS.json`
218
+
3. Config the path of above JWKS in `config.toml`:
Note that the mysql client here should support `mysql_clear_password` plugin. [mycli](https://www.mycli.net/) supports and enable this plugin default. If using [mysql command-line client](https://dev.mysql.com/doc/refman/8.0/en/mysql.html), an option `--enable-cleartext-plugin` is required to enable this plugin.
262
+
263
+
```Shell
264
+
mysql -h 127.0.0.1 -P 4000 -u '[email protected]' -p'<the-token-generated>' --enable-cleartext-plugin
265
+
```
266
+
267
+
If specifying wrong `--sub` when generating token, like `--sub "[email protected]`, the authentication using this token would fail.
268
+
269
+
You can encode and decode a token with the help of the debugger in [jwt.io](https://jwt.io/).
0 commit comments