Cannot wrap my head around JWT authentication/authorization

Hi experts,

I have a hard time going from Python “influxdb” package 5.3.0 to new Python “influxdb-client” package 1.11.0. With the new version of the Python API package, the client exclusively connects via JWT authentication token. However, I am completely unexperienced in this matter and quite lost.

The documentation (Authentication and authorization in InfluxDB | InfluxDB OSS 1.8 Documentation) tells me to create my own JWT token via http://jwt.io - which (seems to) work(s).

For the token creation I use my former user / password to create the token in the following way - header:

{
    "alg": "HS256"
    "typ": "JWT"
}

The payload looks like this:

{
    "username": "the_user_name",
    "exp": 253402214400 (comment: 9999-12-31)
}

In the “verify signature” I use the following:

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    <password of the_user_name in InfluxDB>
)

If I define the “shared-secret” in the [http] section of the /etc/influxdb/influxdb.config file like:

shared-secret =  <password of the_user_name in InfluxDB>

and use the token generated via http://jwt.io I can perform successful curl calls like:

curl -XPOST "http://myserver:8086/query?db=mydb" --data-urlencode "q=SHOW SERIES" --header "Authorization: Bearer <token created via jwt.io>"

However, when I use the same token in my Python code:

influx_client: InfluxDBClient = InfluxDBClient(url=server_address + ':8086', use_udp=False,
                                                            token=<token from jwt.io>)

influx_client.query_api().query_data_frame(sql_like_query_statement)

I get an

influxdb_client.rest.ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'Request-Id': '3d843831-0cb5-11eb-8005-02ff0a0a2610', 'Www-Authenticate': 'Basic realm="InfluxDB"', 'X-Influxdb-Build': 'OSS', 'X-Influxdb-Version': '1.8.0', 'X-Request-Id': '3d843831-0cb5-11eb-8005-02ff0a0a2610', 'Date': 'Mon, 12 Oct 2020 18:03:32 GMT', 'Content-Length': '55'})
HTTP response body: b'{"error":"unable to parse authentication credentials"}\n'

What am I doing wrong?

Hello @wgeithner,
Have you seen this documentation?

and this example of using the client with 1.x?

Does that help?