Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/18 06:44:15 UTC

[GitHub] [pulsar] acortes-okode commented on issue #16626: WebSocket 'token' request param authorization not working

acortes-okode commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1186825568

   Hi @Technoboy- , thanks for your time!
   
   I'm not using the `sub` claim of the token as the role one; I have configured `tokenAuthClaim=roles` in order to use the `roles` claim as the one to be checked. It has only one role, and it is the `superuser` one (which is also configured as the `superUserRoles`).
   
   This setup works as expected, since I can consume and produce if I set that token on the `Authorization` header of the WebSocket request by using a Node.js library (or by configuring the bin/pulsar-client to use it). But I cannot make it work by using the `token` request parameter, which is the only way authorization can be set on the browser WebSocket client implementation, since it does not accept custom headers.
   
   Moreover, the error I get is the one saying `authentication required` instead of something regarding authorization, and the class that is giving me the error is the [AuthenticationFilter](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java), which, by looking at the code, I expect to validate the JWT token, as the secret is correct, and let the authorization flow, on the [AbstractWebSocketHandler](https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/AbstractWebSocketHandler.java#L120), check for authorization.
   
   Thank you once again!

