Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2021/09/19 10:09:00 UTC

[GitHub] [couchdb] loylick opened a new issue #3758: JWT auth doesn't pick up roles

loylick opened a new issue #3758:
URL: https://github.com/apache/couchdb/issues/3758


   ## Description
   Hi! I've encountered an issue when using JWT authentication in CouchDB. I had to compile CouchDB from sources to make JWT authentication work. I use the branch 3.x. First I tried to pass roles to CouchDB through the custom claim `_couchdb.roles`. When I failed I looked at recently resolved issues and found that there was a new configuration field `roles_claim_name` in the `[jwt_auth]` section. So, I added the line `roles_claim_name = couchdbroles` to the `[jwt_auth]` section of my local.ini file. The authentication succeeds, the username is passed correctly from the `sub` claim, but the roles are not passed from the JWT token.
   
   ## Steps to Reproduce
   I used this request to get authenticated:
   
   ```shell
   curl -L -X GET 'http://127.0.0.1:5984/_session' \
   -H 'Content-Type: application/json; charset=utf-8' \
   -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZN2lDWWlJSnZyMUdLV0d4bG9jVS1GSWhISVVLTHRXRFQ4RjFRczN3MWxVIn0.…GV2ZWxvcHBlciJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciJ9.csbf8SX0dqD8FjU9iwSWxfVxBMF3eEcS7GRDzJ2tvw1IipFAInb4a-abNFEB6rErcRYiONlAbGTLGBjqT2Z0TGabGXBxXCB3A4F5q243DIY9WUBAO9_xiFQpeQCgLUYhdY5ensU5tYipcXn5-kLxruwhqDqpEFnpYQsulmIYE3MV3xmcazsBTGBDPILOoZK5FGYKlN3IvULi4cEpU_PZQqE-NNDwG1mkzla-mbH-hFv8t9lnIs94M9j7sUehtBP8Lhx76WJZPJJ0BwUkqHrP6mICZq0z6fzC057TyqqzwoCbNFSlbDcLLNVEt4zIF4WCkq-O8t3b1xLXN1j7RGvowA'
   ```
   
   The response I got:
   
   ```json
   {"ok":true,"userCtx":{"name":"b5efed67-731c-408f-8c22-e182309cf3eb","roles":[]},"info":{"authentication_handlers":["jwt","cookie","default"],"authenticated":"jwt"}}
   ```
   
   ## Expected Behaviour
   I expect that the custom claim `"couchdbroles": ["developer"]` would be passed to CouchDB and the response of CouchDB should be:
   
   ```json
   {"ok":true,"userCtx":{"name":"b5efed67-731c-408f-8c22-e182309cf3eb","roles":["developer"]},"info":{"authentication_handlers":["jwt","cookie","default"],"authenticated":"jwt"}}
   ```
   
   ## Your Environment
   My OS is: Linux 4.15.0-142-generic #146-Ubuntu SMP Tue Apr 13 01:11:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
   
   ```shell
   curl http://127.0.0.1:5984
   {"couchdb":"Welcome","version":"3.1.1-2871128","git_sha":"2871128","uuid":"45b6dd1db0fcd0ed1700cd671342978b","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
   ```
   
   Erlang version 1:24.0.5-1
   
   ## Additional Context
   I looked at the code of JWT parsing in `couch_httpd_auth.erl`:
   
   ```erlang
   jwt_authentication_handler(Req) ->
       case header_value(Req, "Authorization") of
           "Bearer " ++ Jwt ->
               RequiredClaims = get_configured_claims(),
               case jwtf:decode(?l2b(Jwt), [alg | RequiredClaims], fun jwtf_keystore:get/2) of
                   {ok, {Claims}} ->
                       case lists:keyfind(<<"sub">>, 1, Claims) of
                           false ->
                               throw({unauthorized, <<"Token missing sub claim.">>});
                           {_, User} ->
                               Req#httpd{
                                   user_ctx = #user_ctx{
                                       name = User,
                                       roles = couch_util:get_value(
                                           ?l2b(
                                               config:get(
                                                   "jwt_auth", "roles_claim_name", "_couchdb.roles"
                                               )
                                           ),
                                           Claims,
                                           []
                                       )
                                   }
                               }
                       end;
                   {error, Reason} ->
                       throw(Reason)
               end;
           _ ->
               Req
       end.
   ```
   The only reason I can think of for it not to work is failing to parse my JWT correctly. The structure of the JWT I'm using is somewhat more complicated than the structure you used for testing (just my assumption). I'm not familiar with Erlang, but if you could provide me with some code I could insert into the function `jwt_authentication_handler` for debugging purposes, it would help us resolve the issue.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] loylick commented on issue #3758: JWT auth doesn't pick up roles

Posted by GitBox <gi...@apache.org>.
loylick commented on issue #3758:
URL: https://github.com/apache/couchdb/issues/3758#issuecomment-959092581


   Hi, the response to /_node/_local/_config/jwt_auth/roles_claim_name is `{"error":"not_found","reason":"unknown_config_value"}`





[GitHub] [couchdb] loylick edited a comment on issue #3758: JWT auth doesn't pick up roles

Posted by GitBox <gi...@apache.org>.
loylick edited a comment on issue #3758:
URL: https://github.com/apache/couchdb/issues/3758#issuecomment-959092581


   Hi, the response to /_node/_local/_config/jwt_auth/roles_claim_name is `"_couchdb.roles"`. I've tried what you did. I called the claim "couchdbroles" without nesting the array. In such configuration it worked. So if I call the claim "_couchdb.roles" the roles are not passed. If I call the claim as you did, everything works fine.



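Editorial note on the two findings above: the Erlang handler quoted in the opening report reads the roles with `couch_util:get_value(?l2b(config:get("jwt_auth", "roles_claim_name", "_couchdb.roles")), Claims, [])`, which is a flat lookup of the configured name among the top-level claims, and the follow-up comment reports that the roles only arrive once the claim is a flat top-level key whose name is what the configuration actually returns. The Python below is an added illustration of exactly that lookup; it is not CouchDB code and not from either participant. `session_roles` and its `config` dict are hypothetical stand-ins for the handler and `config:get/3`, `make_unsigned_token` and the three payloads are constructed fixtures (only the `sub` value is taken from the report), and signature verification is left out on purpose because in CouchDB `jwtf:decode` performs it before this lookup runs.

```python
"""Added illustration of the CouchDB JWT roles lookup; not CouchDB code.

After jwtf:decode has verified the token, couch_httpd_auth.erl does
    couch_util:get_value(?l2b(config:get("jwt_auth", "roles_claim_name",
                                         "_couchdb.roles")), Claims, [])
i.e. a flat lookup of the configured name among the top-level claims.
"""
import base64
import json

DEFAULT_ROLES_CLAIM = "_couchdb.roles"  # the default passed to config:get/3 above


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWT strips the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def payload_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT into a dict.

    No signature check here: in CouchDB jwtf:decode verifies the token before
    the roles lookup this example is about.  Roles read from an unverified
    token would be whatever the sender chose to put there.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def roles_from_claims(claims: dict, roles_claim_name: str = DEFAULT_ROLES_CLAIM) -> list:
    """Mirror couch_util:get_value(Name, Claims, []): a literal top-level key.

    A dot in the configured name is part of the key, not a path into a nested
    object, so {"_couchdb": {"roles": [...]}} never matches "_couchdb.roles".
    """
    roles = claims.get(roles_claim_name, [])
    # Only a list of strings makes sense as a role list; reject anything else.
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError(f"claim {roles_claim_name!r} is not a list of strings")
    return roles


def session_roles(token: str, config: dict) -> list:
    """Hypothetical stand-in for the handler.  `config` has the shape
    {"jwt_auth": {"roles_claim_name": ...}}; a missing key falls back to the
    default exactly as config:get/3 does, which is the situation when the
    config endpoint still reports "_couchdb.roles"."""
    name = config.get("jwt_auth", {}).get("roles_claim_name", DEFAULT_ROLES_CLAIM)
    return roles_from_claims(payload_claims(token), name)


def make_unsigned_token(claims: dict) -> str:
    """Constructed fixture: header.payload with an empty signature segment."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


# Constructed payloads; only the sub value comes from the issue report.
SUB = "b5efed67-731c-408f-8c22-e182309cf3eb"
NESTED = {"sub": SUB, "_couchdb": {"roles": ["developer"]}}   # nested object: never matches
FLAT_DOTTED = {"sub": SUB, "_couchdb.roles": ["developer"]}   # literal dotted key: matches default
CUSTOM = {"sub": SUB, "couchdbroles": ["developer"]}          # flat custom claim: needs the config

if __name__ == "__main__":
    with_config = {"jwt_auth": {"roles_claim_name": "couchdbroles"}}
    for label, claims in (("nested", NESTED), ("flat dotted", FLAT_DOTTED), ("custom", CUSTOM)):
        tok = make_unsigned_token(claims)
        print(f"{label:12s} default config -> {session_roles(tok, {})}"
              f"   roles_claim_name=couchdbroles -> {session_roles(tok, with_config)}")
```

Run stand-alone it prints one line per payload shape: only the flat dotted key yields roles under the default, and only the custom flat claim yields roles once `roles_claim_name` is set to `couchdbroles`; the nested object yields `[]` in both cases. Checking `/_node/_local/_config/jwt_auth/roles_claim_name`, as suggested in the thread, tells you which of the two columns your node is in.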


[GitHub] [couchdb] rnewson commented on issue #3758: JWT auth doesn't pick up roles

Posted by GitBox <gi...@apache.org>.
rnewson commented on issue #3758:
URL: https://github.com/apache/couchdb/issues/3758#issuecomment-954837792


   I used jwt.io to create a JWT token signed with my key but with your verbatim (decoded) JWT body and get:
   
   ```
   {"ok":true,"userCtx":{"name":"b5efed67-731c-408f-8c22-e182309cf3eb","roles":["developper"]},"info":{"authentication_handlers":["jwt","cookie","default"],"authenticated":"jwt"}}
   ```





[GitHub] [couchdb] rnewson commented on issue #3758: JWT auth doesn't pick up roles

Posted by GitBox <gi...@apache.org>.
rnewson commented on issue #3758:
URL: https://github.com/apache/couchdb/issues/3758#issuecomment-954834702


   Hi, 
   
   I've just tried this locally and it worked for me. Can you verify you set the config correctly by querying `/_node/_local/_config/jwt_auth/roles_claim_name` and confirm it returns `"couchdbroles"`?




