JWT Plugin does not extract roles correctly

On Monday, August 14, 2017 at 4:20:04 PM UTC+2, Terry Quigley wrote:

The tokens we receive from an upstream service contain roles as a list.

The extractRoles method of HTTPJwtAuthenticator.java (https://github.com/floragunncom/search-guard-authbackend-jwt/blame/master/src/main/java/com/floragunn/dlic/auth/http/jwt/HTTPJwtAuthenticator.java) converts using:

return String.valueOf(rolesObject).split(",");

This means that the square brackets form part of the first and last items' role names. So we have:

"testadms", "openid", "group2]", "[testusrs"

Instead of:

"testadms", "openid", "group2", "testusrs"

This obviously means that members of our "testusrs" group cannot see what they should.

On Monday, August 14, 2017 at 3:23:02 PM UTC+1, Jochen Kressin wrote:

Agreed, we should make the handling of roles more flexible and also accept a roles array for example.

Can you please open a ticket / feature request on the JWT GitHub repo?

https://github.com/floragunncom/search-guard-authbackend-jwt/issues

Thanks!
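The mis-parsing reported above, and the array handling the reply asks for, as an added example that is not the plugin's own code: extractRolesBroken mirrors the one-liner quoted from HTTPJwtAuthenticator.java, extractRolesFixed is a hypothetical replacement, and the claim value is a constructed java.util.List (whose toString also puts a space after each comma, so the broken variant leaks whitespace as well as brackets into role names).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class RoleClaimExtraction {

    // Mirrors the one-liner quoted from HTTPJwtAuthenticator.java. For a
    // java.util.List the "[" and "]" (and the space after each comma) stay
    // inside the first and last role names.
    static String[] extractRolesBroken(Object rolesObject) {
        return String.valueOf(rolesObject).split(",");
    }

    // Hypothetical replacement: walk a JSON array (deserialised as a
    // Collection) element by element and only comma-split a plain string
    // claim. Entries are trimmed so no bracket or whitespace reaches the
    // role name that is later compared against the role mapping.
    static List<String> extractRolesFixed(Object rolesObject) {
        if (rolesObject == null) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        if (rolesObject instanceof Collection<?>) {
            for (Object role : (Collection<?>) rolesObject) {
                addRole(roles, String.valueOf(role));
            }
        } else {
            for (String role : String.valueOf(rolesObject).split(",")) {
                addRole(roles, role);
            }
        }
        return roles;
    }

    private static void addRole(List<String> roles, String raw) {
        String role = raw.trim();
        if (!role.isEmpty()) { // skip empty entries such as "a,,b"
            roles.add(role);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: what a "roles" array claim deserialises to.
        List<String> claim = Arrays.asList("testadms", "openid", "group2", "testusrs");
        System.out.println(Arrays.toString(extractRolesBroken(claim)));
        System.out.println(extractRolesFixed(claim));
        System.out.println(extractRolesFixed("testadms, openid"));
    }
}
```

Because a role name that carries a stray bracket or space never matches the configured role mapping, the bug fails closed for the affected users, which is the symptom the report describes.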


On 14.08.2017 at 16:58, Terry Quigley <topquigley@gmail.com> wrote:

Sure. I've raised it here: JWT Plugin does not extract roles correctly, Issue #5 (https://github.com/floragunncom/search-guard-authbackend-jwt/issues/5)

Thanks


On Tuesday, August 15, 2017 at 9:06:45 PM UTC+1, Search Guard wrote:

Can you please check if this version solves your issues:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-auth-http-jwt/5.0-6-SNAPSHOT/dlic-search-guard-auth-http-jwt-5.0-6-20170815.200546-1-jar-with-dependencies.jar

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e2d6ff21-090c-476c-ab40-570cc2c7b000%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yes. This works.

Thanks for the quick response.
