loylick opened a new issue #3758: URL: https://github.com/apache/couchdb/issues/3758
## Description

Hi! I've encountered an issue when using JWT authentication in CouchDB. I had to compile CouchDB from sources to make JWT authentication work. I use the branch 3.x.

First I tried to pass roles to CouchDB through the custom claim `_couchdb.roles`. When I failed, I looked at recently resolved issues and found that there was a new configuration field `roles_claim_name` in the `[jwt_auth]` section. So, I added the line `roles_claim_name = couchdbroles` to the `[jwt_auth]` section of the `local.ini` file. The authentication succeeds and the username is passed correctly from the `sub` claim, but the roles are not passed from the JWT token.

## Steps to Reproduce

I used this request to get authenticated:

```sh
curl -L -X GET 'http://127.0.0.1:5984/_session' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZN2lDWWlJSnZyMUdLV0d4bG9jVS1GSWhISVVLTHRXRFQ4RjFRczN3MWxVIn0.eyJleHAiOjE2MzIwNDQ5NTksImlhdCI6MTYzMjA0NDY1OSwianRpIjoiYmVmMzNhN2EtNjczMi00N2YwLTg3YmYtM2RmMDJmYWY0Yzk5IiwiaXNzIjoiaHR0cDovLzE1OC42OS4yNDguNjo4MTgwL2F1dGgvcmVhbG1zL3F1aW1hbmFnZSIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJiNWVmZWQ2Ny03MzFjLTQwOGYtOGMyMi1lMTgyMzA5Y2YzZWIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJrZXltYW5hZ2UtYXBwIiwic2Vzc2lvbl9zdGF0ZSI6IjRjMGQ3YzIwLWFiZmUtNDI1OS05NmM4LTE2MDdkYzIxOWFhNSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJkZWZhdWx0LXJvbGVzLXF1aW1hbmFnZSIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsia2V5bWFuYWdlLWFwcCI6eyJyb2xlcyI6WyJkZXZlbG9wcGVyIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiNGMwZDdjMjAtYWJmZS00MjU5LTk2YzgtMTYwN2RjMjE5YWE1IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJjb3VjaGRicm9sZXMiOlsiZGV2ZWxvcHBlciJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciJ9.csbf8SX0dqD8FjU9iwSWxfVxBMF3eEcS7GRDzJ2tvw1IipFAInb4a-abNFEB6rErcRYiONlAbGTLGBjqT2Z0TGabGXBxXCB3A4F5q243DIY9WUBAO9_xiFQpeQCgLUYhdY5ensU5tYipcXn5-kLxruwhqDqpEFnpYQsulmIYE3MV3xmcazsBTGBDPILOoZK5FGYKlN3IvULi4cEpU_PZQqE-NNDwG1mkzla-mbH-hFv8t9lnIs94M9j7sUehtBP8Lhx76WJZPJJ0BwUkqHrP6mICZq0z6fzC057TyqqzwoCbNFSlbDcLLNVEt4zIF4WCkq-O8t3b1xLXN1j7RGvowA'
```

The response I got:

```json
{"ok":true,"userCtx":{"name":"b5efed67-731c-408f-8c22-e182309cf3eb","roles":[]},"info":{"authentication_handlers":["jwt","cookie","default"],"authenticated":"jwt"}}
```

## Expected Behaviour

I expect that the custom claim `"couchdbroles": ["developer"]` would be passed to CouchDB and the response of CouchDB should be:

```json
{"ok":true,"userCtx":{"name":"b5efed67-731c-408f-8c22-e182309cf3eb","roles":["developer"]},"info":{"authentication_handlers":["jwt","cookie","default"],"authenticated":"jwt"}}
```

## Your Environment

My OS is:

```
Linux 4.15.0-142-generic #146-Ubuntu SMP Tue Apr 13 01:11:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

`curl http://127.0.0.1:5984` returns:

```json
{"couchdb":"Welcome","version":"3.1.1-2871128","git_sha":"2871128","uuid":"45b6dd1db0fcd0ed1700cd671342978b","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
```

Erlang version: 1:24.0.5-1

## Additional Context

I looked at the code of JWT parsing in `couch_httpd_auth.erl`:

```erlang
jwt_authentication_handler(Req) ->
    case header_value(Req, "Authorization") of
        "Bearer " ++ Jwt ->
            RequiredClaims = get_configured_claims(),
            %% Verify the token (alg plus any configured required claims).
            case jwtf:decode(?l2b(Jwt), [alg | RequiredClaims], fun jwtf_keystore:get/2) of
                {ok, {Claims}} ->
                    case lists:keyfind(<<"sub">>, 1, Claims) of
                        false ->
                            throw({unauthorized, <<"Token missing sub claim.">>});
                        {_, User} ->
                            %% Roles are read from a single top-level claim
                            %% whose name comes from [jwt_auth] roles_claim_name.
                            Req#httpd{
                                user_ctx = #user_ctx{
                                    name = User,
                                    roles = couch_util:get_value(
                                        ?l2b(
                                            config:get(
                                                "jwt_auth",
                                                "roles_claim_name",
                                                "_couchdb.roles"
                                            )
                                        ),
                                        Claims,
                                        []
                                    )
                                }
                            }
                    end;
                {error, Reason} ->
                    throw(Reason)
            end;
        _ ->
            Req
    end.
```

The only reason I can think of for it not to work is that my JWT is not being parsed correctly. The structure of the JWT I'm using is somewhat more complicated than the structure you used for testing (just my assumption). I'm not familiar with Erlang, but if you could provide me some code I could insert into the function `jwt_authentication_handler` for debugging purposes, it would help us to resolve the issue.
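Added here as a debugging aid, not code from the report or from CouchDB: a Python script that decodes a JWT payload without verifying it and then applies the same literal top-level key lookup that the `couch_util:get_value(RolesClaimName, Claims, [])` call in the Erlang above performs. The token it inspects is constructed inside the script (nested role objects plus a top-level custom roles claim); the helper names `payload_claims` and `roles_for` are its own.

```python
import base64
import json

# Constructed sample payload (not the token from the report): nested role
# objects alongside a top-level custom roles claim, as an IdP might emit.
SAMPLE_CLAIMS = {
    "sub": "b5efed67-731c-408f-8c22-e182309cf3eb",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"keymanage-app": {"roles": ["developer"]}},
    "couchdbroles": ["developer"],
}

def b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments strip off before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_sample_token(claims: dict) -> str:
    # The signature segment is a dummy: this token is only for inspecting
    # claims, never for authenticating against a server.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.dummysignature"

def payload_claims(token: str) -> dict:
    # Decode the payload WITHOUT signature verification, purely to see which
    # top-level claim names the token carries (CouchDB verifies in jwtf:decode).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def roles_for(claims: dict, roles_claim_name: str = "_couchdb.roles") -> list:
    # Mirrors couch_util:get_value(?l2b(RolesClaimName), Claims, []): one
    # literal top-level key, no dotted-path traversal, [] when absent.
    return claims.get(roles_claim_name, [])

def top_level_claim_names(token: str) -> list:
    # What to compare roles_claim_name against when roles come back empty.
    return sorted(payload_claims(token).keys())

if __name__ == "__main__":
    tok = make_unsigned_sample_token(SAMPLE_CLAIMS)
    print("top-level claims:", top_level_claim_names(tok))
    print("roles via couchdbroles:", roles_for(payload_claims(tok), "couchdbroles"))
```

`roles_for(claims, "realm_access.roles")` returns `[]`, which shows that a dotted claim name is matched as one literal key rather than walked as a path into a nested object.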
