Groups
Sign in
Groups
Search Guard Community Forum
Conversations
About
Send feedback
Help
JWT Plugin does not extract roles correctly
17 views
Skip to first unread message
Terry Quigley
unread,
Aug 14, 2017, 10:20:04 AM
8/14/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Search Guard Community Forum
The tokens we receive from an upstream service contain roles as a list.
The extractRoles method of
https://github.com/floragunncom/search-guard-authbackend-jwt/blame/master/src/main/java/com/floragunn/dlic/auth/http/jwt/HTTPJwtAuthenticator.java
converts using:
return
String
.
valueOf(rolesObject)
.
split(
"
,
"
);
This means that the square brackets form part of the first and last items form part of their role name. So we have :
"testadms", "openid",
"group2]
", "
[testusrs"
Instead of:
"testadms", "openid", "group2", "testusrs"
This obviously means that members of our "testusrs" group cannot see what they should.
Jochen Kressin
unread,
Aug 14, 2017, 10:23:02 AM
8/14/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Search Guard Community Forum
Agreed, we should make the handling of roles more flexible and also accept a roles array for example.
Can you please open a ticket / feature request on the JWT GitHub repo?
https://github.com/floragunncom/search-guard-authbackend-jwt/issues
Thanks!
Terry Quigley
unread,
Aug 14, 2017, 10:58:23 AM
8/14/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Search Guard Community Forum
Sure. I've raised it here
https://github.com/floragunncom/search-guard-authbackend-jwt/issues/5
Thanks
SG
unread,
Aug 15, 2017, 4:06:45 PM
8/15/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to search...@googlegroups.com
can you pls check if this version solves your issues:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-auth-http-jwt/5.0-6-SNAPSHOT/dlic-search-guard-auth-http-jwt-5.0-6-20170815.200546-1-jar-with-dependencies.jar
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
search-guard...@googlegroups.com
.
> To post to this group, send email to
search...@googlegroups.com
.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/search-guard/e2d6ff21-090c-476c-ab40-570cc2c7b000%40googlegroups.com
.
> For more options, visit
https://groups.google.com/d/optout
.
Terry Quigley
unread,
Aug 16, 2017, 4:39:37 AM
8/16/17
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Search Guard Community Forum
Yes. This works.
Thanks for the quick response.
Reply all
Reply to author
Forward
0 new messages