JWT Plugin does not extract roles correctly


Terry Quigley

Aug 14, 2017, 10:20:04 AM
to Search Guard Community Forum
The tokens we receive from an upstream service contain roles as a list. 

The extractRoles method of https://github.com/floragunncom/search-guard-authbackend-jwt/blame/master/src/main/java/com/floragunn/dlic/auth/http/jwt/HTTPJwtAuthenticator.java converts using:
return String.valueOf(rolesObject).split(",");

This means that the square brackets form part of the role names of the first and last items. So we have:

"testadms", "openid", "group2]", "[testusrs"

Instead of:

"testadms", "openid", "group2", "testusrs"

This obviously means that members of our "testusrs" group cannot see what they should.
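
The behaviour described in this post, reproduced as an added example (not part of the original post, and neither the plugin's code nor its fix): `extractRolesNaive` applies the `String.valueOf(...).split(",")` conversion to a list-valued claim, while the hypothetical `extractRolesStrict` reads the list element by element. The class and method names, the `trim()` calls and the sample claim are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class RolesClaimDemo {

    // Conversion quoted in the post: stringify the claim, then split on commas.
    // trim() is added here only to drop the spaces List.toString() inserts;
    // it does not remove the surrounding brackets.
    static String[] extractRolesNaive(Object rolesObject) {
        String[] roles = String.valueOf(rolesObject).split(",");
        for (int i = 0; i < roles.length; i++) {
            roles[i] = roles[i].trim();
        }
        return roles;
    }

    // Hypothetical hardened variant: treat a JSON array (Collection) element by
    // element and fall back to comma splitting only for a plain string claim.
    static String[] extractRolesStrict(Object rolesObject) {
        List<String> roles = new ArrayList<>();
        if (rolesObject == null) {
            return new String[0]; // missing claim: no roles at all
        }
        if (rolesObject instanceof Collection) {
            for (Object item : (Collection<?>) rolesObject) {
                if (item != null && !String.valueOf(item).trim().isEmpty()) {
                    roles.add(String.valueOf(item).trim());
                }
            }
        } else {
            for (String part : String.valueOf(rolesObject).split(",")) {
                if (!part.trim().isEmpty()) {
                    roles.add(part.trim());
                }
            }
        }
        return roles.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed sample claim using the role names from the post.
        Object claim = Arrays.asList("testusrs", "testadms", "openid", "group2");
        System.out.println(Arrays.toString(extractRolesNaive(claim)));
        System.out.println(Arrays.toString(extractRolesStrict(claim)));
        System.out.println(Arrays.toString(extractRolesStrict("testadms, openid")));
    }
}
```

Because role names feed authorization decisions, a mangled name such as `[testusrs` simply fails to match any configured role mapping, which is the access loss the post reports.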


Jochen Kressin

Aug 14, 2017, 10:23:02 AM
to Search Guard Community Forum
Agreed, we should make the handling of roles more flexible and also accept a roles array for example.

Can you please open a ticket / feature request on the JWT GitHub repo?


Thanks!

Terry Quigley

Aug 14, 2017, 10:58:23 AM
to Search Guard Community Forum

SG

Aug 15, 2017, 4:06:45 PM
to search...@googlegroups.com
Can you please check if this version solves your issues:
https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/dlic-search-guard-auth-http-jwt/5.0-6-SNAPSHOT/dlic-search-guard-auth-http-jwt-5.0-6-20170815.200546-1-jar-with-dependencies.jar

Terry Quigley

Aug 16, 2017, 4:39:37 AM
to Search Guard Community Forum
Yes. This works.

Thanks for the quick response.