Question on irods http api user mapping execution flow


Bruno Santos

Jun 8, 2026, 10:31:31 AM
to iRODS-Chat
Hi there, 

I'm doing some tests with the irods-http-api and I found something I would like to clarify.

I have a setup with introspection, where the http-api is not able to map the irods username.

My understanding of the general flow:
  1. The irods-http-api receives the request with the token (the token has the claims, including the custom claim "uid" to map the user).
  2. The irods-http-api calls the introspection endpoint to validate the token.
    • Introspection endpoint returns "active": true
  3. The irods-http-api parses the introspection response and tries to find the "irods_user_claim": "uid".
    • This fails because the claim exists only in the original token and not in the introspection response.
The OIDC provider could add extra fields to the response, but I'm not sure how standard this is (they are not required by the RFC), and I have no control over it...

I potentially could use the file mapping plugin to map the user using the mandatory field in the introspection response (sub), but that is extra complexity to build and maintain.

Btw, I tried with local_validation and it works for another provider, but from this specific provider I get a JWT without the typ element.
This results in: validate_using_local_validation: invalid JWT, missing [typ].


My questions are:
  • In the introspection case: shouldn't the irods-http-api use the original token to map the user?
  • In the local_validation: isn't the irods-http-api too picky?



Extra details on the introspection setup:

irods http api config.json:
(...)
"openid_connect": {
    "timeout_in_seconds": 3600,
    "provider_url": "https://auth.place.bb",
    "client_id": "<client_id>",
    "client_secret": "<client_secret>",
    "access_token_validation_method": "introspection",
    "require_aud_member_from_introspection_endpoint": false,
    "state_timeout_in_seconds": 600,
    "user_mapping": {
        "plugin_path": "/usr/lib/irods_http_api/plugins/user_mapping/libirods_http_api_plugin-user_claim.so",
        "configuration": {
            "irods_user_claim": "uid"
        }
    }
}
(...)

Token decoded payload (partial):
{
  "scope": "openid profile email uid",
  "aud": [
    "<client_id>"
  ],
  "jti": "<value>",
  "client_id": "<client_id>",
  "sub": "2ca2570889e12e64f7f8...@auth.place.bb",
  "name": "Name1 The FamilyName",
  "given_name": "Name1",
  "family_name": "The FamilyName",
  "email": "em...@aaa.bb",
  "uid": [
    "username37"
  ],
  "sid": "<value>",
  "token_class": "access_token",
  "iss": "https://auth.place.bb",
  "iat": 1780918086,
  "exp": 1780921686
}


Logs:

[2026-06-08 11:28:09.866] [P:1] [debug] [T:14] resolve_client_identity: Bearer token: [<ommited>]
[2026-06-08 11:28:09.866] [P:1] [debug] [T:14] get_port_from_url: Detected HTTPS scheme, using port 443.
[2026-06-08 11:28:09.961] [P:1] [debug] [T:14] get_port_from_url: Detected HTTPS scheme, using port 443.
[2026-06-08 11:28:10.048] [P:1] [debug] [T:14] hit_introspection_endpoint: Received the following response: [{"active": true, "scope": "openid profile email uid", "client_id": "<client_id>", "exp": 1780921686, "iat": 1780918086, "sub": "2ca2570889e12e64f7f8...@auth.place.bb", "iss": "https://auth.place.bb", "token_type": "Bearer", "aud": ["<client_id>"]}]
[2026-06-08 11:28:10.049] [P:1] [trace] [T:14] validate_using_introspection_endpoint: Attempting [aud] validation.
[2026-06-08 11:28:10.049] [P:1] [trace] [T:14] validate_using_introspection_endpoint: Attempting [iss] validation.
[2026-06-08 11:28:10.049] [P:1] [debug] [T:14] user_mapper_match: Attempting match of _param [{"active":true,"aud":["<client_id>"],"client_id":"<client_id>","exp":1780921686,"iat":1780918086,"iss":"https://auth.place.bb","scope":"openid profile email uid","sub":"2ca2570889e12e64f7f8...@auth.place.bb","token_type":"Bearer"}].
[2026-06-08 11:28:10.049] [P:1] [warning] [T:14] resolve_client_identity: Could not find a matching user.


Regards,
Bruno
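The flow described in the post, modelled in Python as an added example (this is not the iRODS HTTP API's code or the user_claim plugin's code): it builds a constructed JWT shaped like the decoded payload above, decodes it without signature verification, runs a claim lookup against both the introspection response and the token payload, and models the "missing [typ]" header check from the local_validation error. All sample values are constructed from the post; the function names are assumptions for illustration.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed sample data, shaped like the decoded token payload and the
# introspection response quoted in the post (not real credentials).
TOKEN_PAYLOAD = {
    "scope": "openid profile email uid",
    "aud": ["<client_id>"],
    "sub": "2ca2570889e12e64f7f8...@auth.place.bb",
    "uid": ["username37"],        # list-valued custom claim, as in the post
    "iss": "https://auth.place.bb",
    "iat": 1780918086,
    "exp": 1780921686,
}

INTROSPECTION_RESPONSE = {
    "active": True,
    "scope": "openid profile email uid",
    "client_id": "<client_id>",
    "exp": 1780921686,
    "iat": 1780918086,
    "sub": "2ca2570889e12e64f7f8...@auth.place.bb",
    "iss": "https://auth.place.bb",
    "token_type": "Bearer",
    "aud": ["<client_id>"],       # note: no "uid" here, only the RFC 7662 fields
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(header: dict, payload: dict) -> str:
    # Constructed token for illustration only: the signature segment is a
    # dummy, so nothing in this example verifies a signature.
    parts = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(parts + [b64url_encode(b"dummy-signature")])


def decode_jwt(token: str) -> Tuple[dict, dict]:
    # Decodes header and payload WITHOUT verifying the signature. Use this
    # only to inspect which claims a token carries, never to trust them.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_typ_header(header: dict) -> Optional[str]:
    # Models the strict header check behind the local_validation error in the
    # post: a JOSE header without "typ" is rejected. Returns the error or None.
    if "typ" not in header:
        return "invalid JWT, missing [typ]"
    return None


def user_claim_match(claims: dict, irods_user_claim: str) -> Optional[str]:
    # Models a user_claim-style mapper (assumption, not the plugin's code):
    # look up the configured claim and return a username, or None on no match.
    value = claims.get(irods_user_claim)
    if isinstance(value, list):
        # Accept exactly one value; an ambiguous list is treated as no match.
        value = value[0] if len(value) == 1 else None
    return value if isinstance(value, str) and value else None


def resolve_identity(token: str, introspection: dict, irods_user_claim: str) -> dict:
    """Trace both possible mapping inputs so the difference is visible side by side."""
    _header, payload = decode_jwt(token)
    return {
        "active": introspection.get("active") is True,
        # Under introspection the payload is unverified; checking that its
        # "sub" agrees with the introspection result is the minimum before
        # any claim from it is relied on.
        "sub_matches": payload.get("sub") == introspection.get("sub"),
        "from_introspection": user_claim_match(introspection, irods_user_claim),
        "from_token_payload": user_claim_match(payload, irods_user_claim),
    }


if __name__ == "__main__":
    token = make_unsigned_jwt({"alg": "RS256", "typ": "JWT"}, TOKEN_PAYLOAD)
    print(json.dumps(resolve_identity(token, INTROSPECTION_RESPONSE, "uid"), indent=2))
    # Header as returned by the second provider in the post: no "typ".
    print(check_typ_header({"alg": "RS256"}))
```

Running it reproduces the "Could not find a matching user" outcome for the introspection response ("from_introspection" is None) while the same lookup against the token payload yields "username37", and shows the "missing [typ]" rejection for a header without that field. The "sub_matches" field is the check a deployment would want before mapping from payload claims under introspection, since the introspection endpoint, not the HTTP API, is what vouched for the token.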
