badarg jwt_auth required_claims with param #3232
Comments
I can confirm and reproduce the error on 3.1.1 with a present iss claim configured with the JWT issuer
{
"error": "unknown_error",
"reason": "badarg",
"ref": 2423103563
}
I've discovered this issue is already fixed by #3165, which is already merged on the 3.x branch. I've compiled from source and I can confirm the JWT authentication with the ISS required claim is working as expected. So in the next release, it will be completely usable. For the moment, if you need a CouchDB version with JWT auth and the iss required claim, I'd suggest compiling from the 3.x source branch.
+1 This is causing me issues, spent ages setting it all up, auth_handlers, converting DER to PEM, setting iss claim, now this :-( Any idea when the next patch (e.g. 3.1.2) release will be? Thanks, Neil
For anyone else with this issue, if it helps, I've cherry-picked #3165 into 3.1.1 and created a new fork here: https://github.com/RGS-IT-Development/couchdb/tree/3.1.1.1. I've also built a Docker image here: https://github.com/orgs/RGS-IT-Development/packages/container/package/couchdb. I can confirm this works for my environment.
FYI 3.2 is being prepared right now and should release in June 2021.
Also, this PR apache/couchdb-config#32 should be taken into account in order to allow kid fields with equal signs.
@mtenrero good find, our JWT issuer rotates its keys so we don't load them in the .ini file, we dynamically push them to the couchdb config URL (https://docs.couchdb.org/en/latest/api/server/configuration.html), so not sure this is an issue for us, but maybe for others, thanks!
Description
I receive an unknown_error : badarg from erlang:list_to_existing_atom/1 when I try to authenticate using a JWT token and [jwt_auth] required_claims includes a tuple with param, like exp, iss {"yourissuername"} (from the example).
Steps to Reproduce
[chttpd] authentication_handlers = {chttpd_auth, jwt_authentication_handler}
example
[jwt_auth] required_claims = exp, {iss, "IssuerNameHere"}
_session
bearing a JWT token. (doesn't really matter which token, the error happens before actual validation afaict)
Expected Behaviour
To get authenticated (or not, but not an unknown error)
Your Environment
{"couchdb":"Welcome","version":"3.1.1","git_sha":"ce596c65d","uuid":"c4d21e152a90a6cf779e046c9ddb012b","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
Additional Context
It happens somewhere here. (In the main branch, that code looks different, with a regex supporting tuples.)
stack trace
I realise now, after typing everything, that the docs I linked are for main, and tuples in required_claims were just not yet merged in 3.1.1. So perhaps this now turns into the question: how then do I provide which iss claim I expect?
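The required_claims syntax quoted in this issue, parsed and enforced in an added Python example that is not CouchDB's code and not from any participant in the thread. The function names parse_required_claims and check_claims are hypothetical, and the semantics are an assumption: a bare name must be present (exp must also be unexpired) and a tuple's value must match exactly.

```python
import re
import time

# One entry: a bare claim name (exp) or a tuple {name, "value"}, comma-separated.
_ENTRY = re.compile(r'\s*(?:([a-z]+)|\{\s*([a-z]+)\s*,\s*"([^"]*)"\s*\})\s*(?:,|$)')

def parse_required_claims(setting):
    """Parse a required_claims value into [(name, expected_or_None), ...]."""
    setting, entries, pos = setting.strip(), [], 0
    while pos < len(setting):
        m = _ENTRY.match(setting, pos)
        if m is None:
            # Fail closed with a descriptive error, not a generic one.
            raise ValueError(f"malformed required_claims at offset {pos}: {setting[pos:]!r}")
        name, tuple_name, tuple_value = m.groups()
        entries.append((name, None) if name else (tuple_name, tuple_value))
        pos = m.end()
    return entries

def check_claims(payload, required, now=None):
    """Return failure reasons for an already signature-verified JWT payload."""
    # Assumed semantics: bare name = claim must be present (exp also unexpired);
    # tuple = claim must be present and equal to the configured value.
    now = time.time() if now is None else now
    failures = []
    for name, expected in required:
        value = payload.get(name)
        if name not in payload:
            failures.append(f"missing claim: {name}")
        elif expected is not None and value != expected:
            failures.append(f"unexpected {name}: {value!r}")
        elif name == "exp" and (not isinstance(value, (int, float)) or value <= now):
            failures.append("token expired or exp not numeric")
    return failures

# Constructed sample data: the setting from the issue and two made-up payloads.
REQUIRED = parse_required_claims('exp, {iss, "IssuerNameHere"}')
GOOD = {"sub": "alice", "exp": 2_000_000_000, "iss": "IssuerNameHere"}
BAD = {"sub": "alice", "exp": 2_000_000_000, "iss": "SomeoneElse"}

if __name__ == "__main__":
    print(REQUIRED)
    print(check_claims(GOOD, REQUIRED, now=1_700_000_000))
    print(check_claims(BAD, REQUIRED, now=1_700_000_000))
```

A malformed entry raises a ValueError naming the offending offset, so a configuration mistake surfaces as a clear rejection instead of an opaque error at authentication time.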