-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requiring the 'groups' claims is too restrictive #129
Comments
I like this idea. In the properties file we define what the auth mechanism is:
Maybe we could have a second one which is just regular JWT which would support Auth0 & Firebase Auth. |
Thanks... |
+1 ... the |
We introduced a So may be MP JWT can introduce a similar property, |
any updates on this? |
Another possible approach would be to update the spec to include a collision resistant namespace for the new claims introduced (i.e. This would be in alignment with RFC 7519, section 4.2 and should be supported by Auth0, for example. Namespaces are supported currently in Payara as well. |
@MikeEdgar Not sure introducing the namespace would solve this issue though which is really about the implementations being effectively required to reject the tokens without the |
I propose to resolve this issue by updating the spec text to note that
Something along these lines |
However it appears we can't do it for
should be enough. The only problem then is that some implementations may return 401/403 if no groups exists before the RBAC barrier is even reached. thanks |
I see no issues in doing this for 1.2. |
Defining a required property to optional is not a breaking change. All tokens which are valid today are still valid with the change in groups and scope and will result in the same behavior. So it can be included in 1.2 |
Should we also provide a way to retrieve the roles from another claim? With a configuration property? |
A Mapper SPI is more useful in that case, and the default mapper takes it from groups claim. |
@radcortez @rdebusscher OK, if everyone is good with it then I'll relax the text with a couple of tests, thanks |
@andreas-eberle See @rdebusscher's response to Roberto's proposal :-). May be we can do it for 2.0 |
I have just seen a user reporting that the MP-JWT runtime fails to validate Auth0 tokens. I think it is a major barrier to the wider adoption of MP JWT given that many popular OIDC providers will not be able to include the
groups
claim.IMHO the 'group' claim should be treated somehow similarly to the (required)
upn
claim. For example, one option could be for the MP JWT implementation to default to 'Default' groups or some other default value.Rejecting the otherwise perfectly valid tokens used in the productions to secure the services is too restrictive
The text was updated successfully, but these errors were encountered: