
Krakend 1.1.1 cannot parse roles in large token #53

Closed
nvlan opened this issue Dec 15, 2020 · 2 comments · Fixed by #58
nvlan commented Dec 15, 2020

Hello,

Sometimes (depending on the token), krakend seems unable to properly parse a token and the roles end up not working. I am using a short-payload token that has the following content:

{
  "iss": "https://nico-test.us.auth0.com/",
  "sub": "oZ4Qwz7G3ep60tcNblYttUWFl4NqD3tT@clients",
  "aud": "https://el.pulpo.com",
  "iat": 1606424904,
  "exp": 1606511304,
  "azp": "oZ4Qwz7G3ep60tcNblYttUWFl4NqD3tT",
  "gty": "client-credentials",
  "permissions": [
    "foo",
    "bar"
  ]
}

With the following endpoint config:

"endpoint": "/rests-partners-gateway/rests-partners-accounts/info/",
"method": "GET",
"output_encoding": "no-op",
"extra_config": {
    "github.com/devopsfaith/krakend-jose/validator": {
        "roles_key": "permissions",
        "roles": ["bar"],
        "jwk-url": "https://nico-test.us.auth0.com/.well-known/jwks.json",
        "disable_jwk_security": true,
        "alg": "RS256"
    }
},

In this case, krakend is able to check the "permissions" key and verify if the role "bar" is in there. When using a different role in the token, I get a 403 (as expected).

Thing is, with the following token:

{
  "https://partners.foo.com/roles": [
    "krakend"
  ],
  "nickname": "carlos.castro",
  "name": "carlos.castro@foo.com",
  "picture": "https://s.gravatar.com/avatar/077bc3b0517eb18354e0f3ebfb6a0220?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fca.png",
  "updated_at": "2020-11-26T17:56:18.066Z",
  "email": "carlos.castro@foo.com",
  "email_verified": true,
  "iss": "https://partners-foo.auth0.com/",
  "sub": "auth0|5dcc9086defff70f095a1610",
  "aud": "A1YdFI6mIhG0NjozZsjISe1BDx7FdfJR",
  "iat": 1606413378,
  "exp": 1606449378,
  "at_hash": "c5WgSZhJAAqS_uH9pgFMVg",
  "nonce": "PZ~o1BijmVPeFYK-a0xjBeICMfJfm03k"
}

and the following endpoint config:

"endpoint": "/rests-partners-gateway/rests-partners-accounts/info2/",
"method": "GET",
"output_encoding": "no-op",
"extra_config": {
    "github.com/devopsfaith/krakend-jose/validator": {
        "roles_key": "https://partners.foo.com/roles",
        "roles": ["krakend"],
        "jwk-url": "https://partners-foo.auth0.com/.well-known/jwks.json",
        "disable_jwk_security": true,
        "alg": "RS256"
    }
},

I get a 403 every time, as if the token didn't have the role "krakend" in the key "https://partners.foo.com/roles". Besides attempting to change the key for something else/simpler, is there anything in the JWT that would cause this strange behavior?

Thanks a lot, kind regards.

kpacha (Member) commented Feb 19, 2021

Thanks for the heads up!!!

The issue was related to the namespace containing ".". This char is also used to signal nested keys, so the validator wasn't able to locate the roles claim in the passed token.
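The failure mode kpacha describes, as an added illustration rather than krakend-jose's own code: a roles lookup that treats every "." in roles_key as a nesting boundary never finds a namespaced claim such as "https://partners.foo.com/roles", while checking the literal claim name before walking the dotted path does. The payload below is constructed from the claims quoted in the issue; the function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed payload modelled on the namespaced ID token quoted above (not a real token).
const namespacedPayload = `{"https://partners.foo.com/roles":["krakend"],"nickname":"carlos.castro","iss":"https://partners-foo.auth0.com/"}`

// lookupDotted treats every "." as a nesting boundary, so "https://partners.foo.com/roles"
// becomes the path ["https://partners", "foo", "com/roles"] and is never found.
func lookupDotted(claims map[string]interface{}, key string) (interface{}, bool) {
	var cur interface{} = claims
	for _, part := range strings.Split(key, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = m[part]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// lookupRolesKey tries the literal claim name first, then falls back to the dotted walk.
func lookupRolesKey(claims map[string]interface{}, key string) (interface{}, bool) {
	if v, ok := claims[key]; ok {
		return v, true
	}
	return lookupDotted(claims, key)
}

// rolesFrom decodes a JWT payload (already base64-decoded JSON) and returns the string roles under rolesKey.
func rolesFrom(payload, rolesKey string, lookup func(map[string]interface{}, string) (interface{}, bool)) []string {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil
	}
	raw, _ := lookup(claims, rolesKey)
	list, _ := raw.([]interface{})
	var roles []string
	for _, r := range list {
		if s, ok := r.(string); ok {
			roles = append(roles, s)
		}
	}
	return roles
}
```

With lookupDotted the namespaced token yields no roles and the validator answers 403; with lookupRolesKey it yields ["krakend"] while a genuinely nested key such as "app.roles" still resolves.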


github-actions bot commented Apr 7, 2022

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.
