New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
micronaut-security-jwt: scopes are not converted to list/iterable when remapping the rolesfinder #787
Comments
I don't think this is a bug. However, we could add some flexibility via configuration. Maybe we could add a new configuration property And if in your case you could set it to micronaut:
security:
token:
roles-name: 'scope'
roles-separator: ' ' @frehov what do you think? |
I think that would work. It's probably not a bug per se, as you're only relying on what the nimbuds library is parsing and returning as the I can most likely have a PR for this up within the day if that's of any interest? |
Yes, PRs are welcome. I will review it and get it merged. |
I do have one question though. I believe the best option is going for the consistent feel, and thus doing the separation in |
I think it probably best to have it in the |
Alright, I've submitted the PR with the change on the |
Expected Behavior
When remapping
DefaultRolesFinder
to read roles from the scope attribute withsecurity.token.roles-name=scope
I expect to find multiple roles attached to the authentication object.Actual Behaviour
When remapping
DefaultRolesFinder
to read roles from the scope attribute withsecurity.token.roles-name=scope
I find only one entry in the list of roles.Steps To Reproduce
Running with cognito user pools with jwks validation set up.
Create a resource server in cognito with multiple scopes.
Create an app client and grant access to multiple scopes from the resource server
Set up a basic micronaut app with security and and add
micronaut-security-jwt
to enable jwt-validation.Use
security.token.roles-name=scope
to remap theDefaultRolesFinder
to generate roles from scopes attribute.Secure one endpoint with
@RolesAllowed(<a single scope from the resource server>)
Request a token with multiple scopes with postman following the client_credentials flow.
Hit the secured endpoint with postman and the token requested, and watch the request get a 403 Forbidden as there are no matching roles.
Debugging the
DefaultRolesFinder
it easy to see what happens.The scopes are required to be space separated in the client credentials flow, and as such they're not mapped to an iterable since the attribute is seen as a single string.
But it should be treated as a space separated list, and thus be an iterable.
The following workaround (kotlin) has been used to successfully split the scopes, but it's not the most elegant solution, as we were relying on builtin configuration to resolve these issues.
Environment Information
Example Application
No response
Version
3.0.1
The text was updated successfully, but these errors were encountered: