Custom OIDC groups claim along with allowed groups query parameter always returns 403 #1730
Comments
Ok, I found the issue. This function is where it goes wrong:
In my case the claim was To work around the issue I have changed the claim to remove the Not sure what to do about this one, as I feel claims should be able to include a URL as a namespace. Any reason we split the string using the dot?
May be related: #1686. I will have to check to see if this functionality was recently added.
It's meant to be a basic implementation of JSON paths. I'd be happy to add support for escaping the period in the same way you can with JSON path (or better, using some library for this) to allow this use case, but then users would need to be aware it's JSON path and escape properly.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Not stale. @JoelSpeed is there already any implementation fixing the "basic JSON path" misbehaviour when using claims with dots? Just came across this issue while debugging here: Also, it seems like this "feature" is not documented...
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
I don't think there's any fix yet, no.
That's because it's not really complete or tested yet; the internal code is intended to support the various providers in a generic way. I hadn't really intended for it to be exposed to end users until later down the line. I scanned through the link but can't see what we are violating; can you be more explicit with what you mean with that statement?
Hi @JoelSpeed E.g.
With the current code you will never get the abc group because the code splits at every dot.
Yeah, that's a fair point. I'd consider that a bug that we can fix, hopefully. Are you aware of any fixes that you could suggest, or any libraries that aren't violating the namespacing rules?
Maybe the lib I used in my PR could do the trick: github.com/ohler55/ojg/jp. Another solution could be to make a flag to enable or disable JSON path parsing; I guess this would be the easiest solution right now. Another approach could be the PR I have provided, which is going to detect if the passed value is valid JSON path or not.
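The behaviour the comments above describe (the configured claim name being treated as a dotted, JSON-path-like expression and split on every period, and the escape-the-period fix that was suggested), shown as an added Go example that is not code from oauth2-proxy or from anyone in this thread. It places a naive split-on-dot lookup next to an escape-aware one, and adds the groups normalisation and allowed-groups check that the issue body below reasons about. The names NaiveLookup, EscapedLookup, SplitClaimPath, GroupsFromClaim and CheckAllowedGroups, and the sample claims map, are assumptions made for this example, not oauth2-proxy identifiers.

```go
package main

import "strings"

// Constructed sample ID-token claims, shaped as encoding/json decodes them (not a
// real token), modelled on the namespaced Auth0-style groups claim in this issue.
var sampleClaims = map[string]interface{}{
	"sub":                        "auth0|123",
	"https://example.com/groups": []interface{}{"abc", "admins"},
	"realm_access":               map[string]interface{}{"roles": []interface{}{"viewer"}},
}

// walk descends through nested JSON objects, one map key per path segment.
func walk(claims map[string]interface{}, segs []string) (interface{}, bool) {
	var cur interface{} = claims
	for _, seg := range segs {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = m[seg]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// NaiveLookup reproduces the failure from the thread: splitting on every "." turns
// "https://example.com/groups" into ["https://example", "com/groups"], so nothing matches.
func NaiveLookup(claims map[string]interface{}, path string) (interface{}, bool) {
	return walk(claims, strings.Split(path, "."))
}

// SplitClaimPath splits on "." but keeps a backslash-escaped dot ("\.") literal, so
// `https://example\.com/groups` is one key while "realm_access.roles" is two.
func SplitClaimPath(path string) []string {
	var segs []string
	var b strings.Builder
	escaped := false
	for _, r := range path {
		switch {
		case escaped:
			b.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == '.':
			segs = append(segs, b.String())
			b.Reset()
		default:
			b.WriteRune(r)
		}
	}
	if escaped { // a trailing backslash is kept literally rather than dropped
		b.WriteRune('\\')
	}
	return append(segs, b.String())
}

// EscapedLookup tries the configured string as a literal top-level claim name first
// (so an unescaped "https://example.com/groups" keeps working), then the escaped path.
func EscapedLookup(claims map[string]interface{}, path string) (interface{}, bool) {
	if v, ok := claims[path]; ok {
		return v, true
	}
	return walk(claims, SplitClaimPath(path))
}

// GroupsFromClaim normalises a claim value to []string (bare string or JSON array).
func GroupsFromClaim(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// CheckAllowedGroups is the allowed_groups decision the issue body describes: pass
// if the session holds any allowed group; an empty allow-list imposes no restriction.
func CheckAllowedGroups(sessionGroups, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, a := range allowed {
		for _, g := range sessionGroups {
			if g == a {
				return true
			}
		}
	}
	return false
}
```

Trying the literal claim name before parsing it as a path is the "detect whether the value is a path" idea from the comment above; its cost is an ambiguity when a token carries both a top-level key "a.b" and a nested a.b, in which case the literal key wins. Whichever rule is chosen, it has to be documented alongside the escape syntax, which is exactly the point raised earlier in the thread.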
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Not stale
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Not stale -.-
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Not stale
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
Not stale
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
I am using Auth0 as the OIDC provider. They only allow custom claims that are name-spaced. Therefore I can't use the default "groups" as the oidc_groups_claim. I override this in the configuration with a custom claim string (see below under steps to reproduce).
I get a successful 202 response from oauth proxy when there is no allowed_groups query parameter (see nginx config below). As soon as I add an allowed_groups query parameter with a single group to verify, I get a forbidden 403 error.
This response is incorrect as the user logged in is part of the group specified by the custom claim (see token below).
I have looked through the code and I believe oauthproxy.go checkAllowedGroups is returning false due to the session State not containing the group.
Expected Behavior
The method checkAllowedGroups should return true if the ID Token contains a custom group claim matching the query parameter. This would then mean oauth proxy returns 202 and lets the request through.
Current Behavior
Either the session state does not contain the groups based on the oidc_groups_claim OR it is not correctly matching from the query parameter.
Possible Solution
The code seems pretty well unit tested so I'm struggling to see where this could be going wrong. Perhaps a test around the extractAllowedEntities function.
The CreateSessionFromToken function seems to be well unit tested. However, I can't find a test that verifies token parsing with a custom groups claim actually populates the session state Group correctly.
I am sure this is a small fix. I imagine it to only be a small code change. Any assistance pointing me in the right direction would be great.
Steps to Reproduce (for bugs)
Legacy configuration
...
Nginx configuration
JWT ID Token
User Info Endpoint
Steps to reproduce
Context
I am trying to secure various upstream websites.
Your Environment
Tested with a docker compose setup. Used Ubuntu for both containers running nginx and oauth proxy. Ran from an M1 Mac.
Latest v7.3.0.linux-amd64 version, prebuilt binary downloaded from release