
FusionAuth issue submission project
https://fusionauth.io

LDAP Connector - roles not sent in JWT if assigned by group using api/login #1221

Open sw34 opened 3 years ago

sw34 commented 3 years ago

LDAP Connector - roles not sent in JWT if assigned by group using api/login

Description

I am testing the LDAP connector. The lambda is adding the registrations and group assignments as I would expect; however, when a user logs in using POST api/login, the roles granted by that group are not added to the JWT.

Affects versions

1.27.2

Steps to reproduce

Steps to reproduce the behavior — Step 1: use the lambda to add group memberships and registrations:

/**
 * LDAP connector reconcile lambda (group-membership variant).
 *
 * Copies directory attributes onto the FusionAuth user, registers the user
 * for one application and places the user in one group. The expectation in
 * this issue is that the group's roles then appear in the login JWT.
 * Mutates `user` in place and returns nothing.
 *
 * @param {Object} user - FusionAuth user object to populate (mutated).
 * @param {Object} userAttributes - attribute map read from the LDAP entry.
 */
function reconcile(user, userAttributes) {
  var directoryLogin = userAttributes.sAMAccountName;

  user.email = userAttributes.userPrincipalName;
  user.firstName = userAttributes.givenName;
  user.lastName = userAttributes.sn;
  // NOTE(review): active/verified are asserted unconditionally for every
  // reconciled user, regardless of the directory's own account state —
  // confirm that is intended rather than mirroring a directory attribute.
  user.active = true;
  user.verified = true;
  user.username = directoryLogin;

  // Registration for the application the JWT in this issue is issued for.
  var registration = {
    applicationId: "ba9969d4-8480-44f9-8be6-2ff7830074f7",
    username: directoryLogin,
    verified: true
  };

  // Roles are meant to come from this group rather than being set here.
  var membership = {
    groupId: "e2cb1e4d-c563-46a0-bb87-115ef4034672"
  };

  user.registrations = [registration];
  user.memberships = [membership];

  // Stable identity derived from the directory object GUID; guidToString
  // is provided outside this snippet.
  user.id = guidToString(userAttributes['objectGUID;binary']);
}

Step 2: Verify user

{
  "active" : true,
  "connectorId" : "63000e34-6fb3-48e2-b20a-f145e32947d9",
  "email" : "test@example.com",
  "encryptionScheme" : "salted-pbkdf2-hmac-sha256",
  "firstName" : "test",
  "id" : "69b02ce1-7b5e-4990-b542-e435d2cbd38e",
  "insertInstant" : 1620851299481,
  "lastLoginInstant" : 1620913197008,
  "lastName" : "test",
  "lastUpdateInstant" : 1620913196991,
  "memberships" : [ {
    "groupId" : "e2cb1e4d-c563-46a0-bb87-115ef4034672",
    "id" : "a8e5ac27-7288-4241-a9bd-a8f8f382d1bd",
    "insertInstant" : 1620913197004
  } ],
  "passwordChangeRequired" : false,
  "passwordLastUpdateInstant" : 1620913196986,
  "registrations" : [ {
    "applicationId" : "ba9969d4-8480-44f9-8be6-2ff7830074f7",
    "id" : "c2631564-6cb7-40f5-85dd-34883543a609",
    "insertInstant" : 1620913197000,
    "lastLoginInstant" : 1620913197008,
    "lastUpdateInstant" : 1620913197000,
    "roles" : [ "Admin", "Supervisor" ],
    "username" : "test",
    "usernameStatus" : "ACTIVE",
    "verified" : true
  } ],
  "tenantId" : "05880359-1caf-0ee6-96a4-e2d033371190",
  "twoFactor" : { },
  "uniqueUsername" : "test",
  "username" : "test",
  "usernameStatus" : "ACTIVE",
  "verified" : true
}

Step 3: User logs in via POST api/login

Results: User Logon JWT does NOT contain the roles:

{
  "aud": "ba9969d4-8480-44f9-8be6-2ff7830074f7",
  "exp": 1620920397,
  "iat": 1620913197,
  "iss": "example.com",
  "sub": "69b02ce1-7b5e-4990-b542-e435d2cbd38e",
  "jti": "6ced51f4-98b2-401c-adc2-5c60fea8abc7",
  "authenticationType": "LDAP_CONNECTOR",
  "email": "test@example.com",
  "email_verified": true,
  "preferred_username": "test",
  "applicationId": "ba9969d4-8480-44f9-8be6-2ff7830074f7",
  "roles": []
}

Step 4: Change Lambda to use roles instead of groups

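/**
 * LDAP connector reconcile lambda (direct-role variant, step 4 workaround).
 *
 * Same attribute mapping as the group variant, but the application roles are
 * pinned on the registration itself instead of being expected from a group.
 * This lambda does not assign `user.memberships`; the step-5 output still
 * shows the earlier membership on the user. Mutates `user` in place and
 * returns nothing.
 *
 * Change from the original snippet: the unused `superUser` local (a group
 * reference that was never attached to the user) is removed, so the code
 * no longer suggests a membership is being granted when it is not.
 *
 * @param {Object} user - FusionAuth user object to populate (mutated).
 * @param {Object} userAttributes - attribute map read from the LDAP entry.
 */
function reconcile(user, userAttributes) {
  user.email = userAttributes.userPrincipalName;
  user.firstName = userAttributes.givenName;
  user.lastName = userAttributes.sn;
  // NOTE(review): active/verified are asserted unconditionally for every
  // reconciled user, regardless of the directory's own account state —
  // confirm that is intended rather than mirroring a directory attribute.
  user.active = true;
  user.verified = true;

  user.username = userAttributes.sAMAccountName;

  var sfc = {
    applicationId: "ba9969d4-8480-44f9-8be6-2ff7830074f7",
    username: userAttributes.sAMAccountName,
    verified: true,
    // Roles hard-coded on the registration; these are what the step-6 JWT
    // carries in its "roles" claim.
    roles: ["Admin", "Supervisor"]
  };
  user.registrations = [sfc];

  // Stable identity derived from the directory object GUID; guidToString
  // is provided outside this snippet.
  user.id = guidToString(userAttributes['objectGUID;binary']);
}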

Step 5: Verify User

{
  "active" : true,
  "connectorId" : "63000e34-6fb3-48e2-b20a-f145e32947d9",
  "email" : "test@example.com",
  "encryptionScheme" : "salted-pbkdf2-hmac-sha256",
  "firstName" : "test",
  "id" : "69b02ce1-7b5e-4990-b542-e435d2cbd38e",
  "insertInstant" : 1620851299481,
  "lastLoginInstant" : 1620913355274,
  "lastName" : "test",
  "lastUpdateInstant" : 1620913355228,
  "memberships" : [ {
    "groupId" : "e2cb1e4d-c563-46a0-bb87-115ef4034672",
    "id" : "a8e5ac27-7288-4241-a9bd-a8f8f382d1bd",
    "insertInstant" : 1620913355270
  } ],
  "passwordChangeRequired" : false,
  "passwordLastUpdateInstant" : 1620913355225,
  "registrations" : [ {
    "applicationId" : "ba9969d4-8480-44f9-8be6-2ff7830074f7",
    "id" : "be533104-cbe5-4c4e-9e54-b23d6bd5a964",
    "insertInstant" : 1620913355266,
    "lastLoginInstant" : 1620913355274,
    "lastUpdateInstant" : 1620913355266,
    "roles" : [ "Admin", "Supervisor" ],
    "username" : "test",
    "usernameStatus" : "ACTIVE",
    "verified" : true
  } ],
  "tenantId" : "05880359-1caf-0ee6-96a4-e2d033371190",
  "twoFactor" : { },
  "uniqueUsername" : "test",
  "username" : "test",
  "usernameStatus" : "ACTIVE",
  "verified" : true
}

Step 6: User logs in via POST api/login

Results: User Logon JWT does contain the roles:

{
  "aud": "ba9969d4-8480-44f9-8be6-2ff7830074f7",
  "exp": 1620920555,
  "iat": 1620913355,
  "iss": "example.com",
  "sub": "69b02ce1-7b5e-4990-b542-e435d2cbd38e",
  "jti": "fbf70cb2-0053-49c7-bda2-b1af150ef88a",
  "authenticationType": "LDAP_CONNECTOR",
  "email": "test@example.com",
  "email_verified": true,
  "preferred_username": "test",
  "applicationId": "ba9969d4-8480-44f9-8be6-2ff7830074f7",
  "roles": [
    "Admin",
    "Supervisor"
  ]
}

Expected behavior

I would expect the group-assigned roles to be transferred to the JWT.

Platform

(Please complete the following information)

Related

mooreds commented 3 years ago

Can you please share your group definition for group e2cb1e4d-c563-46a0-bb87-115ef4034672?

sw34 commented 3 years ago
{
    "group": {
        "id": "e2cb1e4d-c563-46a0-bb87-115ef4034672",
        "insertInstant": 1603984383820,
        "lastUpdateInstant": 1620851818789,
        "name": "Super User",
        "roles": {
            "ba9969d4-8480-44f9-8be6-2ff7830074f7": [
                {
                    "id": "4ee2e0f5-7534-46c2-be0b-3372eb35e234",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "Admin"
                },
                {
                    "id": "468c3b81-98f1-488c-8c53-4634c5f26c0a",
                    "isDefault": true,
                    "isSuperRole": false,
                    "name": "Supervisor"
                }
            ],
            "4ecdb067-0fc8-4d15-91b6-c2a4f6b1d070": [
                {
                    "id": "88295c41-2e77-46b0-a10d-def034a79504",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "Env-ToolingAdmin"
                },
                {
                    "id": "09d851df-cd45-48cd-a385-4369a1b33c2b",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "Env-ToolKitUser"
                },
                {
                    "id": "888544e9-ee41-4bad-8d19-0ac2b637aeaa",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "PrePress-Admin"
                },
                {
                    "id": "a26d731d-da75-4b1b-bbfd-6fc8860f04ad",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "Sales-Admin"
                },
                {
                    "id": "08833128-0a61-45cb-bd47-f145af73b081",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "Purchasing-Admin"
                },
                {
                    "id": "bda009d7-e6b9-418c-a40f-b48d705db4a5",
                    "isDefault": false,
                    "isSuperRole": false,
                    "name": "Purchasing-User"
                }
            ]
        },
        "tenantId": "05880359-1caf-0ee6-96a4-e2d033371190"
    }
}
mooreds commented 3 years ago

@jobannon this looks like it might be a bug. We should try to replicate.