OpenIDC / mod_oauth2

OAuth 2.x Resource Server module for the Apache HTTPd web server
Apache License 2.0

Local validation of JWT access token #9

Closed vamshiengineer closed 4 years ago

vamshiengineer commented 4 years ago

Hi,

  1. I would like the OAuth module to validate the JWT access token locally, i.e. JWT signature validation, and grant access based on a claim like 'sub' or 'scope'. I am not seeing anything like this happening in the logs, nor how to do it in the configuration.
  2. LogLevel is set to debug and I see only logs from the oidc module (auth_openidc:debug). I do not see any logs from the oauth2 module.
  3. If I comment out the line "OAuth2TokenVerify introspect ...", I am not able to access the protected resource. I think local validation of the JWT should happen.

Configuration:

```apache
<Location /example/oauth20>
    AuthType oauth2
    Require valid-user

    OAuth2TokenVerify introspect https://xyz.com/introspect introspect.ssl_verify=false&introspect.auth=client_secret_post&client_id=clientid&client_secret=xxxxx=
    OAuth2TokenVerify jwks_uri https://xyz.com/jwks jwks_uri.ssl_verify=false

    OAuth2AcceptTokenIn environment name=OIDC_access_token
    OAuth2AcceptTokenIn query name=access_token
</Location>
```

Your help is highly appreciated.

vamshiengineer commented 4 years ago

Seeing one error in the SSL error log:

```
[oauth2:error] [pid 18620:tid 140443699689216] [client xxxx:xxx] _oauth2_jose_jwt_validate_iat: "iat" validation failure (1605173636): JWT was issued more than 60 seconds ago
```

zandbelt commented 4 years ago

you'll need to add verify.iat=skip to the options for OAuth2TokenVerify

vamshiengineer commented 4 years ago

Thanks for the quick reply. I set verify.iat.slack_before=60 and made sure that the JWT access token was issued less than a minute ago. Resource access is allowed.

  1. Can you help with the configuration for granting access based on a claim like sub or scope?
zandbelt commented 4 years ago

Depending on the version that you use, use either `Require claim sub <value>` or `Require oauth2_claim sub <value>`.

vamshiengineer commented 4 years ago

Hi, I am using the version mod_oauth2-3.1.0-1.el7.x86_64.rpm.

`Require claim sub user1` => It worked for both users user1 and user2.
`Require oauth2_claim sub user1` => Apache did not start.

Is there anything missed?

Thanks, Vamshi

zandbelt commented 4 years ago

You're on a version that does not support oauth2_claim (but claim).

vamshiengineer commented 4 years ago

Okay. I tried setting `Require claim sub user1` and `Require claim sub "user1"`. It did not work as per the configuration: it allowed JWT access tokens with sub set to either user1 or user2.

zandbelt commented 4 years ago

That's what it is supposed to do... user3 should not have access then.

vamshiengineer commented 4 years ago

I mean, it's allowing access to the resource with a JWT access token having either user1 or user2. It should allow only user1 as per the configuration.

vamshiengineer commented 4 years ago

We do not see any debug logs on this module.

zandbelt commented 4 years ago

You'll need to set `LogLevel oauth2:debug`.

vamshiengineer commented 4 years ago

Hi,

  1. Restriction of access based on claim value:
     a. My configuration had both 'Require valid-user' followed by 'Require claim sub '. It looks like the first one takes precedence. I updated the configuration to have only 'Require claim sub ...' and it started working.
     b. The suggested configuration format 'Require claim sub ' did not work. 'Require claim sub:' worked. A colon should be used instead of a space.

  2. LogLevel debug is already set at the global level. With this, the openidc module is logging debug messages; the oauth2 module is NOT. I tried setting LogLevel oauth2:debug as well. Debug logs are still not written for the oauth2 module.

Thanks, Vamshi

vamshiengineer commented 4 years ago

How do I set `Require claim claim_name:claim_value` when the claim has multiple values? E.g., the claim scope has multiple values like scope: "admin employee".

I want to restrict access to admins only. `Require claim scope:admin` did NOT work. Can you help with this configuration?

Thanks, Vamshi

zandbelt commented 4 years ago

It is not possible to match on a substring; if scope is returned as a JSON array you can match on an array element.
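Pulling the thread's answers together, here is an added example configuration (written for this page, not taken from the issue or from the mod_oauth2 documentation) of the local-validation setup the reporter was after. The host `xyz.com`, the `/example/oauth20` path and the `OIDC_access_token` variable name are the ones from the reporter's configuration; the 3600-second `verify.iat.slack_before` value is an assumed choice. The `Require claim name:value` form is the one the reporter found to work on mod_oauth2 3.1.0; newer releases use `Require oauth2_claim` instead.

```apache
# Added example, not from the issue or the project docs.
# Local JWT validation against the JWKS endpoint, with access restricted
# to tokens whose "scope" claim contains "admin".

# The module logs under its own tag; a global "LogLevel debug" is not enough.
LogLevel oauth2:debug

<Location /example/oauth20>
    AuthType oauth2

    # Local verification only: the signature is checked against the keys
    # published at the jwks_uri, so no introspection round trip is needed.
    # The default "iat" check rejected tokens issued more than 60 seconds
    # ago; widening the slack (3600 s here, an assumed value) keeps the
    # freshness check, whereas verify.iat=skip would disable it entirely.
    # Leave jwks_uri.ssl_verify at its default (enabled) outside a lab.
    OAuth2TokenVerify jwks_uri https://xyz.com/jwks verify.iat.slack_before=3600

    # Remote introspection, as an alternative (or fallback), kept for reference:
    # OAuth2TokenVerify introspect https://xyz.com/introspect introspect.auth=client_secret_post&client_id=clientid&client_secret=xxxxx=

    # Take the token from the variable mod_auth_openidc sets. Accepting it
    # from the query string is dropped: the token would land in access logs
    # and browser history.
    OAuth2AcceptTokenIn environment name=OIDC_access_token

    # No "Require valid-user" here: several Require lines default to
    # RequireAny, so valid-user alone would admit any valid token.
    # The value is matched exactly against a string claim, or against an
    # element if "scope" is a JSON array; a space-separated string such as
    # "admin employee" is not searched for substrings.
    Require claim scope:admin
</Location>
```

If the authorization server emits `scope` as a single space-separated string, matching on it with `Require claim` is not possible; either have the server emit it as a JSON array, or restrict on a claim that carries one value (for example `Require claim sub:user1`, which admits user1 only).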

vamshiengineer commented 4 years ago

Ok. Thanks for your support.