ServiceStack / Issues

Issue Tracker for the commercial versions of ServiceStack

Bug in the Permissions claim parsing in ServiceStack v6.5.0 and newer #794

Closed gdkita closed 1 year ago

gdkita commented 1 year ago

Describe the issue

After upgrading from ServiceStack 6.0.2 to 6.9.0 our JWT verification stopped working.

Our code uses JwtAuthProviderReader to validate a token generated by another service and the solution we are using works up until version 6.4.0. Once we upgrade to version 6.5.0 we can no longer generate AuthUserSession by using JwtAuthProviderReader.

We have done some debugging and discovered that in version 6.5.0 and up the code responsible for parsing the Permissions claim (the same is valid for the Roles claim too) has changed from:

case "perms":
case "Permissions":
    session.Permissions = entry.Value.FromJson<List<string>>();
    break;

to

case "perms":
case "Permissions":
    var jsonPerms = jsonObj != null
        ? jsonObj.GetUnescaped("perms") ?? jsonObj.GetUnescaped("Perms")
        : entry.Value;
    session.Permissions = jsonPerms.FromJson<List<string>>();
    break;

The code is located in class ServiceStack.Auth.UserAuth line 493 in version 6.5.0 (the code is quite similar in 6.9.0 as well).

This causes an error if the claim perms is not present in the token. We have only the Permissions claim in our token, which results in the method GetUnescaped throwing a KeyNotFound exception when it tries to extract data from perms.

Additionally, if the perms claim is not present in the JWT, jsonObj.GetUnescaped will not attempt to extract data from the Perms claim, but will silently fail, unless you are running the code with Source Link debugging. (The same is valid for the Roles claim.)

The end result is that even if the JWT is correct, the claim parsing error will prevent a user session from being established. As a side effect, if the permissions and roles are stored in any other claim than the explicit perms and roles, they will not be populated.

Reproduction

Create a valid JWT containing a claim Permissions and without adding a claim perms in it. Set up the AuthFeature plugin:

appHost.Plugins.Add(
    new AuthFeature(() => 
        new AuthUserSession(),
        new IAuthProvider[] {
            new JwtAuthProviderReader {
                // setup an appropriate configuration
            }
        }
    )
);

Once you attempt to access a REST endpoint and verify the user session, that session will not be filled with the correct information from the token and under debug mode you will see KeyNotFound error triggered by the extension method GetUnescaped.

Expected behavior

After the JWT is validated and the claims parsed a correct AuthUserSession should be established containing the correct permissions and roles stored in the Permissions and Roles claims respectively.

System Info

ServiceStack 6.9.0 (error validated against 6.5.0 and persists in 6.9.0)
.NET 6

Additional context

For information related to the ServiceStack licence please contact bjoern.hultqvist@gogift.com

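The failure mode described in this report, as an added example that is not ServiceStack's own code: a dictionary indexer stands in for the JsonObject lookup, the "buggy" lookup throws before the `??` fallback can run, and the "fixed" lookup probes each accepted claim name without throwing. The payload and helper names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

class ClaimParsingDemo
{
    // Constructed JWT payload: only a "Permissions" claim, no "perms"/"Perms".
    const string PayloadJson = @"{""sub"":""user1"",""Permissions"":[""read"",""write""]}";

    // Hypothetical stand-in for the parsed token body: claim name -> raw JSON text.
    static Dictionary<string, string> ParseClaims(string json)
    {
        var claims = new Dictionary<string, string>();
        using var doc = JsonDocument.Parse(json);
        foreach (var prop in doc.RootElement.EnumerateObject())
            claims[prop.Name] = prop.Value.GetRawText();
        return claims;
    }

    // Mirrors the reported 6.5.0 behaviour: the lookup of "perms" throws
    // KeyNotFoundException, so the ?? fallback to "Perms" is never evaluated
    // and "Permissions" is never consulted at all.
    static List<string> PermissionsBuggy(Dictionary<string, string> claims)
    {
        var jsonPerms = claims["perms"] ?? claims["Perms"];
        return JsonSerializer.Deserialize<List<string>>(jsonPerms) ?? new List<string>();
    }

    // Non-throwing lookup: try each accepted claim name in turn and fall back
    // to an empty list, so a valid token still yields a populated session.
    static List<string> PermissionsFixed(Dictionary<string, string> claims)
    {
        foreach (var name in new[] { "perms", "Perms", "Permissions" })
            if (claims.TryGetValue(name, out var jsonPerms))
                return JsonSerializer.Deserialize<List<string>>(jsonPerms) ?? new List<string>();
        return new List<string>();
    }

    static void Main()
    {
        var claims = ParseClaims(PayloadJson);
        try
        {
            PermissionsBuggy(claims);
        }
        catch (KeyNotFoundException ex)
        {
            Console.WriteLine($"buggy lookup: {ex.GetType().Name} -> no AuthUserSession established");
        }
        Console.WriteLine("fixed lookup: " + string.Join(",", PermissionsFixed(claims)));
    }
}
```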

mythz commented 1 year ago

It should now be reading "Permissions" from this commit. This change is now available from v6.9.1+ that's now available on MyGet.

Can you also please get Björn to update the Licenses registered support contact as you're currently not an authorized user, thanks.