SoftInstigate / restheart

Rapid API Development with MongoDB
https://restheart.org
GNU Affero General Public License v3.0

JwtAuthenticationMechanism cannot instantiate #447

Closed zaltanar closed 1 year ago

zaltanar commented 1 year ago

The JwtAuthenticationMechanism never instantiates, due to configuration problems with fixedRoles and claimRoles.

Expected Behavior

The plugin should start when setting value for fixedRoles or claimRoles (but not both).

Current Behavior

When setting either one or the other of these parameters, the instantiation fails because the plugin wants the empty one to be not null. But when setting both, the instantiation fails because both are set.

Context

Trying to authorize user with a JWT token generated from a centralized authentication mechanism.

Environment

Running on K8S with: softinstigate/restheart:7.2.3, bitnami/mongodb:6.0-debian-11

Steps to Reproduce

    /jwtAuthenticationMechanism:
      enabled: true
      base64Encoded: false
      algorithm: HS256
      key: secret
      usernameClaim: email
      issuer: myIssuer
      audience: myClientId
      rolesClaim: null
      fixedRoles:
        - jwt-gitlab

    08:43:59.209 [main] DEBUG org.restheart.plugins.PluginsFactory - Injecting config into field config of class org.restheart.security.mechanisms.JwtAuthenticationMechanism
    08:43:59.213 [main] ERROR org.restheart.Bootstrapper - Error instantiating plugins
    org.restheart.configuration.ConfigurationException: Error injecting dependencies into Authentication Mechanism jwtAuthenticationMechanism
            at org.restheart.plugins.PluginsFactory.invokeOnInitMethods(PluginsFactory.java:398)
    Caused by: org.restheart.configuration.ConfigurationException: The plugin requires the argument 'rolesClaim'
            at org.restheart.plugins.ConfigurablePlugin.argValue(ConfigurablePlugin.java:42)
    08:43:59.213 [main] INFO  org.restheart.Bootstrapper - Stopping RESTHeart...
    08:43:59.213 [main] INFO  org.restheart.Bootstrapper - Removing the pid file /var/run/restheart-0.pid
    08:43:59.213 [main] INFO  org.restheart.Bootstrapper - Cleaning up temporary directories...
    08:43:59.214 [main] INFO  org.restheart.Bootstrapper - RESTHeart stopped

Other tests:

      rolesClaim: groups_direct
      fixedRoles:
        - jwt-gitlab

    Caused by: org.restheart.configuration.ConfigurationException: wrong JWT configuration, cannot set both 'rolesClaim' and 'fixedRoles'

      rolesClaim: groups_direct
      fixedRoles:
      #  - jwt-gitlab

    Caused by: org.restheart.configuration.ConfigurationException: The plugin requires the argument 'fixedRoles'

Possible Implementation

I think this code makes both parameters mandatory: https://github.com/SoftInstigate/restheart/blob/8de33c30b765ce6c18ba76b7d2e6875d4e790e00/security/src/main/java/org/restheart/security/mechanisms/JwtAuthenticationMechanism.java#L97

ujibang commented 1 year ago

Fixed in 7.2.5

The code that you pointed out, arg(config, "rolesClaim") and arg(config, "fixedRoles"); in JwtAuthenticationMechanism, makes the properties rolesClaim and fixedRoles both mandatory by throwing ConfigurationException if the keys are not present in config.

This is fixed simply by using argOrDefault(config, "rolesClaim", null).

However, there is another bug in your case. Setting rolesClaim: null should definitely work; in this case arg(config, "rolesClaim") actually returns null and does not throw ConfigurationException.

To demonstrate this, try the following; it works:

$ RHO='/jwtAuthenticationMechanism/enabled->true;/jwtAuthenticationMechanism/rolesClaim->null;/jwtAuthenticationMechanism/fixedRoles->["admin"]' java -jar restheart.jar

Overriding rolesClaim via the RHO env variable works. When overriding via the JSON override file, it does not.

I figured out that Gson, which is used to parse the configuration override JSON file, does not serialize keys with null values by default. It needs to be set up accordingly.

This is fixed in 7.2.5 as well.

Thanks, you killed two birds with one stone!

Test it and reopen the issue if you find any problem.

(It takes up to 1h for the artifacts to be available from Maven Central, but the Docker images are already available.)
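Added example in Java, not RESTHeart's own code: stand-in helpers for the mandatory arg() versus argOrDefault() behaviour discussed in this issue, the check that exactly one of rolesClaim and fixedRoles is set, and a Gson round trip showing why an explicit `rolesClaim: null` disappears from an override unless serializeNulls() is enabled. The class and method names are assumptions, the override map is constructed inline, and Gson is assumed to be on the classpath.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not RESTHeart code: a stand-in for the plugin's argument helpers
// and the mutual-exclusion check between 'rolesClaim' and 'fixedRoles'.
@SuppressWarnings("unchecked")
public class JwtRolesConfigCheck {
    static class ConfigurationException extends RuntimeException {
        ConfigurationException(String msg) { super(msg); }
    }
    // Mandatory argument: throws only when the key is absent (as described for arg()); a key present with a null value returns null.
    static <V> V arg(Map<String, Object> config, String key) {
        if (!config.containsKey(key)) throw new ConfigurationException("The plugin requires the argument '" + key + "'");
        return (V) config.get(key);
    }
    // Optional argument: an absent key and an explicit null both yield the default.
    static <V> V argOrDefault(Map<String, Object> config, String key, V dflt) {
        Object v = config.get(key);
        return v == null ? dflt : (V) v;
    }

    // Exactly one role source must be configured; both or neither is rejected at startup.
    static void validateRoleSource(Map<String, Object> config) {
        String rolesClaim = argOrDefault(config, "rolesClaim", null);
        List<String> fixedRoles = argOrDefault(config, "fixedRoles", null);
        if (rolesClaim != null && fixedRoles != null) throw new ConfigurationException("wrong JWT configuration, cannot set both 'rolesClaim' and 'fixedRoles'");
        if (rolesClaim == null && fixedRoles == null) throw new ConfigurationException("wrong JWT configuration, one of 'rolesClaim' or 'fixedRoles' is required");
    }

    public static void main(String[] args) {
        // Constructed override mirroring the issue: rolesClaim explicitly null, fixedRoles set.
        Map<String, Object> override = new HashMap<>();
        override.put("rolesClaim", null);
        override.put("fixedRoles", List.of("jwt-gitlab"));
        validateRoleSource(override); // accepted: exactly one source is set
        // Default Gson drops null-valued keys when writing, so after a JSON round trip
        // the mandatory-style arg() no longer sees 'rolesClaim' and throws.
        Map<String, Object> lossy = new Gson().fromJson(new Gson().toJson(override), Map.class);
        try { arg(lossy, "rolesClaim"); } catch (ConfigurationException e) { System.out.println("default Gson: " + e.getMessage()); }
        // With serializeNulls() the key survives the round trip and arg() returns null instead.
        Gson keepNulls = new GsonBuilder().serializeNulls().create();
        Map<String, Object> kept = keepNulls.fromJson(keepNulls.toJson(override), Map.class);
        System.out.println("serializeNulls: rolesClaim present = " + kept.containsKey("rolesClaim"));
    }
}
```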