Closed zaltanar closed 1 year ago
Fixed in 7.2.5
The code that you pointed out, arg(config, "rolesClaim") and arg(config, "fixedRoles") in JwtAuthenticationMechanism, makes the properties rolesClaim and fixedRoles both mandatory by throwing ConfigurationException if the keys are not present in config.
This is fixed simply using argOrDefault(config, "rolesClaim", null).
However there is another bug in your case. Setting rolesClaim: null should definitely work; in this case arg(config, "rolesClaim") actually returns null and does not throw ConfigurationException.
To demonstrate this, try the following; it works:
$ RHO='/jwtAuthenticationMechanism/enabled->true;/jwtAuthenticationMechanism/rolesClaim->null;/jwtAuthenticationMechanism/fixedRoles->["admin"]' java -jar restheart.jar
Overriding rolesClaim via the RHO env variable works. When overriding via the json override file it does not.
I figured out that Gson, which is used to parse the configuration override json file, does not serialize keys with null values by default. It needs to be set up accordingly.
This is fixed in 7.2.5 as well.
Thanks, you killed two birds with a stone!
Test it and reopen the issue if you find any problem.
(takes up to 1h to have the artifacts available from maven central but the docker images are already available).
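The two behaviours described in the comment above, as an added illustration that is not code from the RESTHeart project: default Gson drops a null-valued key on serialization (so a round-tripped override loses rolesClaim), while serializeNulls() keeps it; the arg()/argOrDefault() methods here are simplified stand-ins for the project's own helpers, written only to show the missing-key versus explicit-null distinction.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.reflect.TypeToken;
import java.lang.reflect.Type;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RolesClaimConfigDemo {
    // Stand-in for the project's exception type (hypothetical, not the real class).
    static class ConfigurationException extends RuntimeException {
        ConfigurationException(String msg) { super(msg); }
    }

    // Stand-in for arg(): a missing key is an error, an explicit null is returned as-is.
    static Object arg(Map<String, Object> config, String key) {
        if (!config.containsKey(key)) {
            throw new ConfigurationException("missing required configuration key: " + key);
        }
        return config.get(key);
    }

    // Stand-in for argOrDefault(): a missing key yields the default instead of an error.
    static Object argOrDefault(Map<String, Object> config, String key, Object def) {
        return config.containsKey(key) ? config.get(key) : def;
    }

    public static void main(String[] args) {
        // Constructed override fragment: rolesClaim explicitly null, fixedRoles set.
        Map<String, Object> override = new LinkedHashMap<>();
        override.put("rolesClaim", null);
        override.put("fixedRoles", List.of("admin"));

        // Default Gson omits "rolesClaim" entirely; serializeNulls() emits "rolesClaim":null.
        String dropped = new Gson().toJson(override);
        String kept = new GsonBuilder().serializeNulls().create().toJson(override);
        System.out.println("default Gson:        " + dropped);
        System.out.println("serializeNulls Gson: " + kept);

        Type mapType = new TypeToken<Map<String, Object>>() {}.getType();
        Map<String, Object> cfgDropped = new Gson().fromJson(dropped, mapType);
        Map<String, Object> cfgKept = new Gson().fromJson(kept, mapType);

        try {
            arg(cfgDropped, "rolesClaim"); // key vanished, so this is treated as missing
        } catch (ConfigurationException e) {
            System.out.println("default Gson round-trip: " + e.getMessage());
        }
        System.out.println("serializeNulls round-trip: rolesClaim = " + arg(cfgKept, "rolesClaim"));
        // argOrDefault tolerates the missing key, the other half of the 7.2.5 fix.
        System.out.println("argOrDefault on dropped key: " + argOrDefault(cfgDropped, "rolesClaim", null));
    }
}
```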
The JwtAuthenticationMechanism never instantiates, due to configuration problems with fixedRoles and claimRoles.
Expected Behavior
The plugin should start when setting value for fixedRoles or claimRoles (but not both).
Current Behavior
When setting either one or the other of these parameters the instantiation fails because the plugin wants the empty one to be not null. But when setting both, the instantiation fails because both are set.
Context
Trying to authorize user with a JWT token generated from a centralized authentication mechanism.
Environment
Running on K8S with: softinstigate/restheart:7.2.3, bitnami/mongodb:6.0-debian-11
Steps to Reproduce
Other tests:
Possible Implementation
I think this code makes both parameters mandatory: https://github.com/SoftInstigate/restheart/blob/8de33c30b765ce6c18ba76b7d2e6875d4e790e00/security/src/main/java/org/restheart/security/mechanisms/JwtAuthenticationMechanism.java#L97