
Gravitee.io - API Platform - Issues

[AM][gateway] JWT Bearer- can't use dynamic scope / role mapper #3534

Open bcollard opened 4 years ago

bcollard commented 4 years ago

When using the JWT bearer flow, I'm not able to use the role mapper with my LDAP IdP. I can map user attributes to claims but I can't map group membership to roles.

I double checked the group config in the LDAP IdP and the LDAP structure.

ISSUE copied from #3530 and adapted to the JWT bearer flow.

Expected Behavior

Given the following config for the Domain:

Domain (screenshot)

Provider (screenshot)

Role (screenshot)

LDAP provider role mapping (screenshot)

JWT Bearer config (screenshot)

Client settings (in domain config) (screenshot)

For the Client:

Client config (screenshot)

Client custom claim to get roles (screenshot)

Current Behavior

If the user is a member of the admins group, then he should be assigned the role "APP_ADMIN" and the scope "APP_ADMIN" should be added to the OAuth response.

But the role is not attached to the User AND the dynamic scope is not automatically added.

Request assertion

eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJqZG9lIiwiYXVkIjoiZ3Jhdml0ZWUgQU0iLCJpc3MiOiJodHRwOi8vdHJ1c3RlZC1wZWVyLWRlbW8iLCJleHAiOjE1ODY4MjEwMDAsImlhdCI6MTU4NjgwNjYwMH0.TGfDnXj2MR-0mBB-YeYTbfPV_DHJV_HRhNlmfkDmDXa4YWSJfWBgMo0Gup5XHScxbLPgjXkGgEDQth5-FNrw3_x6Fcz4CQOap_S9Eju0ERvlfMVi91LioYpxFuBqpQYlMuNC-6DAwVlePz4umStIocwlbq53Pn9v-sGb9iyGCUk7AKwEkFIEoRwOH86PvRoywaZLmN2yoPj3XFs-tsvhoGCmBN-dG-IU3OZGky1eWUd2NZYX7I9fH8zkgmHzDaHVNmNRYDCWRxG2EC-LoAGUO5-4knjDD09MFAq8XpPWSjbO06lPQK7x509zj1CTIZgXlCQLS4aJGfKvNmPZWzzXww

Response payload

{
  "access_token" : "eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IkhTMjU2In0.eyJzdWIiOiJqZG9lIiwiYXVkIjoidGVzdGluZy1jbGllbnQiLCJkb21haW4iOiJvaWRjLWxkYXAiLCJzY29wZSI6Im9wZW5pZCByb2xlcyBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdC9hbS9vaWRjLWxkYXAvb2lkYyIsImV4cCI6MTU4NjgxODY4MCwiaWF0IjoxNTg2ODExNDgwLCJqdGkiOiJ5czExT2NvVElHc3dNampHVHVQNDdnaVJNc1kifQ.tgO3SeYkntEGNPdOwFE5IUZjEzpELcI9n0NIgq3B-pU",
  "token_type" : "bearer",
  "expires_in" : 7199,
  "scope" : "openid roles profile",
  "id_token" : "eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IkhTMjU2In0.eyJzdWIiOiJqZG9lIiwiYXVkIjoidGVzdGluZy1jbGllbnQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0L2FtL29pZGMtbGRhcC9vaWRjIiwibmlja25hbWUiOiJET0UsIEpvaG4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJqZG9lIiwiZXhwIjoxNTg2ODI1ODgwLCJnaXZlbl9uYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1ODY4MTE0ODB9.g6SqaJPswyPJef1HNHmjveMElGd5Apb1LX8_w9qgqQg"
}

Steps to Reproduce (for bugs)

  1. OPTIONAL: git pull that openldap docker repo: https://github.com/bcollard/simple-openldap-docker (so that you see how the image runs in the next step and you can have a look at the LDIF)
  2. use that modified docker-compose.yml (picked from https://docs.gravitee.io/am/2.x/am_installguide_docker.html) with the LDAP service added: https://gist.github.com/bcollard/881b74433b3ea8bb85448fef67cbfb4a
  3. run Apache Directory Studio and have a look at the LDAP structure (localhost:389; bind DN: cn=gravitee-am,ou=service-accounts,dc=mycompany,dc=corp; bind pwd: gravitee-am; base DN: dc=mycompany,dc=corp)
  4. configure the AM as described above

Signature public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3nqaW/7T6VU3R2yfuC4ORMvhv/oVMI/qPlrovWVW2zVKWbxlsmzv9yD7dlZIjdptbC39P0CsMuRjPZS4XsRoVDpYpcvgKhfFhX+NkgFkcahM0X96ts/7C6p50sXBp6yz8XSHX93FeRx8WAEJGaTrpZNMaZty6o8UvZ3R6bZcDhwjOjeRL00M800bUT31Dcptdk9NqBd1SgGegY6GP2grABkMYnWDJZ6rEunq5DYM+oC4/WPb53BTmsUTPrN+NvGLPcUAVG9m+Syj79TAqQs0H/r9cPCTBAS64/r3BZusvuH0jp4DwyIOv76zEgRuKZCXjPBg6F/DtWOYgHntgWb5

Signature private key:

-----BEGIN RSA PRIVATE KEY-----
[private key material removed from the page]
-----END RSA PRIVATE KEY-----

  5. run this command: curl -X POST "http://localhost/am/oidc-ldap/oauth/token?client_id=testing-client&client_secret=testing-client&scope=openid%20roles%20profile&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJqZG9lIiwiYXVkIjoiZ3Jhdml0ZWUgQU0iLCJpc3MiOiJodHRwOi8vdHJ1c3RlZC1wZWVyLWRlbW8iLCJleHAiOjE1ODY4MjEwMDAsImlhdCI6MTU4NjgwNjYwMH0.TGfDnXj2MR-0mBB-YeYTbfPV_DHJV_HRhNlmfkDmDXa4YWSJfWBgMo0Gup5XHScxbLPgjXkGgEDQth5-FNrw3_x6Fcz4CQOap_S9Eju0ERvlfMVi91LioYpxFuBqpQYlMuNC-6DAwVlePz4umStIocwlbq53Pn9v-sGb9iyGCUk7AKwEkFIEoRwOH86PvRoywaZLmN2yoPj3XFs-tsvhoGCmBN-dG-IU3OZGky1eWUd2NZYX7I9fH8zkgmHzDaHVNmNRYDCWRxG2EC-LoAGUO5-4knjDD09MFAq8XpPWSjbO06lPQK7x509zj1CTIZgXlCQLS4aJGfKvNmPZWzzXww"

  6. as you can see in the response payload, the scope is not added and neither is the roles claim.
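To check the reported behaviour offline, without a running AM, here is an added example (not code from the issue or from Gravitee) that decodes the JWT-bearer assertion and the two tokens returned in the response above using only the Python standard library, then reports whether the dynamic scope and the roles claim made it into the access token. The token strings are copied from the issue; the expected scope name APP_ADMIN and the claim name "roles" come from the expected behaviour described above. It does not verify signatures, so it is a diagnostic aid for comparing what was requested with what was issued, never a token validator.

```python
import base64
import json
from typing import Dict, List, Tuple

# Tokens copied from the issue: the RS256 assertion the client sent to the
# token endpoint, and the HS256 access_token / id_token that AM returned.
ASSERTION = (
    "eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IlJTMjU2In0."
    "eyJzdWIiOiJqZG9lIiwiYXVkIjoiZ3Jhdml0ZWUgQU0iLCJpc3MiOiJodHRwOi8vdHJ1c3RlZC1wZWVyLWRlbW8iLCJleHAiOjE1ODY4MjEwMDAsImlhdCI6MTU4NjgwNjYwMH0."
    "TGfDnXj2MR-0mBB-YeYTbfPV_DHJV_HRhNlmfkDmDXa4YWSJfWBgMo0Gup5XHScxbLPgjXkGgEDQth5-FNrw3_x6Fcz4CQOap_S9Eju0ERvlfMVi91LioYpxFuBqpQYlMuNC-6DAwVlePz4umStIocwlbq53Pn9v-sGb9iyGCUk7AKwEkFIEoRwOH86PvRoywaZLmN2yoPj3XFs-tsvhoGCmBN-dG-IU3OZGky1eWUd2NZYX7I9fH8zkgmHzDaHVNmNRYDCWRxG2EC-LoAGUO5-4knjDD09MFAq8XpPWSjbO06lPQK7x509zj1CTIZgXlCQLS4aJGfKvNmPZWzzXww"
)
ACCESS_TOKEN = (
    "eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IkhTMjU2In0."
    "eyJzdWIiOiJqZG9lIiwiYXVkIjoidGVzdGluZy1jbGllbnQiLCJkb21haW4iOiJvaWRjLWxkYXAiLCJzY29wZSI6Im9wZW5pZCByb2xlcyBwcm9maWxlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdC9hbS9vaWRjLWxkYXAvb2lkYyIsImV4cCI6MTU4NjgxODY4MCwiaWF0IjoxNTg2ODExNDgwLCJqdGkiOiJ5czExT2NvVElHc3dNampHVHVQNDdnaVJNc1kifQ."
    "tgO3SeYkntEGNPdOwFE5IUZjEzpELcI9n0NIgq3B-pU"
)
ID_TOKEN = (
    "eyJraWQiOiJkZWZhdWx0LWdyYXZpdGVlLUFNLWtleSIsImFsZyI6IkhTMjU2In0."
    "eyJzdWIiOiJqZG9lIiwiYXVkIjoidGVzdGluZy1jbGllbnQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0L2FtL29pZGMtbGRhcC9vaWRjIiwibmlja25hbWUiOiJET0UsIEpvaG4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJqZG9lIiwiZXhwIjoxNTg2ODI1ODgwLCJnaXZlbl9uYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1ODY4MTE0ODB9."
    "g6SqaJPswyPJef1HNHmjveMElGd5Apb1LX8_w9qgqQg"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Return (header, claims) of a compact JWS WITHOUT checking its signature.

    Diagnostic only: it shows what the issuer put in the token, not whether the
    token is authentic. Acceptance decisions must go through a real verifier
    that pins the expected alg and key for each token type.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_role_mapping(access_token: str, expected_scope: str,
                       roles_claim: str = "roles") -> Dict:
    """Report whether the dynamic scope and the roles claim reached the token.

    expected_scope is the scope the role mapper should have added (APP_ADMIN in
    the issue); roles_claim is the custom claim name configured on the client.
    """
    header, claims = decode_jwt(access_token)
    granted: List[str] = claims.get("scope", "").split()
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "granted_scopes": granted,
        "has_dynamic_scope": expected_scope in granted,
        "has_roles_claim": roles_claim in claims,
        "lifetime_seconds": claims["exp"] - claims["iat"],
    }


if __name__ == "__main__":
    for name, token in (("assertion", ASSERTION), ("access_token", ACCESS_TOKEN),
                        ("id_token", ID_TOKEN)):
        hdr, body = decode_jwt(token)
        print(f"{name}: alg={hdr.get('alg')} claims={body}")
    print(check_role_mapping(ACCESS_TOKEN, "APP_ADMIN"))
```

Running it reproduces the report's "current behaviour" from the captured response: the access token's scope is exactly the requested "openid roles profile", APP_ADMIN is absent, and there is no "roles" claim. Decoding the headers also shows the two token kinds are signed differently (the assertion is RS256 against the public key configured in the JWT Bearer settings, the issued tokens are HS256 by the domain), which is why any verifier should pin the expected alg per token type rather than trust the header it receives.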

bcollard commented 4 years ago

And yes, that works with the authorization code grant type, not the JWT bearer. Dynamic scopes + 'roles' claim are present.