greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0
1.39k stars 70 forks

breakfix: RBAC can't access [realm_access-roles] #345

Open bakabaka0613 opened 2 months ago

bakabaka0613 commented 2 months ago

**Describe the issue**

RBAC can't access:

**Expected behavior** According to the documentation, by default the plugin should find role information in the following token fields:

qrkourier commented 1 month ago

I believe I am experiencing this issue and have documented my approach to setting app_metadata.authorization.roles in this Auth0 thread.

I think the next step for me to confirm the condition is to find a way to access the portal's /whoami page so I can inspect the token received by Caddy Security. Presently, I am always redirected to /login when I visit that page, even when I'm already authenticated.

EDIT: I found the tokens in the log

        authentication portal authn {
            crypto default token lifetime 3600
            crypto key sign-verify {env.JWT_SHARED_KEY}
            enable identity provider auth0
            cookie domain {$ZROK_DNS_ZONE}
            ui {
                links {
                    "Homepage" "https://www.example.com" icon "las la-home"
                    "My Account Info" "/whoami" icon "las la-user"
                }
            }
        }

        authorization policy authz {
            set auth url https://auth.example.com/oauth2/generic
            crypto key verify {env.JWT_SHARED_KEY}
            allow roles user
            validate bearer header
            inject headers with claims
        }

qrkourier commented 1 month ago

Although I cannot access the portal's account info page when the provider is enabled (link to open issue describing the same symptom), only when local store is enabled, I do see the debug logs that include the id token and access token from the provider.

Strangely, the access token has no claims. Only the header and signature are defined. The OAuth 2.0 server access token from Auth0, which is a JWT, looks like this asdklfjhasdkljh..lkjhasdlkjhasdlkjhsadlkjhasdflkjhasdf (zero bytes in the claimset between header and signature).

Then Caddy Security does something unexpected.

DEBUG: decoded claims from OAuth 2.0 authorization server access token

The claims shown next are from the OIDC id token, not the OAuth access token. Maybe Caddy Security has confused the two?
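An added illustration of the two points in the comment above, written for this page and not taken from caddy-security or go-authcrunch: a token of the form `header..signature` carries no claim set and must be treated as opaque rather than read for roles, while a real claim set may hold roles at nested paths such as `realm_access.roles` or `app_metadata.authorization.roles`. The function names and the two claim paths are assumptions for the example; it deliberately does no signature verification, which belongs to the authorization policy's `crypto key verify`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// ErrEmptyClaims marks a "header..signature" token: zero bytes in the claim set, so opaque to us.
var ErrEmptyClaims = errors.New("token has no claim set; treat it as opaque, not as a JWT")
// decodeClaims decodes the payload segment of a compact JWS. It does NOT verify the signature;
// that stays with the authorization policy (crypto key verify), so roles here are untrusted input.
func decodeClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("expected three dot-separated segments")
	}
	if parts[1] == "" {
		return nil, ErrEmptyClaims
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	claims := map[string]interface{}{}
	return claims, json.Unmarshal(raw, &claims)
}

// rolesFromClaims collects roles from the nested claim paths named in this issue (assumed paths).
func rolesFromClaims(claims map[string]interface{}) []string {
	var roles []string
	for _, path := range [][]string{{"realm_access", "roles"}, {"app_metadata", "authorization", "roles"}} {
		var cur interface{} = claims
		for _, key := range path {
			if m, ok := cur.(map[string]interface{}); ok {
				cur = m[key]
			} else {
				cur = nil
			}
		}
		list, _ := cur.([]interface{}) // an absent or non-array path contributes no roles
		for _, r := range list {
			if s, ok := r.(string); ok {
				roles = append(roles, s)
			}
		}
	}
	return roles
}
```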

greenpau commented 1 month ago

> The claims shown next are from the OIDC id token

@qrkourier , see the below source code references. https://github.com/search?q=repo%3Agreenpau%2Fgo-authcrunch%20id_token&type=code

Happy to jump on google meet to troubleshoot. Feel free to reach me on LinkedIn.