hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0

JWT `claims_map` does not work when `claims_format` is `stringified_json` #8341

Open ahobsonsayers opened 2 years ago

ahobsonsayers commented 2 years ago

Version Information

Server Version: v2.2.2

Environment

Cloud

What is the expected behaviour?

claims_map with valid JSONPaths can be used when claims_format is stringified_json

Keywords

jwt, claims_map, claims_format, stringified_json, cognito, jsonpath

What is the current behaviour?

When JWT claims_format is stringified_json, you are not able to specify a claims_map with JSON Paths. If you do, you get the following error when making a query or mutation:

JWT claim from claims_map, x-hasura-user-id not found

How to reproduce the issue?

  1. Set the HASURA_GRAPHQL_JWT_SECRET environment variable to:

     ```json
     {
       "type": "RS256",
       "jwk_url": "https://<cognito-user-pool-url>/.well-known/jwks.json",
       "issuer": "https://<cognito-user-pool-url>",
       "claims_namespace": "test",
       "claims_format": "stringified_json",
       "claims_map": {
         "x-hasura-user-id": { "path": "$.test.user_id" },
         "x-hasura-default-role": { "path": "$.test.default_role", "default": "user" },
         "x-hasura-allowed-roles": { "path": "$.test.roles", "default": ["user"] }
       },
       "header": { "type": "Authorization" }
     }
     ```

  2. Attempt to make a query/mutation

Any possible solutions?

Sorry, no!

Can you identify the location in the source code where the problem exists?

No :(

If the bug is confirmed, would you be willing to submit a PR?

Unfortunately not

purugupta99 commented 2 years ago

Hi @ahobsonsayers, when you are using claims_map, you cannot use claims_namespace or claims_format; you need to have the claims map as a proper JSON object. This is due to the fact that namespace and map are 2 different methods to provide the JWT config to hasura. If claims_namespace is set, hasura will try to find the required/default keys in the root of the namespace, whereas when claims_map is set, hasura will try to find the keys on the specified paths, hence these methods are quite different from each other and should not be used together. (claims_format cannot be used with claims_map; this follows from the point that we need a new key to assign the json string, but there isn't a way to convey this new key name to hasura.)

This probably doesn't solve your issue but there isn't a straightforward way to use claims_map with claims_format: stringified_json.
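To make the two resolution methods concrete, here is an added Python model of the behaviour described in this thread; it is not Hasura's code, and it supports only the dotted JSONPath subset used in the issue's config. The token payloads are constructed samples, not real Cognito tokens: with `stringified_json` the namespace claim is a JSON string, so a path like `$.test.user_id` walks into a string and stops, which is exactly where the "not found" error comes from.

```python
import json
from typing import Any, Optional

# Constructed sample payloads (not real Cognito tokens). Cognito's stringified_json
# form carries the namespace as a JSON *string*; the other form is a nested object.
STRINGIFIED_PAYLOAD = {
    "sub": "abc-123",
    "test": json.dumps({"user_id": "42", "default_role": "user", "roles": ["user", "editor"]}),
}
OBJECT_PAYLOAD = {
    "sub": "abc-123",
    "test": {"user_id": "42", "default_role": "user", "roles": ["user", "editor"]},
}

# The claims_map from the issue, defaults included.
CLAIMS_MAP = {
    "x-hasura-user-id": {"path": "$.test.user_id"},
    "x-hasura-default-role": {"path": "$.test.default_role", "default": "user"},
    "x-hasura-allowed-roles": {"path": "$.test.roles", "default": ["user"]},
}

def resolve_path(payload: dict, path: str) -> Optional[Any]:
    """Resolve a dotted JSONPath such as '$.test.user_id' against a decoded payload.
    Assumption: only the simple dot-notation subset used in the issue is handled."""
    node: Any = payload
    for key in (path[2:] if path.startswith("$.") else path).split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # a string at 'test' ends the walk: the path cannot enter it
        node = node[key]
    return node

def resolve_claims_map(payload: dict, claims_map: dict) -> dict:
    """Emulate claims_map resolution: each session variable comes from its path,
    falls back to 'default' when one is given, and otherwise fails as on the page."""
    session = {}
    for var, spec in claims_map.items():
        value = resolve_path(payload, spec["path"])
        if value is None:
            if "default" not in spec:
                raise ValueError(f"JWT claim from claims_map, {var} not found")
            value = spec["default"]
        session[var] = value
    return session

def resolve_namespace(payload: dict, namespace: str, stringified: bool) -> dict:
    """Emulate claims_namespace resolution: the namespace value is taken whole and,
    with claims_format=stringified_json, parsed from its JSON string first.
    (Real Hasura then expects the x-hasura-* keys directly inside this object.)"""
    raw = payload[namespace]
    return json.loads(raw) if stringified else raw
```

Running `resolve_claims_map` on the object-shaped payload yields the session variables, while the stringified payload reproduces the issue's error for `x-hasura-user-id` because that entry has no default to fall back on.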