After fetching a JWT using Application credentials, attempting to use this JWT as a Bearer token to access the Ego user API (get user by ID) results in a 401 Forbidden. The same endpoint is accessible using Basic auth directly.
Description
Expected Behaviour
Request should authorize the request using Application JWT as Bearer Token.
Actual Behaviour
Receive 401 Forbidden HTTP response.
Possible Fix
The Ego logs indicate that the security filter failed to convert the JWT into an ApplicationJWT object and therefore rejected the request:
2022-05-26 00:50:33,967 [http-nio-8081-exec-7] WARN b.o.e.s.JWTAuthorizationFilter - Token is valid but not a User JWT
2022-05-26 00:50:33,969 [http-nio-8081-exec-7] WARN b.o.e.s.JWTAuthorizationFilter - Token is valid but not an Application JWT
2022-05-26 00:50:33,974 [http-nio-8081-exec-7] ERROR o.a.c.c.C.[.[.[.[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
bio.overture.ego.model.exceptions.ForbiddenException: Bad Token
at bio.overture.ego.security.JWTAuthorizationFilter.authenticateUserOrApplication(JWTAuthorizationFilter.java:132)
Check the token conversion code and make sure it works with both user and application JWTs; once it does, this request should work again.
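The filter behaviour the log shows (reject unless the token converts to either a User or an Application principal) modelled in Python, as an added illustration that is not Ego's own code: the signature is verified first, then the principal type is taken from a `context` claim holding a `user` or `application` object, which is assumed here to mirror Ego's token layout; the secret and sample tokens are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; Ego signs with its own key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Build a demo HS256 JWT (constructed helper, not Ego's issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes = SECRET) -> dict:
    """Check the signature before trusting any claim in the token."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(body))


def classify_principal(payload: dict) -> str:
    """Accept a user OR an application principal; anything else is a bad token.
    Assumes a 'context' claim carrying a 'user' or 'application' object."""
    ctx = payload.get("context", {})
    if isinstance(ctx.get("user"), dict):
        return "USER"
    if isinstance(ctx.get("application"), dict):
        return "APPLICATION"
    raise PermissionError("Bad Token")  # the ForbiddenException path in the log


def is_accepted(token: str) -> bool:
    """True only when the token is both correctly signed and a known principal type."""
    try:
        classify_principal(verify_hs256(token))
        return True
    except (ValueError, PermissionError):
        return False


# Constructed sample tokens: one user principal, one application principal.
USER_JWT = make_hs256_jwt({"sub": "user-1", "context": {"scope": ["USER.READ"], "user": {"name": "alice"}}})
APP_JWT = make_hs256_jwt({"sub": "app-1", "context": {"scope": ["USER.READ"], "application": {"name": "demo-app"}}})
```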
Steps to Reproduce
Get Application JWT:
curl --request POST 'https://ego-host.example.com/api/oauth/token?grant_type=client_credentials&client_id=applicationId&client_secret=applicationPass'
Request user details using the JWT returned in the first response:
curl --request GET 'https://ego-host.example.com/api/users/11111111-1111-1111-1111-111111111111' --header 'Authorization: Bearer asdfasdfasdf'
The second request returns an error instead of the user data.
Your Environment
Tested against Argo prod and dev. Ego version: 5.3.0