
breakfix: RBAC can't access [realm_access-roles] #345

Open
bakabaka0613 opened this issue Jun 12, 2024 · 3 comments

Comments

@bakabaka0613

Describe the issue

RBAC can't access:

  • realm_access - roles
  • app_metadata - authorization - roles

Expected behavior
According to the documentation, by default the plugin should find role information in the following token fields:

  • roles
  • role
  • group
  • groups
  • app_metadata - authorization - roles
  • realm_access - roles
@qrkourier

qrkourier commented Jul 28, 2024

I believe I am experiencing this issue and have documented my approach to setting app_metadata.authorization.roles in this Auth0 thread.

I think the next step for me to confirm the condition is to find a way to access the portal's /whoami page so I can inspect the token received by Caddy Security. Presently, I am always redirected to /login when I visit that page, even when I'm already authenticated.

EDIT: I found the tokens in the log

		authentication portal authn {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider auth0
			cookie domain {$ZROK_DNS_ZONE}
			ui {
				links {
					"Homepage" "https://www.example.com" icon "las la-home"
					"My Account Info" "/whoami" icon "las la-user"
				}
			}
		}

		authorization policy authz {
			set auth url https://auth.example.com/oauth2/generic
			crypto key verify {env.JWT_SHARED_KEY}
			allow roles user
			validate bearer header
			inject headers with claims
		}

@qrkourier

qrkourier commented Jul 28, 2024

Although I cannot access the portal's account info page when the provider is enabled (link to open issue describing the same symptom), only when local store is enabled, I do see the debug logs that include the id token and access token from the provider.

Strangely, the access token has no claims. Only the header and signature are defined. The OAuth 2.0 server access token from Auth0, which is a JWT, looks like this asdklfjhasdkljh..lkjhasdlkjhasdlkjhsadlkjhasdflkjhasdf (zero bytes in the claimset between header and signature).

Then Caddy Security does something unexpected.

DEBUG: decoded claims from OAuth 2.0 authorization server access token

The claims shown next are from the OIDC id token, not the OAuth access token. Maybe Caddy Security has confused the two?
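The two observations in this thread, roles living under nested paths such as realm_access.roles and app_metadata.authorization.roles, and an access token whose claim set is empty, can be checked with a small decoder. The following Go code is an added example, not caddy-security's or go-authcrunch's own implementation: it decodes a compact JWS payload for inspection only (no signature verification), refuses the empty-payload shape described above instead of silently yielding zero claims, and collects roles from the field list quoted in the issue. The field list and the walk order are assumptions taken from that documentation excerpt, not from the plugin source.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Role fields from the documentation quoted in the issue (assumed, not from plugin source); dots mark nesting.
var roleFields = []string{"roles", "role", "group", "groups",
	"app_metadata.authorization.roles", "realm_access.roles"}
// DecodeClaims decodes the payload segment of a compact JWS for inspection only;
// it does not verify the signature. An empty payload, the shape of the Auth0 access
// token described above, is an error rather than a token with zero claims.
func DecodeClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[1] == "" {
		return nil, errors.New("no claim set: need header.payload.signature with a non-empty payload")
	}
	var claims map[string]any
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}
// ExtractRoles collects roles from every documented field present in the claims:
// a string value counts as one role, an array contributes each string element.
func ExtractRoles(claims map[string]any) []string {
	var roles []string
	for _, path := range roleFields {
		var cur any = claims
		for _, key := range strings.Split(path, ".") { // walk nested JSON objects
			m, _ := cur.(map[string]any) // nil map when this hop is not an object
			cur = m[key]                 // reading a nil map yields nil, which ends the walk
		}
		switch v := cur.(type) {
		case string:
			roles = append(roles, v)
		case []any:
			for _, e := range v {
				if s, ok := e.(string); ok {
					roles = append(roles, s)
				}
			}
		}
	}
	return roles
}
```

Running DecodeClaims over the id token from the debug log, rather than the access token, shows which of the documented fields actually carry roles for a given provider configuration.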

@greenpau
Owner

The claims shown next are from the OIDC id token

@qrkourier , see the below source code references. https://github.com/search?q=repo%3Agreenpau%2Fgo-authcrunch%20id_token&type=code

Happy to jump on google meet to troubleshoot. Feel free to reach me on LinkedIn.
