
custom role claims in Id/Access tokens are missing in Micronaut generated JWTs #1558

Open
deepu105 opened this issue Jan 19, 2024 · 3 comments

Comments


Expected Behavior

Custom role claims should be added to generated JWTs

Actual Behaviour

When micronaut.security.authentication=cookie and there are custom role claims in the ID token from the IdP, they are not included in the JWT generated by JWTClaimsSetGenerator. The code below is supposed to add all claims to the generated JWT:

    protected void populateWithAuthentication(JWTClaimsSet.Builder builder, Authentication authentication) {
        populateSub(builder, authentication);
        authentication.getAttributes().forEach(builder::claim);
        String rolesKey = tokenConfiguration.getRolesName();
        if (!rolesKey.equalsIgnoreCase(TokenConfiguration.DEFAULT_ROLES_NAME)) {
            builder.claim(ROLES_KEY, rolesKey);
        }
        builder.claim(rolesKey, authentication.getRoles());
    }

But it does not work, since authentication.getRoles() always returns empty and hence the actual roles in the original claim are overwritten.

The authentication.getRoles() call returns empty since DefaultOpenIdAuthenticationMapper has the implementation below:

  protected List<String> getRoles(String providerName, OpenIdTokenResponse tokenResponse, OpenIdClaims openIdClaims) {
      return Collections.emptyList();
  }

Is this implementation correct?

Steps To Reproduce

  1. Create an app: mn create-app demo --features=security-jwt,security-oauth2
  2. Create custom claims with roles in the IdP
  3. Add micronaut.security.token.roles-name=custom-roles to the config
  4. Check the JWT created by Micronaut

Environment Information

  • Manjaro Linux
  • openjdk 21.0.1 2023-10-17 LTS

Example Application

No response

Version

4.2.1

sdelamo (Contributor) commented Jan 20, 2024

micronaut.security.authentication=idtoken will save the idtoken provided by the authentication provider in a cookie.

deepu105 (Author) commented:

With idtoken, Micronaut expects the client ID to be in the aud claim of an access token, and access tokens from Auth0 do not have that; that's why I switched to using cookie. Temporarily I'm using a custom role finder to work around it, but regardless I think the roles should not be overwritten when using cookie.

deepu105 (Author) commented Jan 20, 2024

Would it be ok to check if roles are present before overwriting in JWTClaimsSetGenerator? If acceptable, I can do a PR

    protected void populateWithAuthentication(JWTClaimsSet.Builder builder, Authentication authentication) {
        populateSub(builder, authentication);
        authentication.getAttributes().forEach(builder::claim);
        String rolesKey = tokenConfiguration.getRolesName();
        if (!rolesKey.equalsIgnoreCase(TokenConfiguration.DEFAULT_ROLES_NAME)) {
            builder.claim(ROLES_KEY, rolesKey);
        }
        // Only write the roles claim when the mapper actually produced roles,
        // so an IdP-provided claim copied from the attributes above is not overwritten with an empty list.
        if (!authentication.getRoles().isEmpty()) {
            builder.claim(rolesKey, authentication.getRoles());
        }
    }
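
To make the overwrite described in the issue body and the guard proposed in this comment concrete, here is a small self-contained Java simulation. It is an added example, not code from micronaut-security or from the issue author: ClaimsBuilder and Auth are hypothetical stand-ins for Nimbus' JWTClaimsSet.Builder and Micronaut's Authentication (the real builder likewise keeps the last value written for a claim name), the ID-token claims are constructed sample data, and currentBehaviour/guardedBehaviour mirror the two versions of populateWithAuthentication quoted in this thread.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class RolesClaimDemo {
    // Assumed to match TokenConfiguration.DEFAULT_ROLES_NAME and JWTClaimsSetGenerator.ROLES_KEY.
    static final String DEFAULT_ROLES_NAME = "roles";
    static final String ROLES_KEY = "rolesKey";

    // Shared part of both variants: sub, every attribute copied from the IdP token, and the
    // "rolesKey" hint when a non-default roles name is configured.
    static ClaimsBuilder common(Auth auth, String rolesKey) {
        ClaimsBuilder b = new ClaimsBuilder();
        b.claim("sub", auth.name());
        auth.attributes().forEach(b::claim);   // copies e.g. "custom-roles": [admin, editor]
        if (!rolesKey.equalsIgnoreCase(DEFAULT_ROLES_NAME)) {
            b.claim(ROLES_KEY, rolesKey);
        }
        return b;
    }

    // Mirrors the generator as quoted in the issue: roles are written unconditionally,
    // so an empty list from the mapper replaces the claim copied from the attributes.
    static Map<String, Object> currentBehaviour(Auth auth, String rolesKey) {
        ClaimsBuilder b = common(auth, rolesKey);
        b.claim(rolesKey, auth.roles());
        return b.build();
    }

    // Mirrors the proposed guard: roles are written only when the mapper produced some.
    static Map<String, Object> guardedBehaviour(Auth auth, String rolesKey) {
        ClaimsBuilder b = common(auth, rolesKey);
        if (!auth.roles().isEmpty()) {
            b.claim(rolesKey, auth.roles());
        }
        return b.build();
    }

    public static void main(String[] args) {
        // Constructed sample: claims an IdP might place in its ID token, including a custom roles claim.
        Map<String, Object> idTokenClaims = new LinkedHashMap<>();
        idTokenClaims.put("email", "alice@example.com");
        idTokenClaims.put("custom-roles", List.of("admin", "editor"));

        // Reported case: DefaultOpenIdAuthenticationMapper#getRoles returned an empty list.
        Auth auth = new Auth("alice", idTokenClaims, Collections.emptyList());
        System.out.println("current: " + currentBehaviour(auth, "custom-roles"));
        System.out.println("guarded: " + guardedBehaviour(auth, "custom-roles"));

        // Caveat: when a custom mapper does return roles, they still replace the IdP attribute.
        Auth withMapperRoles = new Auth("alice", idTokenClaims, List.of("viewer"));
        System.out.println("guarded, mapper roles present: " + guardedBehaviour(withMapperRoles, "custom-roles"));
    }
}

// Hypothetical stand-in for a JWT claims builder: an ordered map where a second claim()
// call with the same name replaces the first value.
final class ClaimsBuilder {
    private final Map<String, Object> claims = new LinkedHashMap<>();

    ClaimsBuilder claim(String name, Object value) {
        claims.put(name, value);
        return this;
    }

    Map<String, Object> build() {
        return Collections.unmodifiableMap(new LinkedHashMap<>(claims));
    }
}

// Hypothetical stand-in for Micronaut's Authentication: the attributes copied from the IdP token
// and the roles list produced by the authentication mapper.
record Auth(String name, Map<String, Object> attributes, List<String> roles) {}
```

Run it with "java RolesClaimDemo.java" (single-file source launch; the record needs JDK 16 or later). The guarded variant keeps the IdP-supplied custom-roles list because forEach(builder::claim) already copied it into the claim set, so Micronaut's own cookie JWT then carries roles exactly as the validated ID token stated them. The third run shows the remaining ordering rule worth knowing when auditing authorization: whenever the mapper's getRoles does return a non-empty list, that list wins over the attribute of the same name, which is the hook a custom role finder uses.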
