When tokenType = jwt, scope restriction doesn't work.
EDIT (for anyone who faced or is facing this issue; written after talking to Vincenzo):
Here’s the problem: with so many ways to represent scopes and no standardized way to expose them, Express Gateway would have trouble doing so.
The problem we have is that Express Gateway can’t locate scopes in a JWT, because their location is unpredictable.
You have two ways to fix this:
- Use a plugin able to extract the scopes from the token — such as https://github.com/XVincentX/apigateway-playground/blob/microservice-gateway-hypermedia-kubernetes/gateway/jwtScopes.js
- Put the scopes on the credential directly, following our guide on express-gateway.io
Tried to restrict an apiEndpoint with scopes, and any logged-in user, with any role, could pass through to the proxy level. After a few tries, I figured out this happens only when the tokenType is “jwt”. When commenting out tokenType with its props (issuer, audience, subject), the scope restriction works perfectly.
Config references (the buggy configuration, as reproduction steps):
apiEndpoint:

```yaml
apiEndpoints:
  exampleApi:
    port: *gatewaySecurePort
    host: *gatewayHost
    paths:
      - "/example/*"
    scopes:
      - 'exampleAdmin'
```

pipeline:

```yaml
pipelines:
  example-api:
    apiEndpoints:
      - exampleApi
    policies:
      - oauth2:
          - action:
              jwt:
                <<: *jwtStrategy
      - rewrite:
          - condition:
              name: allOf
              conditions:
                - name: authenticated
                - name: pathmatch
                  match: "/example/:route*"
            action:
              rewrite: "/:route"
      - proxy:
          - condition:
              name: authenticated
            action:
              serviceEndpoint: exampleServiceApi
              changeOrigin: true
```

systemConfig.accessTokens:

```yaml
accessTokens:
  timeToExpiry: 7200000
  tokenType: "jwt"
  issuer: "example issuer"
  audience: "example audience"
  subject: "example subject"
  secretOrPrivateKey: "very_secret_thing_example"
```
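The first workaround above (a plugin that extracts scopes from the token) hinges on the point the author makes: the scopes can live in several claims and shapes, so the gateway cannot find them on its own. The following is an added example and is not Express Gateway code, nor the jwtScopes.js plugin linked above. It normalizes the common claim shapes (`scope` as a space-delimited string, `scp` or `scopes` as an array; these three claim names are an assumption) into one set, then enforces the endpoint's required scopes in an Express-style middleware whose shape is also assumed for illustration. It deliberately decodes the payload without verifying the signature, so it is only safe to run after a policy (such as the `oauth2` policy in the pipeline above) has already authenticated the token; on its own it proves nothing about the caller.

```javascript
// Added example: normalize the scope claim of an already-verified JWT and
// enforce an apiEndpoint's required scopes. Not Express Gateway code; the
// claim names (scope, scp, scopes) and requireScopes() are assumptions.

// Decode the payload of a compact JWS WITHOUT verifying it. Safe only when
// an earlier policy has already checked signature, issuer, audience and
// expiry; this helper authenticates nothing.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Collect scopes from the claim shapes seen in practice (assumed set):
//   "scope":  "read write"       space-delimited string (RFC 6749 style)
//   "scp":    ["read", "write"]  array under a short claim name
//   "scopes": ["read", "write"]  array under a custom claim
// Unknown or missing shapes yield an empty Set, so the default is deny.
function extractScopes(payload) {
  const out = new Set();
  for (const key of ['scope', 'scp', 'scopes']) {
    const v = payload[key];
    if (typeof v === 'string') {
      v.split(/\s+/).filter(Boolean).forEach((s) => out.add(s));
    } else if (Array.isArray(v)) {
      v.filter((s) => typeof s === 'string').forEach((s) => out.add(s));
    }
  }
  return out;
}

// Allow only if every required scope was granted. An empty requirement
// allows, mirroring an apiEndpoint with no scopes: key.
function hasRequiredScopes(granted, required) {
  return required.every((s) => granted.has(s));
}

// Express-style middleware factory: reads the bearer token, derives the
// granted scopes and answers 403 when any required scope is missing.
function requireScopes(required) {
  return function (req, res, next) {
    const auth = req.headers.authorization || '';
    const m = /^Bearer\s+(\S+)$/i.exec(auth);
    if (!m) return res.status(401).end();
    let granted;
    try {
      granted = extractScopes(decodePayload(m[1]));
    } catch (e) {
      return res.status(401).end();
    }
    if (!hasRequiredScopes(granted, required)) return res.status(403).end();
    req.scopes = granted;
    return next();
  };
}

// Constructed test tokens: header and payload only, with a placeholder
// signature segment, because this example does not verify signatures.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}
```

Used in front of the `/example/*` route from the configuration above, `requireScopes(['exampleAdmin'])` denies a token that carries only `scp: ["profile"]` and one that carries no scope claim at all, which is the behaviour the author expected from the `scopes:` key on the apiEndpoint.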
Top GitHub Comments
Yes — you’re experiencing exactly the same issue. I wrote you a workaround in the Gitter channel (that is — use this)
Because talking about possibilities with JWT is always confusing, I’m just going to take a moment to provide a refresher on different ways JWTs manifest in authentication/authorization.
There are actually 3 ways we could potentially use JWT in a gateway.
I think in use cases 1 and 3, we could potentially take JWTs issued by an Identity Provider, and in those cases, we’d need some indication of assigned scopes, likely via a custom claim.
For use case 2, I think we’d have to manage all of that internally. And if we’re managing it internally, we should be able to take advantage of our scope management.
I think this issue is referring to use case 2, which should not require a custom `scopes` claim in the JWT. Scope management should work for JWT access tokens the same exact way it works for opaque access tokens.

@naorbe Feel free to comment if I’m missing something.