Wildcard in JSON path for claims_map #10524

Open
viico opened this issue Sep 4, 2024 · 0 comments
Labels
c/server Related to server k/bug Something isn't working v2-engine v2

viico commented Sep 4, 2024

Version Information

Server Version: 2.43.0

Environment

Self hosted with docker-compose (docker tag hasura/graphql-engine:v2.43.0).

Context

We use Hasura with Casdoor; we follow these 2 docs:

We use claims_map to map the x-hasura-allowed-roles, x-hasura-default-role and x-hasura-user-id fields from the Casdoor token fields. Here is our value for the HASURA_GRAPHQL_JWT_SECRET environment variable.

{
    "claims_map": {
        "x-hasura-allowed-roles": {
            "path": "$.roles[\"*\"].name"
        },
        "x-hasura-default-role": {
            "path": "$.roles[0].name"
        },
        "x-hasura-user-id": {
            "path": "$.id"
        }
    },
    "jwk_url": "https://casdoor.d2d.sncf.fr/.well-known/jwks"
}

What is the current behaviour?

We have a problem with the x-hasura-allowed-roles field; the error from Hasura is: 'JWT claim does not contain "x-hasura-allowed-roles.

  • we verify the token sent to Hasura and we have 2 role objects in the roles array (with name field)
  • all the authentication works well when we define a default value for x-hasura-allowed-roles in the claims_map

I guess the problem comes from the JSON path $.roles[\"*\"].name; we tried different solutions:

  • "$.roles[*].name", error at startup: Fatal Error:- Environment variable HASURA_GRAPHQL_JWT_SECRET: Error in $['claims_map']: $.roles[*].name. Accept letters, digits, underscore (_) or hyphen (-) only. Use quotes enclosed in bracket (["..."]) if there is any special character
  • "$.roles['*'].name", same error: 'JWT claim does not contain "x-hasura-allowed-roles

What is the expected behaviour?

The x-hasura-allowed-roles field contains an array of the role names provided by the Casdoor token.

How to reproduce the issue?

  1. follow the doc to set up Casdoor and Hasura
  2. create a user in Casdoor with Hasura's role
  3. use the image hasura/graphql-engine:v2.43.0 in the docker-compose file
  4. set the environment variable: - HASURA_GRAPHQL_JWT_SECRET={"claims_map":{"x-hasura-allowed-roles":{"path":"$$.roles[\"*\"].name"},"x-hasura-default-role":{"path":"$$.roles[0].name"},"x-hasura-user-id":{"path":"$$.id"}},"jwk_url":"https://casdoor.d2d.sncf.fr/.well-known/jwks"}
  5. try to call Hasura with a Casdoor user token
@viico viico added the k/bug Something isn't working label Sep 4, 2024
@rakeshkky rakeshkky added the c/server Related to server label Sep 5, 2024
@rakeshkky rakeshkky assigned danieljharvey and unassigned rakeshkky Sep 10, 2024
@danieljharvey danieljharvey removed their assignment Oct 22, 2024
@danieljharvey danieljharvey added the v2-engine label Oct 22, 2024 — with Linear
@manasag manasag added the v2 label Nov 7, 2024 — with Linear
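
An added illustration, not part of the issue and not Hasura's code: a small Python model of a path resolver that accepts only the steps named in the startup error above (plain keys, quoted keys) plus numeric indices, run over a constructed token payload. Under that assumption a quoted `*` is a literal key lookup rather than a wildcard, which is consistent with the missing-claim error reported; `STEP`, `parse_path`, `resolve` and `CLAIMS` are hypothetical names.

```python
import re

# Path steps modelled on the startup error quoted in the issue: .key (letters, digits,
# _ or -), ["quoted key"], ['quoted key'], plus [index] as in $.roles[0].name.
# This grammar is an assumption for illustration, not Hasura's parser.
STEP = re.compile(r"""\.([A-Za-z0-9_-]+)|\[(\d+)\]|\["([^"]*)"\]|\['([^']*)'\]""")
MISSING = object()  # sentinel: the path selected nothing


class PathError(ValueError):
    """Raised for syntax the model does not accept, such as a bare [*]."""


def parse_path(path):
    """Split a claims_map path into key (str) and index (int) steps."""
    if not path.startswith("$"):
        raise PathError("path must start with $")
    steps, pos = [], 1
    while pos < len(path):
        m = STEP.match(path, pos)
        if m is None:
            raise PathError(f"unsupported syntax at offset {pos}: {path[pos:]!r}")
        name, index, dq, sq = m.groups()
        if index is not None:
            steps.append(int(index))
        else:
            steps.append(next(s for s in (name, dq, sq) if s is not None))
        pos = m.end()
    return steps


def resolve(claims, path):
    """Walk the steps; return MISSING when a step has nothing to select."""
    node = claims
    for step in parse_path(path):
        if isinstance(step, int) and isinstance(node, list) and step < len(node):
            node = node[step]
        elif isinstance(step, str) and isinstance(node, dict) and step in node:
            node = node[step]
        else:
            return MISSING  # e.g. the key "*" applied to the roles array
    return node


# Constructed payload shaped like the token described: two role objects with a name field.
CLAIMS = {"id": "user-1", "roles": [{"name": "user"}, {"name": "editor"}]}

if __name__ == "__main__":
    for p in ('$.id', '$.roles[0].name', '$.roles["*"].name', "$.roles['*'].name"):
        value = resolve(CLAIMS, p)
        print(p, "->", "claim missing" if value is MISSING else value)
```
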